Occupational Health Privacy Notice

The Royal Devon is a new organisation following the integration of the Royal Devon and Exeter NHS Foundation Trust and the Northern Devon Healthcare NHS Trust. 

This Privacy Notice explains what personal information we collect from you, how we store this personal information, how long we retain it and with whom and for which legal purpose we may share it. 

Who we are

Exeter Occupational Health Service is one of the departments based at the Royal Devon and Exeter Hospital (RD&E). For further information please refer to the Information Governance page and Occupational Health page on our Intranet pages on HUB and BOB. 

Why do we collect personal information about you?

The staff caring for you will need to collect and maintain information about your health and treatment so that the best possible advice can be given for you to your manager/University for preventive and occupational health reasons. This advice could encompass your fitness to work or to train and any support that will be helpful for you. We may also provide preventive advice, e.g. to stop smoking and, for clinical workers/students, whether your immunisation status is up to date. Our Physiotherapy and Staff Support and Counselling services will also store information about your care and treatment. This personal information can be held in a variety of formats, including paper records, electronically on computer systems, and in video and audio files.

The Exeter Occupational Health Service, on behalf of your employer/University, collects, stores and processes personal information about prospective, current and former staff/students to ensure compliance with legal, professional body or industry requirements.

We recognise the need to treat staff/students' personal and sensitive data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met. Your information will never be sold for direct marketing purposes. The Exeter Occupational Health Service is required to protect your personal information, inform you of how your personal information will be used and allow you to decide if and how your personal information can be shared. The personal information you provide to the Service in confidence will only be used for the purposes explained to you and to which you have consented, unless there are exceptional circumstances, such as when the health or safety of others is at risk, where the law requires it or there is an overriding public interest to do so. Where there is cause to do this, the Service will always do its best to notify you of this sharing.

What is our legal basis for processing your personal information?

The main legal basis for Occupational Health processing your personal information is as below:

Article 6 (1) (e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Article 9 (2) (b): processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment or social security or social protection.

Article 9 (2) (h): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems or services.

We hold and process your information in accordance with the Data Protection Act 2018 as amended by the GDPR 2016, as explained above. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.

We have a duty to:

  • maintain full and accurate records of the care we provide to you
  • keep records about you confidential and secure
  • provide information in a format that is accessible to you

The Occupational Health Department does not require explicit consent of employees to process their personal data if the purpose falls within the legal basis detailed above. However, in line with General Medical Council and Faculty of Occupational Medicine Good Medical Practice guidelines, we will seek explicit consent wherever practicable.

For further information on this legislation please visit: http://www.legislation.gov.uk/

What personal information do we need to collect about you and how do we obtain it?

Personal information about you will be collected directly from you during your recruitment and employment. Further personal information may be collected in undertaking management referrals, health surveillance, immunisations or providing physiotherapy and counselling services. Personal information may also be collected from healthcare professionals in certain circumstances e.g. from your GP or treating specialist.

In order to carry out our activities and obligations as a service we handle data in relation to:

  • Personal demographics (including name, date of birth, occupation, gender)
  • Contact details such as names, addresses, telephone numbers and GP contact(s)
  • Employment history
  • Details about your manager or University administrator
  • Occupational health information and notes (medical information including physical health or mental condition, learning or developmental disabilities, results of any investigations e.g. x-rays and laboratory tests, smoking and drinking status, immunisation data, contact tracing data, health surveillance records, COVID-19 risk assessments)

What do we do with your personal information?

Your personal information is processed for the purposes of:

  • Contact details such as names, addresses, telephone numbers to remind you about your appointments and send you relevant correspondence
  • GP contacts in case of emergency
  • Providing clearance for fitness to work/train
  • Providing physiotherapy care
  • Providing counselling care and support
  • Providing advice to management about on-going fitness to work or train and adjustments/aids to support working/training
  • Providing relevant immunisation and prophylactic treatment following contact tracing
  • Undertaking assessments for consideration of retirement on the grounds of ill health
  • Undertaking Health Surveillance
  • Undertaking COVID-19 risk assessments
  • To help train and educate health professionals
  • Occupational Health Services
  • Review of care e.g. anonymous auditing or service improvement to ensure we provide the relevant high quality service
  • Report and investigate complaints, claims and untoward incidents
  • Report events to the appropriate authorities when we are required to do so by law e.g. for communicable disease, under RIDDOR
  • Health promotion/preventative activities

Our service will provide specific reasons for the majority of the work undertaken below in the consent/information leaflets that you will be provided before such duties are carried out by Occupational Health.

Where possible, we will always look to anonymise/pseudonymise your personal information so as to protect patient confidentiality, unless there is a legal basis that permits us to use it, and we will only use/share the minimum information necessary.

Who do we share your personal information with and why?

We will not routinely disclose any information about you without your express permission. However, in order to enable effective staff administration, with your consent, we will share the information which you provide during the course of your employment (including the recruitment process) with the NHS Business Services Authority for maintaining your employment records, held on systems including the national NHS Electronic Staff Record (ESR) system. In addition to this, we may also share with Health Education England, Academic faculties and other NHS Trusts.

Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Personal Information is only shared with those agencies and bodies who have a "need to know" or where you have consented to the disclosure of your personal data to such persons.

Where possible, we will always look to anonymise/pseudonymise your personal information so as to protect confidentiality, unless there is a legal basis that permits us to use it, and will only ever use/share the minimum information necessary. However, there are occasions where the Trust is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud. For any request to transfer your data internationally outside the UK/EU we will make sure that an adequate level of protection can be satisfied before the transfer.

We are required to protect your personal information, inform you of how your personal information will be used and allow you to decide if and how your personal information can be shared. Personal information you provide to Exeter Occupational Health Service in confidence will only be used for the purposes explained to you and to which you have consented, unless there are exceptional circumstances, such as when the health or safety of others is at risk, where the law requires it or there is an overriding public interest to do so.

There are a number of circumstances where we must or can share information about you to comply with or manage:

  • Disciplinary/investigation processes; including referrals to Professional Bodies, e.g. NMC and GMC
  • Legislative and/or statutory requirements
  • Court Orders which may have been imposed on us
  • NHS Counter Fraud requirements
  • Request for information from the police and other law enforcement agencies for the prevention and detection of crime and/or fraud if the crime is of a serious nature
  • Under the Freedom of Information Act, we are obliged as a public sector body to release relevant anonymous data following a legitimate request

Where there is cause to do this, Exeter Occupational Health Service will always do its best to notify you of this sharing.

How we maintain your records

Your personal information is held in both paper and electronic forms for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements.

Your data will be securely stored at Exeter Occupational Health Service, Heavitree Hospital and on relevant secure servers at the Royal Devon and Exeter NHS Foundation Trust.

Your Occupational Health data will be retained for the period of the person’s employment/University course plus six years or until their 75th birthday, whichever is the sooner. For Health Surveillance health records, different criteria for storage apply. The Health Surveillance health record is not confidential to OH and can be kept by management. The detailed clinical records with the results of the tests and other clinical information should be kept separate in the confidential OH record and not disclosed without consent. The health record should be kept for 40 years (30 years in the case of ionising radiation).

Use of email: some services in the Trust, like Occupational Health, provide the option to communicate with patients via email. Please be aware that the Trust cannot guarantee the security of this information whilst in transit and by requesting this service you are accepting this risk.

Further information can be found in our Information Governance policies.

What are your rights?

If we need to use your information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent. The Data Protection Act 2018 gives you certain rights, including the right to:

  • Request to access the personal data we hold about you, e.g. personnel records. If you wish to do this, please contact the Trust’s Occupational Health Department in writing. Please remember to include details of the information you require plus contact details and two forms of identification, such as a copy of your driving licence/passport and also a document with your name and address on, such as a utility bill
  • Request the correction of inaccurate or incomplete information recorded in our records, subject to certain safeguards
  • Request that your information be deleted or removed where there is no need for us to continue processing it and where the retention time has passed
  • Ask us to restrict the use of your information where appropriate
  • Ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information
  • To object to the use of your personal information: in certain circumstances you may also have the right to ‘object’ to the processing (i.e. sharing) of your information where the sharing would be for a purpose beyond your care and treatment (e.g. as part of a local/regional data sharing initiative). This so-called ‘Data Opt-out’ initiative, developed by Dame Fiona Caldicott, is set to commence in 2018 and conclude in March 2020. Further information can be found here
  • To challenge any decisions made without human intervention (automated decision making)
  • To have your personal information transferred to other providers on certain occasions
  • To refuse/withdraw consent to the sharing of your health records: Under the Data Protection Act 2018 we are authorised to process, i.e. share, your health records ‘for the management of healthcare systems and services’. Your consent will only be required if we intend to share your health records beyond these purposes, as explained above (e.g. research). Any consent form you will be asked to sign will give you the option to ‘refuse’ consent and will explain how you can ‘withdraw’ any given consent at a later time. The consent form will also warn you about the possible consequences of such refusal/withdrawal.

