Privacy Policy

OCCUPATIONAL HEALTH PRIVACY NOTICE

SOH vanilla Ltd acts as both Data Controller and Data Processor and as such holds personal data, including medical data, relating to our client organisations and their employees. This notice explains how that data is collected, used, stored and protected in the provision of Occupational Health services, in compliance with data protection regulations.

  1. SOH vanilla will collect data including:
  • Personal information, e.g. employee names, addresses, dates of birth and contact details
  • Past and present job roles
  • Health and medical information

       Where the employee has been referred by management:

  • Reasons for an employee being referred to us
  • Medical history
  • Reports from other medical professionals
  • Advice offered to the employer and employee 

      Where the employee is included in a Health Surveillance Programme:

  • The specific issues requiring health surveillance
  • Historical surveillance measurements
  • Current surveillance measurements
  • Advice offered to the employer and employee

  2. SOH vanilla will collect data from:
  • Human Resources
  • Managers
  • Employees
  • Other health professionals (e.g. GP, specialist, physiotherapist)

  3. SOH vanilla will collect data by:
  • Email
  • Post
  • Verbal (either by telephone or face to face)
  • Management Referral forms
  • Health Questionnaires
  • Health Assessment (e.g. skin or respiratory assessment)
  • Other health professional reports

  4. SOH vanilla collects data for:
  • The purposes of preventative or occupational medicine, including the assessment of the working capacity of the employee.
  • Ensuring the health and safety of employees at work and allowing consideration of any adjustments that may be required to support their ability to work.
  • Research, audit or statistics, in which case the data will be anonymised.

  5. SOH vanilla will hold data:
  • For as long as necessary for the proper provision of the Occupational Health Service.
  • All clinical information and management referral data may be kept for 6 years after the last contact or entry, as recommended by the British Medical Association (BMA) and the Faculty of Occupational Medicine, unless there is a recognised clinical need or statutory requirement to retain it for longer.
  • Statutory health surveillance records may be retained for up to 40 years under Regulation 11 of the COSHH Regulations 2002 and the associated ACOP (2013), as required by the Health & Safety Executive (HSE).

  6. How Your Data Will Be Stored
  • SOH vanilla has security systems in place to protect the data it holds against accidental or unauthorised loss, change or disclosure, for both electronic and paper storage systems.
  • Data is backed up regularly.
  • Paper records are securely held and only accessible to Occupational Health Staff.
  • Paper records are securely shredded when no longer required.
  • Electronic records are destroyed in accordance with industry practice.
  • Electronically sent documents are encrypted and password protected.
  • SOH vanilla does not contract out any processing to other agencies and does not store any data outside the EEA.

  7. Your Rights
  • You have the right to see any information held about you in your SOH vanilla Ltd occupational health clinical record. The request should be made in writing and will be responded to within four weeks, without charge.
  • You can also request that an amendment is attached to it if you believe any of the information held by SOH vanilla Ltd is inaccurate or misleading.
  • You have the right to withdraw consent at any time, for any reason. In this instance, please ensure SOH vanilla Ltd receives your request.
  • In the case of request for erasure, retention may be lawful (e.g. if required for legal compliance).
  • SOH vanilla Ltd is registered with the Information Commissioner's Office (ICO) in respect of its use of personal data. The Director of SOH vanilla Ltd is responsible for reporting any personal data breach to the ICO within 72 hours, as required, where it is likely to result in a risk to people's rights and freedoms.
  • In the event of a client organisation moving its occupational health provision away from SOH vanilla Ltd, SOH vanilla Ltd will provide the data it holds to the new occupational health provider only with written permission from the client organisation. SOH vanilla Ltd will also require evidence from the new provider that it is qualified to hold such data. SOH vanilla Ltd will then securely destroy all copies it holds of that data.

  8. Lawful Basis For Processing (from the GDPR)
  • 1. Article 6(1)
    (f) Processing is necessary for the purposes of the legitimate interests¹ pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
  • Additional condition for the processing of Special Category Data
  • 2. Article 9(2)
    (h) Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of EU or Member State law or pursuant to a contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3 (below).
  • Article 9(3)²
    Personal data may be processed for the purposes referred to in (2)(h) when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under EU or Member State law or rules established by national competent bodies.

This policy will be reviewed periodically to ensure that it reflects the practices of SOH vanilla Ltd. This version of the policy is dated 17th May 2018.

¹ The employer's legitimate interests include, for example, having the OH Practitioner advise on fitness to work for the efficient and safe running of its business, complying with its legal obligations under health and safety law and employment law (in particular the Equality Act 2010), and meeting its legal duties in respect of sick pay.

² Article 9(3), e.g. processing by a regulated health professional. This incorporates the common law and GMC/NMC duty of confidentiality (see Reference below) into the GDPR.

Reference:

The NMC Code of Conduct – Clause 5, Privacy and confidentiality; Clause 7, Communicate clearly; Clause 10, Clear, accurate, relevant records; Clause 14, Be open and candid including mistakes; Clause 16, Act without delay if risk to patient safety or public protection.

Carmela Tucker, RGN, SCPHN-OH, Director of SOH vanilla Ltd