GDPR Privacy Notice
Drayton Medical Services Ltd is committed to protecting your personal information and complying with the GDPR, with reference to Article 6(1)(f), Article 9(2)(b) and (h), and Article 9(3). This statement sets out how the Occupational Health Service may use and process such personal information.
What Data will be collected?
The following data may be collected, held and shared by Drayton Medical Services Ltd:
- Personal information (e.g. Name, Address, Date of Birth).
- Personal characteristics (e.g. ethnicity, gender).
- Past and present job
- Health and medical information which is a “special category” of
Why is it collected and what is the “lawful basis” for processing your data?
Our lawful basis for processing your data is:
- Legal obligation: the processing of your information and data is necessary for us to comply with the law, which includes health & safety legislation and employment legislation, and to support your Employer in complying with the same law, as we are acting as their agent and Occupational Health provider:
- To assess the working capacity of an employee;
- To ensure the health & safety of the employees at work & allow consideration of any adjustments that may be required to support their ability to work.
- Vital interests: Processing your data includes our interest in protecting life. Part of our work will be to help protect your health from harm that may potentially arise from work processes.
- Special category data is collected for the “purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health”. This refers to the medical information we have from consultations with you and that which we receive, with your consent, from your GP, Medical Consultants, Specialists and Therapists. The processing is also subject to conditions and safeguards specified by relevant nursing and medical professional bodies.
- Statutory Health Surveillance is performed due to specific legal regulations. This is to monitor your exposure to substances e.g. asbestos, lead or to protect the public from Hepatitis B. If your employer has asked us to perform Statutory Health Surveillance then they will create a basic health record with the following details:
- Employee’s name, address and national insurance number;
- Substance/process they are exposed to and when;
- Surveillance that has been done on them along with the name of the tester, and the outcome, e.g. fit/unfit/fit with adjustments.
Who will it be collected from?
- You are the data subject “the Employee”;
- Your Employer e.g. Human Resources and/or line managers should receive your consent to share your personnel and medical information they hold and wish to pass to the Occupational Health service;
- The doctors/health professionals who treat you (with your consent) e.g. GP, Specialists, Consultants and Therapists;
- On occasion our Occupational Health service will need to commission an Occupational Health assessment from an associate Occupational Health professional that we may refer you to as part of our assessment processes and who will also follow our informed consent processes and safeguarding of your data.
How will it be collected?
- Verbally via telephone calls and face to face conversations;
- In writing, which can include forms you and/or your Employer may complete (e.g. health assessment forms, management referral forms), emails from you or your employer and from other parties (e.g. GP letters). These may be sent to us electronically and/or by surface mail;
All exchange of information will be subject to informed consent processes and safeguarding of your data.
Storage & Use of Records
The information Drayton Medical Services Ltd collects and stores on computer may be transferred to, processed, and stored at a destination outside of Drayton Medical Services Ltd. Drayton Medical Services Ltd will take all steps reasonably necessary to ensure that your information is treated securely and in accordance with this Privacy Statement.
Administrative support staff can access your information on a “need to know” basis, e.g. to book appointments and process reports. All administrative staff are obliged to follow our confidentiality policies and have a contractual obligation to preserve it.
You have a statutory right of access to your Occupational Health records (in full or in part) under the GDPR, or to authorise a third party, such as a legal adviser, to exercise that right on your behalf. If you would like a copy of some or all of your personal information, please contact our administration team for a form to complete.
We want to make sure that your personal information is accurate and up to date and therefore you may ask us to correct or remove information you think is inaccurate.
You have the right to object to your personal information being shared with other healthcare providers for your own care. Please speak to Drayton Medical Services Ltd if you wish to object but this may limit the treatment that you can receive. You also have the right to have any mistakes or errors corrected.
We are not aware of any circumstances in which you will have the right to delete correct information from your medical record, although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information, and to contact us if you hold a different view.
If you feel uncomfortable providing any of the information requested by Drayton Medical Services Ltd then please do not hesitate to raise your concerns with the employee requesting the information or the Drayton Medical Services Ltd Operations Manager.
You have the right to complain to the Information Commissioner's Office (ICO) if you feel there is a problem with the way that we handle and store your information: visit https://ico.org.uk/global/contact-us/ or call the helpline on 0303 123 1113.
Personal Data Breaches
Any Drayton Medical Services Ltd Occupational Health staff dealing with personal and sensitive data, as well as our processing system ‘Clinic-Assist’, are data processors.
All data processors will report any data breaches to the data controller, who is the Operations Manager. This includes data, both personal and sensitive, that is lost, stolen, altered, or disclosed/released without consent.
The controller will report this breach to the ICO within 72 hours.
Clinical information will only be kept for as long as it is needed.
- New Starter Questionnaires for 1 year after they were received.
- Occupational Health Files for 6 years after you leave your job, or when we are notified by your employer after the 6-year period or until your 75th birthday, whichever is sooner.
- Health Surveillance records will be kept for 40 years or passed to a new OH provider if we stop trading, or to HSE for safe keeping.
The Data Controller: Drayton Medical Services Ltd, The Sanderson Suite, 280A Havant Road, Drayton, Portsmouth, Hampshire, PO6 1PA
Access to personal information
You have a right under the General Data Protection Regulations 2016 to request access to view, or to obtain copies of, the information Drayton Medical Services holds about you and to have it amended should it be factually inaccurate.
In order to request this, you need to do the following:
- Your request must be made in writing to Occupational Health (Drayton Medical Services Limited).
- We are required to respond to you within 40 days.
- You will need to give adequate information (for example full name, address, date of birth, and details of your request) so that your identity can be verified and your records located.
Objections / Complaints
Should you have any concerns about how your information is managed at Drayton Medical Services, please contact the Office Manager at the following address:
Drayton Medical Services Ltd
The Sanderson Suite
280 Havant Road
If you are still unhappy following a review by Drayton Medical Services, you can then complain to the Information Commissioner's Office (ICO) via their website (www.ico.gov.uk).
The General Data Protection Regulations 2016 require organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.
This information is publicly available on the Information Commissioner's Office website, www.ico.org.uk.
Drayton Medical Services is registered with the Information Commissioner's Office (ICO).
Who is the Data Controller?
The Data Controller, responsible for keeping your information secure and confidential, is:
Drayton Medical Services Limited & Huhtamaki.
Who is the Data Processor?
The Data Processor, whose processing is necessary for the purpose of preventive or occupational medicine and for the assessment of the working capacity of the employee, is Drayton Medical Services Limited.