As your Employer’s Occupational Health (OH) service provider, Workplace Wellbeing are required to process your personal data, defined as any identifiable information relating to you the Employee, the “data subject”. The term “processing” covers virtually everything that can be done with data, including collection, recording, storage, disclosure by transmission, erasure and destruction.
As both the Data Controller and Data Processor of your data we are committed to protecting your individual rights to privacy. Your data will be processed in accordance with the Data Protection Act (DPA) 1998. As your OH records are also classed as a “clinical record” Workplace Wellbeing also has a legal and ethical duty (under relevant health professional codes of conduct) not to disclose confidential medical information to third parties, including your Employer, without your informed written consent, unless there is a grave risk of serious harm to others or a court order.
The Occupational Health Practitioner is both Data Controller and Data Processor and is committed to protecting your rights.
What Data Will Be Collected
The following data may be collected, held and shared by Occupational Health:
- Personal information (e.g. Name, Address, Date of Birth)
- Characteristics (ethnicity, gender)
- Past and present job roles
- Health information.
Who It Will Be Collected From
- Human Resources
- Other health professionals (e.g. GP, health specialist, physiotherapist).
How It Will Be Collected
- Verbal (Either by telephone or face to face)
- Health Questionnaires
- Health Assessment (e.g. skin or vision assessment).
Why It Is Collected
- For the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee.
- To ensure the health and safety of employees at work and to allow consideration of any adjustments that may be required to support their ability to work.
- Data may also be used for research, audit or statistics but will be anonymized if this is the case.
Lawful Basis For Processing (from the General Data Protection Regulation)
- Article 6(1)
(f) Processing is necessary for the purposes of the legitimate interests*1 pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
- Additional condition for the processing of Special Category Data
Article 9 (2)
(h) Processing is necessary for the purposes of Occupational Medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment, or the management of health or social care systems and services on the basis of EU or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in para 3 (below).
Personal data may be processed for the purposes referred to in (2)(h) when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under EU or Member State law or rules established by national competent bodies.
How Long Will Your Data Be Held For?
- Information will be held for 6 years after leaving employment or 75 years of age (whichever is soonest) as recommended by the British Medical Association (BMA) unless there is a recognised clinical need or statutory requirement to retain it for longer.
- New employee assessments will be discarded after 2 years if the offer of the job is not taken up.
How Will Your Data Be Stored?
Records are kept either on paper or digitally.
- Paper records are part of a structured filing system and stored in accordance with the BMA’s medical records storage policy and in compliance with GDPR. They are accessible only to the Workplace Wellbeing Occupational Health Team.
- Digital records are held on a cloud-based server within the Workplace Wellbeing IT system and are password protected.
- Email attachments are password protected.
Who Will Your Information Be Shared With?
- Information may be requested by your employer; however, information about you will not be shared with third parties, including your employer, without your consent unless the law allows this or there is a serious risk to life.
- Results of Health Surveillance will be passed on to the employer under Reg. 11 COSHH Regulations 2002 for retention as required by the Health and Safety Executive (HSE).
You have the right to see any information held about you in your Occupational Health Clinical Record. The request should be made in writing and will be responded to within 4 weeks, without charge.
You can also request that an amendment is attached to it if you believe any of the information held by Occupational Health is inaccurate or misleading.
You have the right to withdraw consent at any time, for any reason. Please ensure that Occupational Health is informed if this is the case.
In the case of a request for erasure, retention may still be lawful (e.g. if required for legal compliance).
*1 Where there is a legitimate interest of the employer, e.g. for the OH Practitioner to advise on fitness to work for the efficient and safe running of its business, to comply with its legal obligations under health and safety law and employment law (in particular the Equality Act), or with respect to its legal duties for sick pay.
*2 Article 9(3), e.g. by a regulated health professional. This incorporates the common law and GMC/NMC (Ref) duty of confidentiality into the GDPR.
The NMC Code of Conduct – Clause 5, Privacy and confidentiality; Clause 7, Communicate clearly; Clause 10, Clear, accurate, relevant records; Clause 14, Be open and candid including mistakes; Clause 16, Act without delay if risk to patient safety or public protection.
Source Acknowledgement: FCC, OH Medical, @work Partnership, ICO, Prof D. Kloss, and COPHA (Thanks also to Occy Health Ltd)