Enterprise Occupational Health Ltd as both a Data Controller and Data Processor is committed to protecting the rights of the individual and acknowledge that any personal data that we handle will be processed in accordance with the Data Protection Act 1998 (DPA) and the General Data Protection Regulations (GDPR) 2018.
The following data maybe collected, held and stored by Occupational Health
- Personal information (e.g. Name, Address, Date of Birth)
- Characteristics (ethnicity, gender)
- Past and present Job roles
- Medical Records
- Health Surveillance records
Your data may be collected from the following sources
- Employer
- Employee
- Occupational Health Professionals
- General Practitioners
- Physiotherapists
- Other relevant health professionals
How your data will be collected
- Information received in the post
- Via E-mail
- Verbal (face to face and telephone)
- Health Questionnaires
- Health assessments for example hearing tests, lung functions tests and drug and alcohol testing.
How your data will be stored
All personal data is stored electronically on secure encrypted systems which can only be accessed by our Occupational Health Professionals. Where paper copies are required these will be stored securely. Where Enterprise Occupational Health Ltd is working as a data processor on behalf of another Occupational Health provider (the data controller) your data will be transferred securely to the data controller, providing they meet the same high standard of GDPR compliance as ourselves. In these circumstances Enterprise Occupational Health Ltd will only store your data until successful transfer to the data controller has been confirmed.
Why your personal data is required
To ensure that we can safely and accurately carry out our duties as an Occupational Health service providing assessment and advice relating to Occupational Health to employers and employees.This may include statutory health assessments, advice on fitness for work, health and wellbeing checks and sickness absences advice and assessments.
Lawful Basis for processing the information
General Data Protection Regulations Article 6 (1)(f)
Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
General Data Protection Regulations Article 9 (2)(h) – special category data
Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health or social care systems and services on the basis of EU or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards of UK law and the confidentiality duties imposed by the General Medical Council and Nursing and Midwifery Council.
How long will data be held for
- Where Enterprise Occupational Health Ltd is the data controller, data provided in the course of normal occupational health activity such as health surveillance, sickness absence assessments, pre-placement assessments or wellbeing assessments will be held for 6 years after the employee has left employment or 75 years of age (whichever is soonest) as recommended by the British Medical Association (BMA).
- In the case of one-off assessments, the data will be kept for 6 years following the date of assessment, or 2 years in the case of new employees who do not take up employment following assessment.
- Where Enterprise Occupational Health Ltd is acting as a data processor (or sub-contracting) for another occupational health provider, all data will be transferred to the data controller and only kept for such time as required to ensure successful transfer of data.
Who will my information be shared with
- Where we have consent to do so reports and outcomes of assessment may be shared with the referring organisation.
- Within Enterprise Occupational Health, employees may require access to your data in order to undertake their role, for example to assess you, or to process the information and send appointments etc. All employees are governed by a confidentiality agreement and with regard to clinicians, the regulations of their relevant governing body.
- Where Enterprise Occupational Health Ltd is acting as a data processor on behalf of another Occupational Health provider, your data will be securely transferred to the data controller who will have a similar data privacy policy in compliance with GDPR.
What are your rights
- You have the right to access any of your personal data held by Enterprise Occupational Health Ltd. If you wish to request a copy of any personal data held by Enterprise Occupational Health Ltd, please contact initially Andrew Paterson, Director with responsibility for Data Protection – andrew.paterson@enterpriseoh.com
- Where data is factually inaccurate you have the right to request this to be amended.
- You can also request that an amendment is attached to your health record if you believe any of the information held is inaccurate or misleading, for example if you disagree with an Occupational Health opinion.