Privacy Notice
Business and Health Consultancy Ltd keeps and processes records that include personal information about clients and patients. Under the General Data Protection Regulation there are certain duties and rights related to holding this information. Due to the medical nature of our services we additionally hold medical, work and financial information. This type of information is classified as sensitive and there are additional legal and professional requirements for safeguarding it.
What information do we hold?
The information we hold is kept to a minimum and is required for the provision of occupational health services. This includes information we are required to hold to comply with professional standards. These standards are set by the General Medical Council, Nursing and Midwifery Council, Health and Safety Executive and others.
We do not hold the same details about every individual, as every case is different and therefore different requirements may apply.
Data we may hold:
Name, date of birth, national insurance number, contact details, address
Employer details
Workplace details
Medical information
Results of medical tests
Details about your GP or specialists
Information from other parties like your GP or other professionals
Reason for holding this information
Our clinical staff need to maintain personal information to meet statutory requirements and guidelines. It also enables us to keep an accurate record of the contacts we have had with you for medical and workplace assessments.
Article 9 of the GDPR refers to holding and processing special category data, which includes health data. Article 9 paragraph 2 (h) states that processing of occupational health data is justified.
Source of information
To carry out occupational health assessments we receive information from your employer and yourself. In some cases we may receive additional information from other professionals.
Right to be forgotten
The GDPR does include a right of the data subject to request erasure. However, regarding medical data this right is superseded by other laws and regulations. Therefore the right to be forgotten is limited by other legal requirements.
Duration information is kept
The requirement to keep information and the retention time are regulated by a number of laws and regulations. The most important ones are:
Health and Safety at Work Act 1974
Management of Health and Safety at Work Regulations 1999
Workplace (Health, Safety and Welfare) Regulations 1992
Control of Substances Hazardous to Health Regulations 2002
Control of Asbestos Regulations 2012
The Control of Lead at Work Regulations 2002
Ionising Radiation Regulations 2017
Work in Compressed Air Regulations 1996
The Control of Noise at Work Regulations 2005
Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995
The Control of Vibration at Work Regulations 2005
Confined Space Regulations 1997
Working at Height Regulations 2005, amendment 2007
Personal Protective Equipment Regulations 1992
Display Screen Equipment Regulations 1992
The Working Time Regulations 1998, amendment 2003
The Private and Voluntary Health Care (England) Regulations 2001
Information | Retention period
Health surveillance medical information | 40 years from last entry
Health surveillance medical information related to ionising radiation | until age 75 and at least 30 years
Occupational health medical records | at least 8 years from date of last entry; best practice is 10 years from last entry
Financial information | minimum of 6 years from last entry
The listed retention times are minimum times, and information is assessed individually to determine whether a longer retention time is required (for example, for assessing vaccination and immunity the lifetime vaccination schedule is required to make a proper assessment).
Confidentiality and security
Medical records are kept confidential on a central server. The information is only accessed by occupational health staff for the provision of the service. Paper notes are used for between 3 months and 3 years depending on the case. They are then stored electronically according to GDPR requirements.
Due to professional requirements data cannot be anonymised for the performance of the medical assessment. We use encryption for safeguarding.
We do not share information with third party organisations without the consent of the data subject. We only release a report to your employer with your consent. You can withdraw consent at any time up until the report has been sent.
There are some legal requirements which can overrule the need for consent. Disclosure can be a legal obligation where a court, tribunal or regulator exercises its power to order a disclosure, or where disclosure is in the public interest (e.g. if a person is putting others at significant risk).
Access to personal information
You have the right to request access to the information held about you. Please use our contact page to get in touch with us. The first copy is free and will usually be sent by email. Repeated or excessive requests can be chargeable.
Due to the sensitive nature of the information we may request additional information to establish your identity.
Medical information has to comply with additional requirements. A healthcare professional can therefore withhold information if it is felt that disclosing it may cause serious harm to the physical or mental health of the individual.
Should any information we hold be inaccurate, we would expect you to inform us so we can amend your information.
Raising Concerns
If you have any concerns about the data we hold about you or how we use and process it, please get in touch with us via the contact page of the website to contact our Data Protection Officer. If you are still not satisfied you may contact the Information Commissioner's Office. Our registration number is Z9181912.
Access to information from other healthcare professionals
We do not have access to your GP notes or the medical files of other healthcare professionals. If we feel that access to medical information held by other healthcare professionals would be of benefit, we will ask you for consent before contacting your GP or specialist.
Decision making
We do not use automated decision making. Assessments are carried out by qualified healthcare professionals.
For answers to any further questions you may wish to refer to our Terms and Conditions at http://www.businessandhealth.co.uk/Business.php