Health Partners are committed to ensuring the protection, confidentiality and privacy of information entrusted to us by any individual and to ensuring the data we hold is secure at all times.
Data protection and confidentiality is a fundamental aspect of our ethical codes of conduct and a central tenet in our relationship with our employees, our customers, their employees, our business partners and any applicants applying to work with us.
Health Partners will not only comply with the requirements of the current data protection legislation, but additionally meet all our ethical and professional bodies’ guidelines and codes of practice regarding privacy and confidentiality.
Information held on our customers’ employees includes both personal and sensitive or special category data, including name, date of birth, address, limited employment data and information regarding their health and, for certain roles, immunity status. This information has been supplied to the OH Service by the customer, the employee themselves or their GP/Specialist directly. It will only ever be used for the purposes of providing occupational health services and will not be shared with any third parties for any other activity.
The OH Service manage and process the data of our customers and their employees for the purposes of ‘occupational medicine and treatment; assessing the work capacity and capability of employees, medical diagnosis and the management of their cases’ and ‘legitimate interests’.
Your medical records may be audited as part of our clinical governance protocols, but any outcomes will be anonymous and not contain any identifiable information. When we provide your organisation with service usage reports, called Management information, all the data will be anonymised, so no individual will be identifiable either.
Our commitment to you with regard to your data from a legal and ethical perspective
- We will process your data lawfully, fairly and in a transparent manner, ensuring we only collect the data for specific, explicit and legitimate purposes.
- We will inform you of what information we are processing about you, and will never use it for any other purposes, such as marketing.
- We will ensure the data is relevant, adequate and limited to what we need to know to assess your fitness for work, to treat you or your wellbeing.
- We will endeavour to ensure the data is accurate and, where necessary, kept up to date.
- We will process it in a manner that ensures suitable and sufficient security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- We will not hold the data for longer than necessary. Generally, occupational health data is kept for a period of 8 years after the last annotation; however, for statutory documents (such as health surveillance records) we will need to keep them for up to 40 or 50 years, depending on which type of record they are.
- Health Partners will not transfer any of your data outside the United Kingdom if you are based in the UK. If you are based in Ireland, it will be held in the UK and potentially also in Ireland, if you are assessed there. The UK and EU have appropriate measures in place to ensure data can transfer between the two. We also have an ‘EU Representative’ as required by law.
- Individuals have a right to withdraw consent at any time.
- An individual has the right to have inaccuracies amended. Any factual inaccuracies will be amended promptly, and the information noted on the case. This right does not, however, include an individual’s right to have ‘clinical opinions’ amended; this remains the decision of the clinical author of the document.
- An individual may request copies of the information we hold on them at any time. These are referred to as Subject Access Requests.
Subject access requests
Individuals may request copies of their occupational health records or parts thereof, at any time. These requests are known as subject access requests (SARs). An individual may also request that a copy of their occupational health records is sent to a third party, such as a solicitor.
If an individual wants access to their occupational health records, we ask that the request be made in writing to ensure the security of your sensitive data. The letter or email must include:
- Your full name,
- Your date of birth,
- Your address,
- You must expressly request your occupational health records from Health Partners.
It should also contain a signature, if in letter form. If we receive the request by email, we may make an additional security check to ensure you are who you say you are. This is designed to protect your information.
If the request comes from a third party, such as a solicitor, then it is essential that we have the following information included in a consent form from the individual. The consent form should include:
- The individual’s full name,
- The date of birth,
- Their address,
- They must also expressly request their occupational health records from Health Partners (please do not ask for the occupational health records from the individual’s company as these records will only be the outcome reports which the company hold and not our full medical records),
- It must explicitly consent to us sending the records to the named third party, i.e. contain the words ‘I consent to the release …’,
- It must be signed by the individual.
If we receive a request from a third party, we may contact you to verify that the request is legitimate, and you have asked them to request the data.
Should you have any queries regarding data protection, there is further information available on the UK’s ICO website at www.ico.org.uk or, if you are based in Ireland, from the DPC, whose website is www.dataprotection.ie. The ICO is the government body responsible for data protection in the United Kingdom and the DPC is the governing body in Ireland.
If you have a complaint regarding data protection, please contact Health Partners’ Data Protection Officer via firstname.lastname@example.org initially.
This document is the equivalent of a privacy notice.