This privacy policy explains how we process any personal or sensitive information we collect about you when you are referred to or access our Occupational Health and Safety services. Shea Occupational Health Ltd is committed to protecting the rights of the individual and acknowledges that any personal data of yours we handle will be processed in accordance with the Data Protection Act 1998 and the General Data Protection Regulation (EU) 2016/679 (the "GDPR").
Application
This Notice applies to clients of Shea Occupational Health Ltd and their employees.
Changes to our Privacy Policy
We keep our privacy policy under regular review at least annually.
Who We Are
Shea Occupational Health Ltd has its registered office at 2 Church St, Burnham, Slough SL1 7HZ. Our operations address is 8 Homewood, George Green Bucks SL3 6AU. Shea Occupational Health Ltd can act as both data processor (we undertake the processing on behalf of and on the instruction of the data controller) and data controller (we decide how your personal data is processed and for what purposes).
Our Data Protection Officer
You can contact our Data Protection Officer using the following email address: dpo@sheaoh.co.uk.
Personal Data – What is it?
Personal data means information from which a living individual can be identified. Identification can take place using the information alone or in conjunction with any other information in the data controller’s possession or likely to come into the data controller’s possession. The processing of personal data is governed by the Data Protection Act 1998 and the General Data Protection Regulation (EU) 2016/679 (the "GDPR").
Data Protection Principles
In relation to your personal data, we will:
- Process it fairly, lawfully and in a clear, transparent way
- Collect your data only for reasons that we find proper for the course of your employment in ways that have been explained to you
- Only use it in the way that we have told you about
- Ensure it is correct and up to date
- Keep your data for only as long as we need it
- Process it in a way that ensures it will not be used for anything that you are not aware of or have not consented to (as appropriate), and will not be lost or destroyed
Sensitive Data – What is it?
Personal data of an individual, the data subject, relating to any of the following:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- data concerning health;
- data concerning sex life or sexual orientation;
- genetic data; or
- biometric data where processed to uniquely identify the data subject
- Health information e.g. this is classed as “special category data”.
How and why we use your personal data i.e. What is the lawful basis for processing the data?
- Our lawful basis for processing your data is:
- Legal obligation: the processing is necessary for us to comply with the law, namely relevant health and safety legislation and employment legislation, and to support your Employer in complying with the same law as we are acting as their agent.
- for the assessment of the working capacity of the employee.
- To ensure the health and safety of the employees at work and to allow consideration of any adjustments that may be required to support their ability to work.
- to prevent discrimination on the grounds of disability
- to give medical advice on applications for early retirement due to ill health.
- Vital interests: “the processing is necessary to protect someone’s life”. Part of our work will be to help protect your health from harm that may potentially arise from work processes e.g. exposure to chemicals.
- We need to process your “special category data” for the “purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health”. This processing is also subject to conditions and safeguards specified by relevant nursing and medical professional bodies.
We may also use your data for research, audit or statistical analysis to help us do our work. If this data is to be shared outside (OH Ltd.) it will be anonymised, so you are not identifiable.
What personal data do we collect about you?
We collect information about you and your health when you are referred to us as part of your
- Personal information (e.g. name, address, date of birth, email address, phone numbers)
- Characteristics (e.g. gender, ethnicity for health surveillance accuracy)
- Medical or health information including whether or not you have a disability
- National Insurance number, needed for Health Surveillance and Identification purposes
- Current and previous job titles, job descriptions, hours of work and other terms and conditions relating to your employment
- Documents provided to us by your employer (e.g. sickness absence leave records and any other documents relevant to the request for a service from your employer)
- Occupational health records
- Health surveillance records
- Relevant reports from other health practitioners e.g. General Practitioners and other treating specialists.
- Health information e.g. this is classed as “special category data”.
Where do we obtain your personal data?
Your personal data may come to us via
- Human Resources Personnel
- Managers
- You
- Health & Safety personnel
- Occupational Health Practitioners (e.g. occupational health physicians, nurses & technicians)
- Physiotherapists
- General Practitioners & treating hospital specialists
- Other treating health specialists
We can collect your data via different methods such as:
- Verbal (face to face or via telephone/Skype)
- Post
- Completed documents such as Health Questionnaires
- Occupational Health consultations/assessments
How do we store data?
This will be either as a physical paper copy (in fireproof locked cabinets, with the keys to the cabinets locked in a digitally locked key safe) or as an electronic record held on a secure server, digitally encrypted.
How do we process your personal data?
Shea Occupational Health Ltd complies with its obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of personal data; by protecting personal data from loss, misuse, unauthorised access and disclosure;
Why do we process your data?
For the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services based on Union or Member State law or a contract with a health professional (Article 9 (h))
- To ensure the health and safety of the employees at work and to allow consideration of any adjustments that may be required to support their ability to work.
- Data may also be used for research, audit or statistics but will be pseudonymised if this is the case
What Personal Data may be obtained and processed?
- Employment screening/job role change screening
- Sickness absence/fitness for work referral
- Health Surveillance
- Biological Monitoring
- Health Promotion and Wellbeing screening
- Vaccinations
- Ergonomics
- Drug and Alcohol Screening
- Self-Referrals
Sharing your personal data
Your personal data will be treated as strictly confidential and will only be shared with third party clinicians or providers of services such as counselling, physiotherapy or additional assessments. We will only share your personal data with third parties if you provide us with your consent, the sharing of your personal data is required by law, there is a substantial public interest for us to do so (such as a danger to the wider public), or the disclosure of your personal data is of overall benefit to you when we believe that you lack the capacity to consent. Where we do not rely on your consent to share your information we will only disclose the minimum amount of information necessary, avoiding releasing personal data where possible.
How long will we keep your personal data?
Shea Occupational Health Ltd will retain your personal data, your occupational health file, only for as long as we need that personal data for the purposes of the processing. At the most, we will retain your personal data in accordance with statutory requirements and / or your employer’s or your pension scheme’s retention policy.
Type of Data | Maximum Retention Period | Reason for length of period |
---|---|---|
Health Surveillance table Records | Dependent on specific guidance from the Health and Safety Executive. At least 6 years + 1 after the employee has left their job or 75 years of age (whichever is soonest). | Health and Safety Legislation and Guidance; Defence of legal claims |
Management Referrals | 6 years + 1 after the employee has left their job or 75 years of age (whichever is soonest) | As recommended by the British Medical Association (BMA); Defence of legal claims |
New Starter Screening | 6 years + 1 after the employee has left their job or 75 years of age (whichever is soonest). Information relating to employees who do not take up the job offer will be discarded after 2 years. | As recommended by the British Medical Association (BMA); Defence of legal claims |
Drug and Alcohol Screening | 6 years + 1 after the employee has left their job or 75 years of age (whichever is soonest) | Defence of legal claims |
Vaccinations | 6 years + 1 after the employee has left their job or 75 years of age (whichever is soonest) | As recommended by the British Medical Association (BMA); Defence of legal claims |
Well Being | All personal data other than non-individualised generic data destroyed immediately |
Where do we process your personal data?
We do not process any of your personal data outside of the European Economic Area.
Who is the data controller?
The Data Controller will normally be your employer, the Trustees or Trustee Representatives or Administrators of your Pension Scheme or Plan or those Pension organisations authorised by the Secretary of State.
Consent
Shea Occupational Health Ltd will seek your explicit consent to process your personal data with regards to occupational health and pension applications. This is the legal basis on which we will rely to process your personal data.
You have the right to withdraw your consent at any time. Please note that should you withdraw your consent, your employer or pension scheme may choose to act on the information they have.
Please note that failure to provide appropriate information may lead to our practitioners being unable to provide a suitable medical opinion on fitness or adjustments.
What are your rights?
Right of access:
The GDPR gives you the right to access copies of the personal data held about you. Your right of access can be exercised in accordance with the GDPR. The first copy of the personal data held about you will be provided free of charge but any subsequent copy will be subject to a reasonable fee based on the administrative costs of providing copies of the personal data to you.
Right to portability (the right to request an electronic copy of your personal data):
Where you provide personal data, you have the right to be provided with a structured, commonly used and machine-readable copy and have the right, in certain circumstances, to ensure that we transmit that personal data to another data controller without hindrance (the right to data portability).
Right to correct (rectification):
You have the right to ensure that we correct the records of any personal data held about you which are inaccurate. You also have the right to ensure that we complete any incomplete personal data held about you.
Right to erasure:
You have the right to ensure that we erase your personal data (the right to be forgotten).
Right to restrict processing:
In certain circumstances, such as where you have contested the accuracy of personal data, you have the right to restrict our processing of your personal data. That means that we will hold your personal data on file but that we cannot process that personal data. We will inform you if for any reason the restriction on processing your personal data is lifted. Where any rectification or erasure of personal data or restriction of processing has taken place, we shall communicate any rectification to you or erasure or restriction of processing to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. We shall, if you request, inform you about those recipients.
Exercising your rights:
If you wish to exercise any of your rights, or if at any point you believe the personal data we process is incorrect, you can request to see this personal data. If you would like a copy of the personal data about you that we process, or if you wish to have that personal data transferred to another company or organisation, please contact us at: karenshea@sheaoh.co.uk or rachelwhewell@sheaoh.co.uk.
If you wish to raise a complaint on how we have handled your personal data, please contact our Data Protection Officer dpo@sheaoh.co.uk.
Under the law, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO): https://ico.org.uk/.
Cookies and our use of Cookies