For many companies, the issue of data protection presents a variety of problems, particularly when they hire third party services that require access to and have the responsibility to gather personal information for employees.

In today’s world, the fact that a company can say they are fully compliant with all data protection legislation doesn’t mean they are – when they choose to form a relationship with any third party, employers need to go that extra mile to make sure data is safe and will remain so in the future.

Nowhere is this more important than in the occupational health industry where sensitive personnel and medical data is often handled.  Whether you are small company with less than ten employees or a multi-national responsible for thousands of staff, the challenges remain the same if you want to comply with legislation or be on the wrong side of legal action for wrongful disclosure.

This not only applies to the time when the occupational health team are providing their service but also must continue after the relationship has ended with any data that remains on record, either with the employer or the occupational health provider, kept secure.

The information given to an occupational health professional, of course, cannot be shared unless the employee has given their consent – even to the employer who has arranged the appointment in the first place. Any storage or the way the information is handled must also comply with the Data Protection Act and the occupational health organisation is required to act accordingly, and that includes when this conflicts with what the employer actually wants.

Covering Confidentiality

Any employer who is looking to contract or outsource an occupational health team will need to be sure of several safeguards that means their employee data is in safe hands:

First of all, the OH team should be registered with the ICO or the Information Commissioner’s Office. This provides a set of guidelines for employers, individuals and organisations to follow and registered parties agree to comply with their obligations. Our registration number is ZA119351 and you can find out more about ICO by visiting their website.

Part of complying fully with the Data Protection Act is in ensuring the right processes are in place. For instance, all staff should have signed a confidentiality agreement and organisations need to make sure they only collect data for clearly defined purposes. On top of that, there are the important measures that need to be put in place if that data is to be fully protected. As we all know there is the threat of digital data being hacked into and an organisation likes ours takes certain measures to ensure data integrity.

• We encrypt confidential documents with AES-256 bit encryption which gives several layers of protection from outside attacks.
• We have the option to password protect the confidential reports we send out to clients
• In our terms and conditions we have a clause to protect IP throughout and beyond the life of our involvement in a contract. This means, even if a business relationship ends, we are bound by our terms and conditions not to reveal any IP.

Employers who contract an occupational health team are liable to the same restrictions and code of practice under the data protection act and, as such, have the same responsibility to safeguard employee information and data.