Occupational Health privacy notice
The Occupational Health Department is part of the University of Leicester. The University of Leicester Occupational Health Department is the Data Controller and the Data Processor for your Occupational Health Records.
As your OH records are also classed as a 'clinical record' we also have a legal and ethical duty (under relevant health professional codes of conduct) not to disclose confidential medical information to third parties, including your manager or HR, without your informed written consent, unless there is a grave risk of serious harm to others or is the subject of a court order.
This privacy notice explains how we use your personal information and your rights regarding that information
Why are you collecting my data?
To enable us to provide an Occupational Health and Wellbeing Service to University of Leicester staff and students.
What information are you collecting?
- Personal information, e.g. name, address, date of birth, National Insurance number
- Personal characteristics e.g. ethnicity, gender etc.
- Contact details e.g. telephone and email
- GP and/or specialist contact details
- Past and present occupational job roles and occupational exposure
- Health information that would be classed as ‘special category data’
- Details of medical investigations and biological testing
Who are you collecting data from?
- You (the data subject)
- Your manager and Human Resources
- Health specialists/services that we may refer you to as part of our assessment process
- With your consent, your GP or other specialists from whom you have received treatment
How will it be collected?
- Verbally, either via telephone calls or face to face conversations
- In writing or electronically via forms that you or your manager complete as part of the management referral process or for health surveillance, or via reports sent to us from other parties, e.g. from your GP
How will you use this data?
We use this data to:
- Identify you and ensure that your medical information is filed correctly
- Assess your health and your fitness to work
- Provide advice to managers on the impact of your health on work and work on your health
- Identify a baseline of your health against which to measure any future changes
- As the basis on which to provide advice to management on fitness for work and any adjustments that would help you to do your work
- Identify any additional support that would help you to improve your health
- Identify health trends within the University to enable targeted health and wellbeing strategies
What is the legal basis for processing the data?
The information collected by the Occupational Health Department is classed as Special Category Data as it is more sensitive than other forms of personal data. In order to process Special Category Data we must have a Lawful Basis under Category 6 and a separate Condition under Article 9.
Article 9 (2) condition (h) states:
“Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.”
We are processing your data on the following Lawful Basis:
- It is necessary to process your health data in order to enable you to comply with your contract of employment.
- It is necessary to enable the University to comply with legal obligations under the Health and Safety at Work etc Act 1974, to protect your health and safety at work as far as is reasonably practicable.
- It is necessary to protect the vital interests of you and your colleagues.
In addition, we will ask for your consent to process your data and ensure that you are kept fully informed.
If you are sharing my data with others, who are you sharing it with?
Information on your fitness to work is shared with your line manager, department safety officers and HR with your consent, however where withholding this information could impact on your health and safety and the health and safety of others, information on your fitness to work will be provided to management and to HR without your consent. In cases where we are unable to gain your consent, or where your consent is withheld and we need to share information anyway, you will always be informed.
Details of your medical conditions will not be shared with anyone outside Occupational Health without your consent.
Anonymised statistical data is shared with senior members of the University to help us to plan the service and monitor health trends in the workplace.
How long will you process my data for?
All data will be retained for the duration of your employment with the University and for 6 years following your leaving date, with the exception of Health Surveillance information. This will be stored for 40 years to comply with Health and Safety Control of Hazardous Substances at Work (COSHH) 2012 legislation. Information on Radiation Medicals will be stored for 50 years to comply with the Ionising Radiation Regulations. Health Declarations for the assessment of fitness to work or study will be retained for 2 years following completion of study or termination of contract of employment. The above will be applied, unless there are good clinical or legal reasons to keep them for a longer period.
Who will be processing my data?
Occupational Health administrative staff, and the Occupational Health Nurses and Doctors will have access to your data when required and are responsible for processing in line with internal Information Governance protocols and Professional Codes of Conduct.
How will the data be stored?
Your records will be stored securely and confidentially in accordance with the Occupational Health Department Information Governance protocol, either in locked filing cabinets, or on secure digital servers. Every attempt will be made to keep your data secure when we are transmitting it to 3rd parties.
What are my rights?
You have statutory right of access to your occupational health records (in full or in part), or to authorise a third party, such as a legal adviser, to exercise that right on your behalf.
The request should be made in writing clearly outlining to us what records you wish to see. We will endeavour to provide the information without delay and at the latest within one month of receipt. If the request is complex/numerous we may extend this timeframe by a further two months; if this is the case we will inform you why the extension is necessary within one month of your request.
This information will be provided without charge
We may request additional written consent from you if a third-party request is made under our legal and ethical duty to protect your medical confidentiality.
You can request that an amendment is attached to your OH record if you believe any of the information held by us is inaccurate or misleading.
You do not have a “right to erasure” of your data as the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This applies as your data is being processed by and under the responsibility of a health professional under the relevant professional codes of conduct.
If you require any further information, please contact the Occupational Health Manager via firstname.lastname@example.org or call 0116 252 3263