Privacy Notice

Workplace Health & Wellbeing, as an Occupational Health provider, needs to process personal data (defined as identifiable information relating to an individual) in order to provide services. The health information that we hold on individuals is classed as ‘special category’ data.

Workplace Health & Wellbeing is both a Data Controller and a Data Processor, as we store and process the personal data. The word ‘process’ can include collection, recording, storage, disclosure by transmission, erasure and destruction. The purpose of this privacy statement is to provide information on how we will undertake these activities in line with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

The records that we hold relate to an individual’s (the data subject’s) health and as such form our ‘clinical record’. We ensure that these records are processed in accordance with the General Medical Council (GMC), Nursing and Midwifery Council (NMC) and Faculty of Occupational Medicine (FOM) Ethics Guidance for Occupational Health Practice on record keeping. Therefore, we will not disclose confidential medical information to a third party, including an employer, without informed written consent unless there is a risk of serious harm to others or a court order.

What data will be collected?

  • Personal Information (e.g. Name, address, Date of Birth)
  • Personal Characteristics (e.g. ethnicity, gender)
  • Past and present job roles
  • Health information (classed as special category data)

Who will it be collected from?

  • An employee / worker (data subject)
  • An employer (e.g. Human Resources, Managers)
  • Treating doctor or health professional (e.g. GP / treating consultant)
  • Other Health Specialists or services that we may refer you to as part of our assessments (e.g. specialist physio, psychologist)

How will it be collected?

  • In writing – this can be from the forms that individuals and employers may complete, e.g. pre-placement health assessments and management referral forms. These may be sent to us by mail, secure fax, or electronically via our secure portal system or email.
  • Verbally – by telephone calls or face to face assessments

Who will have access?

  • Only Workplace Health & Wellbeing employees will have access to the information. This will include our doctors, nurses, technicians, health & wellbeing practitioners and our administration team. The clinical team need access to perform the necessary assessments as part of their role. Our administration team have access on a ‘need to know’ basis so that they can book appointments, process reports, etc. All staff (including administration staff) in our department understand the need for confidentiality and sign annual confidentiality statements.

Why data is collected – i.e. what is the ‘lawful basis’ for processing the data?

The lawful basis for processing your data under GDPR is:

For Norfolk and Norwich University Hospitals Employees – Article 6 (1)(e) – processing is necessary for the performance of a task carried out in the public interest or in exercise of official authority vested in the controller.

For all other employees of our contracted services – Article 6 (1) (f) – processing is necessary for the purposes of the legitimate* interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

*The legitimate interest of the employer, e.g. for the OH practitioner to advise on fitness to work for the efficient and safe running of their business, to comply with legal obligations under health & safety law and employment legislation (e.g. the Equality Act), or with respect to its legal duties for sick pay.

As far as special category data is concerned, Workplace Health & Wellbeing needs to process your data under Article 9 (2) (h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3 (see below).

Article 9 (3) – Personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.

The above incorporates common law and GMC / NMC / FOM Ethics guidance on confidentiality and consent.

On occasion we may also use your data for the purpose of research, audit or statistical analysis to help us undertake our work or provide trends to an employer. If this data is to be shared it will be anonymised so that you are not identifiable.

How long will data be held for?

  • Pre-placement assessment forms will form part of an occupational health record unless the individual has not been successfully appointed to the post. In that situation the form will be kept for one year unless there is a good clinical or legal reason to retain it longer.
  • Other OH records will be kept for 6 years after an individual has left employment or until the individual reaches 75 years of age (whichever is sooner), unless there is a recognised clinical need or statutory requirement to retain them for longer.

How will data be stored?

  • Paper records will be stored in locked filing cabinets and only Workplace Health & Wellbeing staff have access to the keys. In addition, access to the office is restricted to Workplace Health & Wellbeing staff only. The office is locked during non-working hours so that no one can access any information.
  • Electronic records are stored on a secure server. These records can only be accessed by Workplace Health & Wellbeing staff using their personal logins / passwords.
  • Information sent to a worker or employer is protected by sending it via encrypted email.

Consent / who information will be shared with?

  • Our consent procedures are undertaken in line with the GMC / NMC and FOM Ethics guidance.
  • Before any information is released, we ensure that the worker is informed about the consent process and that consent is received, either verbally or in writing. Workers are able to contact us and withdraw consent at any time.
  • Workplace Health & Wellbeing will only share information with a third party without consent where there is a serious concern, e.g. a risk to life / harm to others, or where there is a court order.

Worker Rights (data subject)

  • A data subject has the right to request any information that is held on their occupational health clinical record or to authorise a third party (such as a legal adviser) to exercise that right on their behalf.
    • The request should be made formally.
    • The information will be provided within one month of the request. However, if there is a large quantity of data or the request is complex, this time frame can be extended by a further two months. The worker will be informed if this is required.
    • This information will normally be provided free of charge unless multiple requests are made or the request is unfounded or excessive.
    • Additional written consent may be required from a worker if a request is made by a third party, in line with our legal and ethical duty to protect your medical confidentiality.
  • A worker can request an amendment to their record if any of the information is factually inaccurate. The professional opinion of the Occupational Health practitioner cannot be changed.
  • Workers do not have the ‘right to erasure’ of their data as the processing is necessary for the purposes of preventative or occupational medicine. This applies as the data is being processed by and under the responsibility of a health professional under the relevant professional code of conduct.