Occupational Health: Recommendations for GDPR Compliance
The new General Data Protection Regulation (GDPR) came into effect on the 25th May 2018.
GDPR requires the Trust to process:
- Sensitive personal data (Health Records) under 9(2)(h) – “Necessary for the reasons of preventative or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services” and occasionally 9(2)(c) – “when it is necessary to protect the vital interests of a person who is physically or legally incapable of giving consent”;
- Personal data under 6(1)(e) – “Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Trust (Data Controller)” and occasionally 6(1)(d) – “when it is necessary to protect the vital interests of a person who is physically or legally incapable of giving consent”.
What types of personal data do we process?
In order to carry out our activities and obligations as an occupational health service providing occupational and preventative healthcare we collect and process your information including:
- Personal demographics (this may include gender, age, race, ethnicity, sexual orientation, religion and disability);
- Contact details such as names, addresses, telephone numbers and emergency contact(s);
- Health information which forms part of the occupational health clinical records including about a physical health or mental condition; immunisation records; health surveillance records; statutory medical surveillance records; health promotion activity;
- Information relating to health and safety, including risk assessments;
- Any other personal information that may be relevant for the provision of an occupational health service.
What is the purpose of processing data?
To carry out our activities and obligations as an occupational health service providing occupational and preventative healthcare to staff and external clients. We may use a variety of means, including questionnaires, forms, direct questioning and requests from third parties. Information may be collected by telephone, face-to-face, paper or electronic means.
Sharing your information
No confidential information held by the Occupational Health Department will be disclosed without your explicit informed consent with the exception of:
- Where the disclosure is required by law (for example if ordered by a judge or a presiding officer of a court using a court order; to the HSE under the Health & Safety at Work etc. Act 1974; for a statutory requirement to notify certain infectious diseases; to the NHS Counter Fraud Service to detect and prosecute fraud);
- Where the disclosure is in the public interest (for example where a worker’s health endangers others and the worker refuses to disclose information which would allow potential harm to be avoided).
Where disclosure of personal data is necessary for the above reasons, this will always be assessed on a case-by-case basis, using the minimum information necessary for the specific purpose and circumstances and with the appropriate security controls in place.
Prevention and Detection of Crime and Fraud
We may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds. We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation.
Retention of Records
Occupational health records will be kept until your 75th birthday or 6 years after you leave the organisation, whichever is sooner, unless they include health surveillance when records will be retained 50 years after the date of last entry or until 75th birthday, whichever is longer.