General Data Protection Regulation Statement NewcastleOHS

Page 1

Question 1.

Occupational Health Records Privacy Notice
This Privacy Notice explains what personal information we collect from you, how we store this personal information, how long we retain it and with whom and for which legal purpose we may share it.

The TRUST is registered with the Information Commissioner’s Office (ICO) to process personal and special categories of information under the Data Protection Act 2018 and our registration number can be obtained by contacting nuth.newcastle.ohs@nhs.net

The Occupational Health Service is one of the departments within the TRUST.

Privacy notices specifically for TRUST staff are available on staff intranet page. TRUST privacy notices for patient are available on the Trusts website
The TRUST takes your confidentiality and privacy rights very seriously. This notice explains how we collect, process, transfer and store your personal information and forms part of our accountability and transparency to you under current Data Protection Legislation.

We recognise the need to treat your personal and sensitive data in a fair and lawful manner. We will process your personal information fairly and lawfully by;

• Only using it if we have a lawful reason and when we do, we make sure you know how we intend to use it and tell you about your rights;
• Only collecting and using your information to provide you with your care and treatment and will not use it for anything else that is not considered by law to be for this purpose;
• Only using enough of your personal information that will be relevant and necessary for us to carry out various tasks within the delivery of your care;
• Keeping your information accurate and up to date when using it and if it is found to be wrong, we will make it right, where appropriate, as soon as we can;
• Only keeping your information in a way that it will identify you for as long as we are legally required to, whilst ensuring your rights;
• Having secure processes in place to keep your personal information safe when it is being used, shared, and when it is being stored.
Question 2.

What type of information do we collect about you?

Personal information about you will be provided by your employer as part of the referral process. Further personal information may be collected in undertaking management referrals, health surveillance, immunisations or providing physiotherapy and counselling services. Personal information may also be collected from healthcare professionals in certain circumstances e.g. from your GP or treating specialist.

In order to carry out our activities and obligations as an occupational health service providing occupational and preventative healthcare we collect and process your information including:

• Personal demographics (this may include gender, age, race, ethnicity, sexual orientation, religion and disability);
• Contact details such as names, addresses, telephone numbers and emergency contact(s);
• Health information which forms part of the occupational health clinical records including about a physical health or mental condition; immunisation records; health surveillance records; statutory medical surveillance records; health promotion activity;
• Information relating to health and safety, including risk assessments;
• Any other personal information that may be relevant for the provision of an occupational health service.

Question 3.

What is our purpose of processing your data?

To carry out our activities and obligations as an occupational health service providing occupational and preventative healthcare to patients, staff and external clients;

• To undertake occupational health assessments and advise on fitness to work.
• To advise on adjustments to accommodate a disability or health condition
• Referral to a third party, treatments and/or care e.g. physiotherapy treatment.
• Provide counselling care and support
• To check and review the quality of care. (This is called audit and clinical governance).
• Contact details such as names, addresses, telephone numbers to remind you about your appointments and send you relevant correspondence
• GP contacts in case of emergency
• Providing clearance for fitness to work/train
• Providing physiotherapy care
• Providing advice to management about on-going fitness to work or train and adjustments/aids to support working/training
• Providing relevant immunisation and prophylactic treatment following contact tracing
• Undertaking assessments for consideration of retirement on the grounds of ill health
• Undertaking Health Surveillance
• To help train and educate health professionals
• Information and databank administration to prepare anonymous reports to the commissioners of Occupational Health Services
• Review of care e.g. anonymous auditing or service improvement to ensure we provide the relevant high quality service
• Report and investigate complaints, claims and untoward incidents
• Report events to the appropriate authorities when we are required to do so by law e.g. for communicable disease, under RIDDOR
• Health promotion/preventative activities

Question 4.

What is our lawful basis for processing your data?

We rely on specific legal provisions under Article 6 and 9 of the GDPR to provide you with Occupational Health care, for the purposes described in this notice we will be lawfully using your information in accordance with:

Personal data under 6(1)(e) “Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Trust (Data Controller)” and occasionally 6(1)(d) “ when it is necessary to protect the vital interests of a person who is physically or legally incapable of giving consent

Sensitive personal data (Health Records) under 9(2)(h) – “Necessary for the reasons of preventative or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services” and occasionally 9(2)(c) “when it is necessary to protect the vital interests of a person who is physically or legally incapable of giving consent”

We hold and process your information in accordance with the Data Protection Act 2018 as amended by the GDPR 2016, as explained above. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.

We have a duty to:
• maintain full and accurate records of the care we provide to you
• keep records about you confidential and secure
• provide information in a format that is accessible to you
The Occupational Health Department does not require explicit consent of employees to process their personal data if the purpose falls within the legal basis detailed above. However, in line with General Medical Council and Faculty of Occupational Medicine Good Medical Practice guidelines, we will seek explicit consent wherever practicable.

For further information on this legislation please visit: http://www.legislation.gov.uk/

Question 5.

Who might we share your information with?

No confidential information held by Occupational Health will be disclosed without your explicit informed consent with the exception of:

• Where the disclosure is required by law (for example if ordered by a judge or a presiding officer of a court using a court order; to the HSE under the Health &Safety at Work etc Act 1974; for statutory requirement to notify certain infectious diseases; to the NHS Counter Fraud Service to detect and prosecute Fraud);
• Where the disclosure is in the public interest (for example where a worker’s health endangers others and the worker refuses to disclose information which would allow potential harm to be avoided).

Where disclosure of personal data is necessary for the above reasons, this will always be assessed on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place. Personal Information is only shared with those agencies and bodies who have a "need to know" or where you have consented to the disclosure of your personal data to such persons.

We may need to share your personal information with a other third parties, which may include, but is not limited to;
• Your employer
• GP or other healthcare professionals involved in your care
• Her Majesty’s Revenue and Customs (HMRC);
• Department for Work and Pensions (DWP);
• Disclosure and Barring Service (DBS);
• Home Office;
• Child Support Agency;
• Regulatory bodies, e.g. NMC, GMC;
• Law enforcement agencies including the Police and the Serious Organised Crime Agency;
• NHS Business Services Authority - National NHS Electronic Staff Record (ESR) system.

The Information used is highly restricted to key staff in the Occupational Health Department and required in the course of their work for legitimate reasons. The information is not processed, transmitted or stored outside of the UK and is not made available to others outside of the department unless there is a legitimate reason or consent has been provided.

Sharing for the Prevention and Detection of Crime and Fraud
We may use the information we hold about you to detect and prevent crime or fraud. We may also share this information with other bodies that inspect and manage public funds.
We will not routinely disclose any information about you without your express permission. However, there are circumstances where we must or can share information about you owing to a legal/statutory obligation.

Question 6.

How we maintain your information?

Your personal information is held in both paper and electronic forms for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archives Requirements.

We hold and process your information in accordance with the Data Protection Act 2018 as amended by the GDPR 2016, as explained above. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.

We have a duty to:
• maintain full and accurate records of the care we provide to you
• keep records about you confidential and secure
• provide information in a format that is accessible to you

Your Occupational Health data will be retained for a period of the person’s employment/University course plus six years or until his 75th birthday, whichever is the sooner.

What are your rights as an individual?

Data Protection law gives individuals rights in respect of the personal information that we hold about you and these apply in circumstances where the relevant conditions are met.

These rights are, the right:
1. To be informed why, where and how we use your information.
2. To ask for access to your information.
3. To ask for your information to be corrected if it is inaccurate or incomplete.
4. To ask for your information to be deleted or removed where there is no need for us to continue processing it.
5. To ask us to restrict the use of your information.
6. To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information.
7. To object to how your information is used.
8. To challenge any decisions made without human intervention (automated decision making)

For further information on your rights please visit the ICO website www.ico.org.uk or contact the Trust Data Protection Officer.

How can I access my information?

You can request access to the information that Occupation Health holds about you.

Your request, once agreed with you, will be completed within 30 calendar days. However, if your records are extensive we may take longer to process your request but will inform you from the outset, and in any case within 30 days.

To submit a formal written request, please contact:
nuth.newcastle.ohs@nhs.net


Data Protection Officer

The Trust’s Data Protection Officer (DPO) is responsible for ensuring that the Trust complies with the GDPR. The DPO is the person to contact if you would like to know more about how we use your information, if you require information in any accessible format or language, you wish to make a complaint or if (for any reason) you do not wish to have your information used in any of the ways described. The DPO contact details are:

Data Protection Officer
Information Governance Department

Making a Complaint

Should you wish to lodge a complaint about the use of your information, please contact our Occupational Health Department

nuth.newcastle.ohs@nhs.net

You have the right to lodge a complaint if you are not content with the outcome of your confidentiality and data protection complaint and/or concern raised with the Trust.

Post: The Information Commissioner’s Office,
Wycliffe House, Water Lane,
Wilmslow,
Cheshire,
SK9 5AF
Helpline: 0303 123 1113 (Local Rate) or +44 1625 545 745 (outside UK)
Online: www.ico.org.uk

Question 7.

If you are a member of the Newcastle Occupational Health Service please insert full name for CPD purposes only.