Workare Ltd is the "controller" of the personal data that you provide to us. We take the collection, storage and use of personal data very seriously. In this document you will find an explanation of why Workare Ltd collects personal data, how we process it and the steps we take to ensure data security at all stages.
What kind of information do we collect?
We collect the following pieces of personal information for those persons who come to us for medical assessments.
- Date of birth
- Name and contact details of your general practitioner
- National insurance number
- Medical/health information as part of the assessment
Who will it be collected from?
- The employer or employee
- Human Resources
- Other health professionals (e.g. GP, specialist, physio).
How will it be collected?
- Verbal (Either by telephone or face to face)
- Email
- Health Questionnaires
- Health Assessment/Health Surveillance
- Referral to occupational health.
We do not process any data without consent.
Why do we collect it and how do we use it?
- We collect it as part of a medical/health assessment process in order to identify an individual and ensure that the correct health information is associated with that individual.
- We collect and use it to record that an assessment has been done, for legal (HSE) purposes.
- We collect it in order to provide appropriate advice and support to you. Details you discuss with any occupational health staff will be written down and be available for any future reviews. The information collected will enable us to discuss reasonable and practicable adjustments and with your consent be part of the occupational health report or assessment.
- To safeguard and promote the welfare of employees.
- To ensure the health and safety of employees at work and to allow consideration of any adjustments that may be required to support their ability to work/study or attend placement.
- Carrying out of research and statistical analysis. All data and research information presented to anyone outside of the Company will be anonymous, in order to preserve confidentiality.
Following guidance from the Faculty of Occupational Medicine, health data is processed by us under Article 9(2)(h): "...processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems or services...". This also applies to our medical administrator.
What is the lawful basis for processing?
These purposes are supported under the following articles of the GDPR:
- "The controller shall be responsible for, and be able to demonstrate compliance with, the principles." (Article 5(2))
- "Personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals." (Article 5(1)(a))
- "...necessary for the performance of a task carried out in the public interest or in the exercise of official authority..." (Article 6(1)(e))
- "...necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..." (Article 9(2)(h))
Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.
Sharing your data
- Your data may be shared with other members of the clinical and admin staff for the purposes of training and administrative functions (issue of health record forms).
- Personal data is not shared with anyone outside the Company except as described in this notice.
- Results of Health Surveillance will be passed on to the employer under Regulation 11 of the COSHH Regulations 2002 and the associated ACOP (2013) for retention as required by the Health and Safety Executive (HSE).
How long will the information be held?
Any information will be held for as long as legally required, especially in the case of medical files.
- Information will be held for 6 years after leaving employment or until 75 years of age (whichever is sooner), as recommended by the British Medical Association and the Information Governance Alliance, unless there is a recognised clinical need or statutory requirement to retain it for longer; e.g. the Control of Substances Hazardous to Health Regulations and Health & Safety legislation require retention for 40 to 50 years for some health surveillance records.
Security of your information
Data protection legislation requires us to keep your information secure. This means that your confidentiality will be respected and all appropriate measures will be taken to prevent unauthorised access and disclosure. Only members of staff who need access to relevant parts, or all, of your information will be authorised to access it. Information about you in electronic form will be subject to password or other security restrictions, while paper files will be stored in secure areas with controlled access.
- The information is collected and kept either on paper or electronically.
- Paper information is kept securely in a locked filing cabinet in a locked room and retained for as long as is legally required.
- Electronic information is kept encrypted on a computer which is password protected.
- Only named persons have access to the paper or electronic files.
Some processing (destruction/shredding) may be undertaken on the Company's behalf by an organisation contracted for that purpose. These organisations are bound by an obligation to process personal data in accordance with data protection legislation.
Cookies & Google Analytics
A cookie is a piece of information that is stored on your computer's hard drive by your web browser. When you revisit, our web server will recognise the cookie, giving us information about your last visit. Use of a cookie is in no way linked to any personally identifiable information while on our site. Once you close the browser, the session cookie simply terminates. Most browsers accept cookies automatically, but you can usually alter the settings of your browser to prevent automatic acceptance. If you choose not to receive cookies, you may still use most of the features of our website.
In addition, our website also uses Google Analytics cookies to help us monitor site visits and visitor behaviour. All data gathered by this method is anonymous.
What are your rights?
You have the right to access your personal information, to object to the processing of your personal information, and to have it rectified, erased, restricted or ported. If you have any concerns about the use of data for these purposes, or would like a copy of the data we hold about you, requests or objections should be made in writing to the Company Data Protection Officer.
Workare Ltd Data Protection Officer
Waterton industrial estate
BRIDGEND CF31 3US
Under the GDPR, individuals have the right to withdraw consent at any time. If for any reason you wish to withdraw your consent, we ask that you submit this request in writing to the Data Protection Officer within the Company. You will be asked to complete a Request to Withdraw Consent form so we can ensure that you understand what is meant by withdrawing your consent and what will happen next.
If you have further questions about how we process your data, please feel free to get in touch with us via the Data Protection Officer at our Company address.
How to make a complaint
If you are unhappy with the way in which your personal information has been processed, you may in the first instance contact the Workare Data Protection Officer using the contact details given above.
If you remain dissatisfied, you have the right to apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, www.ico.org.uk
Processing may also be based on the legitimate interests of the employer, e.g. for the OH Practitioner to advise on fitness to work for the efficient and safe running of its business, to comply with its legal obligations under health and safety law and employment law (in particular the Equality Act 2010), or with respect to its legal duties for sick pay.
Under Article 9(3), such data may be processed for the purposes referred to in Article 9(2)(h) when processed by or under the responsibility of a professional subject to the obligation of professional secrecy under EU or Member State law or rules established by national competent bodies, e.g. by a regulated health professional. This incorporates the common law and General Medical Council (GMC)/Nursing and Midwifery Council (NMC) (Ref) duty of confidentiality into the GDPR.
The NMC Code: clause 5, privacy and confidentiality; clause 7, communicate clearly; clause 10, clear, accurate and relevant records; clause 14, be open and candid, including about mistakes; clause 16, act immediately if there is a risk to patient safety or public protection.