Occupational Health Privacy Notice
This statement is provided with the intention to comply with your right to be informed under the General Data Protection Regulation.
We are the data controller and processor of this information although your employer will have responsibilities as well as a data controller and you should speak with them as to the name of the officer responsible for the protection of your data that they hold.
The data we gather, store and process will be in order to comply with your employers legal obligations that may include tests for health surveillance or in the legitimate interest of ensuring you are fit to complete the role and/or assignment that includes identifying any reasonable adjustments to comply with the Equality Act. Additionally processing of this data is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis and / or the provision of health related services.
The officer responsible for the protection of your data from our organisation is:
Data Protection Officer (DPO)
0161 785 2000
Elas, Charles House, Albert Street, Eccles, Manchester M30 0PW
Your data will be used to assess your fitness for the role and/or assignment and to assess whether any further consideration is necessary before your employer can determine your fitness for the role and/or assignment.
This is done on the basis of the legitimate interests of the employer to safeguard your health, safety and welfare and the health, safety and welfare of your colleagues, clients and third parties in the workplace. Your data is also processed in accordance with a contractual requirement between us and your employer. The failure to provide us with the data may impact upon your recruitment, employment or tasks, duties and responsibilities with your role and/or assignment. You should discuss the further impact of this with your employer.
The recipients of your data are us and your employer. In some circumstances it will be necessary for your data to be passed to a third party application where you work within specified industries and provide affirmative consent for this to happen. You will be advised of this requirement as part of the assessment. Examples of this will include:
• Data being uploaded onto the constructing better health portal for the processing and reporting of health
outcomes to employers and contractors
• Data being uploaded onto the Sentinel system for the processing and reporting of health outcomes and
restrictions to employers and sponsors.
• Data being passed to a laboratory for tests that you have consented to as part of your assessment. These
will include blood tests or drugs testing procedures in both urine and saliva.
It is not anticipated that there will be any other recipients nor any transfers of data to a third country (Outside of the EU). Accordingly, it is considered that safeguards for the transfer of data to a third country are not necessary.
Your data will be kept for the duration of your employment and for a further period thereafter of 6 years. This period has been set for the protection of the controller and the processor throughout your employment and for a period thereafter in the event of any professional negligence or breach of contract claims. If such a claim has been filed, the data will be retained for a period of 6 years following resolution of that claim and for 6 years following the resolution of any further claims. This period has been determined for the protection of the controller and the processor in the
event any professional negligence or breach of contract claims. Where the tests include statutory health surveillance such as lead, asbestos or to comply with COSHH then the records will be stored for up to 40 years, in instances where tests are to comply with the Ionising radiation regulations then records will be stored for up to 50 years in compliance with the law.
You have the right to be informed of fair processing information with a view to transparency of data. This statement is intended to fulfil that right. You have the right to access the information we hold. You should make such a request in writing to the Data Protection Officer using the above contact information. A request can also be made to your employer’s Data
Protection Officer or person responsible for Data Protection. You have the right to request the information we hold is rectified if it is inaccurate or incomplete. You should contact
the Data Protection Officer using the above contact information and provide him with the details of any inaccurate or incomplete data. We will then ensure that this is amended within one month. We may, in complex cases, extend this period to two months. A request can also be made to your employer’s Data Protection Officer or person responsible for Data Protection.
You have the right to erasure in the form of deletion or removal of personal data where there is no compelling reason for its continued processing. We have the right to refuse to erase data where this is necessary in the right of freedom of expression and information, to comply with a legal obligation for the performance of a public interest task, exercise of an official authority, for public health purposes in the public interest, for archiving purposes in the public interest, scientific research, historical research, statistical purposes or the exercise or defence of legal claims. You
will be advised of the grounds of our refusal should any such request be refused.
You have the right to restrict our processing of your data where you contest the accuracy of the data until the accuracy is verified. You have the right to restrict our processing of your data where you object to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our organisation’s legitimate grounds override your interests. You have the right to restrict our processing of your data when processing is unlawful and you oppose erasure and request restriction instead. You have the right to restrict our processing of your data where we no longer need the data and you require the data to establish, exercise or defend a legal claim. You will be advised when we lift a restriction on processing.
You have the right to data portability in that you may obtain and reuse your data for your own purposes across different services, from one IT environment to another in a safe and secure way, without hindrance to usability. The exact method will change from time to time. You will be informed of the mechanism that may be in place should you choose to exercise this right.
You have the right to object to the following:
• processing based on legitimate interests or the performance of a task in the public interest/exercise of
official authority (including profiling);
• direct marketing (including profiling); and
• processing for purposes of scientific/historical research and statistics
The data collected is not anticipated to fall within the above categories. Whilst there is no anticipated automated decision making relating to the data you provide, you have rights where there is automated decision making including profiling. We may only do this where it is necessary for the entry into or performance of a contract, authorised by EU or the UK law or based on your explicit consent. Whilst it is not anticipated that this will occur, where it does, we will give you information about this processing, introduce to you simple ways for you to request human intervention
or challenge a decision, and carry out regular checks to ensure that our systems are working as intended.
You have the right to withdraw your consent at any time.
You have the right to lodge a complaint with a supervisory authority such as the Information Commissioner’s Office or any other of our regulators or accreditors that may regulate or provide accreditations to us from time to time. We advise that you exhaust our internal complaints procedure prior to referring the matter to any supervisory, regulatory or accrediting body. A copy of our complaints process is available from the Data Protection Officer at the contact information above.