Privacy Policy – Health Surveillance

Staywell Occupational Health Ltd

Data Protection Privacy Notice (health surveillance and fit for task medicals)

This notice explains what personal data (information) we will hold about you, how we collect it, and how we will use and may share information about you during the online booking process. We are required to notify you of this information, under data protection legislation. Please ensure that you read this notice (sometimes referred to as a ‘privacy notice’) and any other similar notice we may provide to you from time to time when we collect or process personal information about you.

Who collects the information

Staywell Occupational Health Ltd (‘Company’) is a ‘data controller’ and gathers and uses certain information about you.

Data protection principles

We will comply with the data protection principles when gathering and using personal information, as set out by the Faculty of Occupational Medicine.

About the information we collect and hold

The table set out below summarises the information we collect during the operation of our health surveillance service and fit for task medicals, how and why we do so, how we use it and with whom it may be shared.

We seek to ensure that our information collection and processing is always proportionate. We will notify you of any changes to information we collect or to the purposes for which we collect and process it.

Where information may be held

Information may be held at our offices and by our representatives and agents.

How long we keep your information

We keep the personal information that we obtain about you from the appointment for at least 40 years. This complies with the HSE requirement that health records relating to Control of Substances Hazardous to Health (COSHH) are kept for at least 40 years.

Your rights to correct and access your information and to ask for it to be erased

Please contact our head office by email at admin@staywelloh.co.uk or by phone on 0800 4714941 if (in accordance with applicable law) you would like to request access to information that we hold relating to you or if you have any questions about this notice. You also have the right to ask for some but not all of the information we hold and process to be erased (the ‘right to be forgotten’) in certain circumstances.

Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

How to complain

We hope that our Head Office can resolve any query or concern you raise about our use of your information. If not, contact the Information Commissioner at https://ico.org.uk/concerns/ or telephone: 0303 123 1113 for further information about your rights and how to make a formal complaint.

As a private occupational health provider, we process data under the following lawful bases outlined by GDPR:

Article 6 (1) (f): processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party.

Article 9 (2) (h): processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems or services.

The information we collect: ‘Your name’

How we collect the information: From your employer and you

Why we collect the information: Article 6 (1) (f): processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party.

How we use and may share the information: This data is collected to identify you and manage screening bookings. A list of names is provided to the clinician at the beginning of the clinic. Your employer has access to the names of individuals making bookings.

The information we collect: ‘Date of Birth’

How we collect the information: From you

Why we collect the information: Article 6 (1) (f): processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party.

How we use and may share the information: This is required to calculate your age to ensure the data collected is analysed against the appropriate values. This also acts as a further identifier. Your employer will be provided with a results matrix following testing which contains your date of birth.

The information we collect: ‘Health information’

How we collect the information: From you

Why we collect the information: Article 6 (1) (f): processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party. Article 9 (2) (h): processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems or services.

How we use and may share the information: This refers to the health information provided by completing a questionnaire. The reviewing clinician will use this health information to help assess your suitability for the role, support any findings that are discovered during testing and compare any declared symptoms against working environments and practices.

The information we collect: ‘Health data’

How we collect the information: From you

Why we collect the information: Article 6 (1) (f): processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party. Article 9 (2) (h): processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems or services.

How we use and may share the information: This refers to the health data collected by the clinician carrying out physical tests. Examples include but are not limited to: lung function, hearing and blood pressure. The clinician will compare this data to your health information to aid them in reaching any decisions. This data will be compared against a set of HSE standards to categorise the data. Categorised data will be sent to your employer to form part of their health and safety obligations to their employees. Raw health data will never be sent to your employer without your implicit consent.

The information we collect: ‘Email Address’

How we collect the information: From you

Why we collect the information: Article 6 (1) (f): processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party. Article 9 (2) (h): processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems or services.

How we use and may share the information: Only collected if a need for further OH intervention is identified. This may be used to contact you if a further appointment needs to be booked.

The information we collect: ‘Phone number’

How we collect the information: From you

Why we collect the information: Article 6 (1) (f): processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party. Article 9 (2) (h): processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems or services.

How we use and may share the information: Only collected if a need for further OH intervention is identified. This may be used to contact you if a further appointment needs to be booked.

Last updated 30/09/2019