OHRD and General Data Protection Regulations (“GDPR”)
This privacy notice explains how OHRD process any personal or sensitive information we collect about you when you are referred (or access) our occupational health services.
WHO ARE WE?
Occupational Health Risk and Disability Limited (OHRD Ltd has its registered office c/o Fitzmaurice McConville, Oakmont House, 2 Queens Road, LISBURN BT27 4TZ).
OUR DATA PROTECTION OFFICER
Our Data Protection Officer is Dr Tony McGread, see below for all contact details.
PERSONAL DATA – WHAT IS IT?
Personal data means any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. The processing of personal data is governed by the General Data Protection Regulation (EU) 2016/679 (the “GDPR”).
SENSITIVE DATA – WHAT IS IT?
Personal data of an individual, the data subject, relating to any of the following:
racial or ethnic origin;
religious or philosophical beliefs;
trade union membership;
data concerning health;
data concerning sex life or sexual orientation;
genetic data; or
biometric data where processed to uniquely identify the data subject.
PROCESSING YOUR DATA
HOW AND WHY WE USE YOUR PERSONAL DATA?
OHRD carries out a range of occupational health services. We process and collect health information where necessary for the protection of health and safety, to prevent discrimination on the grounds of disability, and to provide advice to your employer or employer representative on fitness to work.
WHAT PERSONAL DATA DO WE COLLECT ABOUT YOU?
We process and collect information about you and your health when you are referred to us as part of your employer’s occupational health service, as part of your application of early retirement due to ill health or when you access any of our medical services including role specific medicals (for example, for work as a driver, at heights, safety or safety critical roles), statutory health and safety requirements (for example, relating to noise and hand arm vibration), for the provision of other services such as alcohol and drug testing, or wellness events. Data may include written, visual or audio formats.
WHERE DO WE OBTAIN YOUR PERSONAL DATA?
Your personal data may come to us via a referral from your employer or employer representative, your GP or Consultant or a provider of additional services such as physiotherapy or counselling. Alternatively, we may obtain personal data directly from you. Data provided by your employer or employer representative may be in written, visual or audio format.
HOW DO WE PROCESS YOUR PERSONAL DATA?
OHRD complies with its obligations under the GDPR by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of personal data; by protecting personal data from loss, misuse, unauthorised access and disclosure; and by ensuring that appropriate technical measures are in place to protect personal data.
SHARING YOUR PERSONAL DATA
The main purpose of occupational health is to provide medical advice to your employer or employer representative, so data will be shared with them, but only with your consent.
Your personal data will be treated as strictly confidential and will only be shared with third party clinicians or providers of services such as counselling, physiotherapy or additional assessments – we will only share your personal data with third parties if you provide us with your consent, the sharing of your personal data is required by law if there is a substantial public interest for us to do so (such as a danger to the wider public), or the disclosure of your personal data is of overall benefit to you when we believe that you lack the capacity to consent. Where we do not rely on your consent to share your information data, we will only disclose the minimum amount of information necessary, avoiding releasing personal data where possible.
HOW LONG WILL WE KEEP YOUR PERSONAL DATA?
OHRD will retain your personal data, your occupational health file, only for as long as we need that personal data. At the most, we will retain your personal data for 6 years post-employment or in agreement with your employer’s retention notice or statutory / legal requirements. This is in keeping with the ethical guidance (2018) given to us by our professional body, the Faculty of Occupational Medicine. In the case of pre-employment screening questionnaires, we will only retain these for one year if you have been unsuccessful in the pre-employment job process.
WHERE DO WE PROCESS YOUR PERSONAL DATA?
We do not process any of your personal data outside of the European Economic Area.
OHRD will seek your explicit consent to process your personal data with regards to the occupational health referral and process.
You have the right to withdraw your consent at any time. Please note that should you withdraw your consent, your employer or referring agent (e.g. insurance company, or other) may choose to act on the information they have to hand, and that may not always be in your interests. But is then decision between you and your employer or referring agent.
Also, please note, that failure to provide appropriate information to our clinicians may lead to those clinicians being unable to provide a medical opinion on fitness for work or appropriate adjustments.
WHAT ARE YOUR RIGHTS?
Right of access. The GDPR gives you the right to access copies of the personal data held about you. Your right of access can be exercised in accordance with the GDPR. The first copy of the personal data held about you will be provided free of charge, but any subsequent copy will be subject to a reasonable fee based on the administrative costs of providing copies of the personal data to you.
Right to request an electronic copy of your personal data. You have the right to be provided with a structured, commonly used and machine-readable copy and have the right, in certain circumstances, to ensure that we transmit that personal data to a recipient of your choice without hindrance (the right to data portability).
Right to correct. You have the right to ensure that we correct the records of any personal data held about you which are inaccurate. You also have the right to ensure that we complete any incomplete personal data held about you.
Right to erasure. You have the right to ensure that we erase your personal data (the right to be forgotten) where the data is no longer necessary, or consent is withdrawn or where OHRD does not have legitimate grounds for processing your data, or where were the data has been unlawfully processed. It is important to note there are several exceptions to right the ‘right to be forgotten’ e.g. where there is legal or in the public interest are examples of such.
Right to restriction. In certain circumstances, such as, where you have contested the accuracy of personal data, you have the right to restrict our processing of your personal data. That means that we will hold your personal data on file but that we cannot process that personal data. We will inform you if for any reason the restriction on processing your personal data is lifted.
Where any rectification or erasure of personal data or restriction of processing has taken place, we shall communicate any rectification to you or erasure or restriction of processing to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. We shall, if you request, inform you about those recipients.
Exercising your rights. If you wish to exercise any of your rights, or if at any point you believe the personal data we process is incorrect, you can request to see this personal data. If you would like a copy of your personal data, or if you wish to have that personal data transferred to another company or organisation, please contact us at: firstname.lastname@example.org
If you wish to raise a complaint on how we have handled your personal data, please contact our Data Protection Officer, Dr Tony McGread at email@example.com
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you have the right to discuss and if need be, lodge a complaint with the Information Commissioner’s Office (ICO) at https://ico.org.uk/