Data controller: Sandra Babbings

ICO registration number: ZA023185

To run our business competently it is necessary to collect personal data relating to individuals; only relevant and necessary data will be collected. Any personal data collected is processed by Prohms under Article 6 (f) of the General Data Protection Regulations (GDPR), which states: ‘Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests’. Processing of special categories of personal data, such as that relating to health, comes under Article 9 (2) (h), which states ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3’.

In simple terms, this means that we collect the necessary and relevant personal data regarding an individual to enable us to fulfil our obligation to our customers by offering an opinion on, for example, a person’s suitability for work, and to help the customer meet their legal obligations under Health and Safety at Work Regulations. Medical or other personal information is not released; only an opinion on your fitness for work is given to the employer. However, we will disclose data if necessary under the conditions listed below; where disclosure is necessary, only the minimum relevant information will be released:

  • We are legally obliged to do so
  • Disclosure is made at your request or with your consent
  • In the event of a medical emergency
  • If necessary to prevent/control significant health and safety risks to yourself and/or others

Your data may be shared with other health professionals within Prohms or third-party providers working on behalf of Prohms, for example occupational health physicians who work on a self-employed basis for Prohms in a health capacity. All self-employed parties are bound by Prohms’ confidentiality policy as well as those of their own professional body. If you have any concerns or want information on this, please check the NMC (www.nmc.org.uk) or GMC (www.gmc-uk.org) websites.

If at any time you wish to receive a copy of your occupational health records, you have the right to do so by submitting a Subject Access Request (SAR). In the first instance we are obliged to give you a copy of the records we hold within a month and without charge; however, subsequent or repeated requests may incur an administration fee.

Any report regarding an individual compiled by a health professional in respect of a referral into our services will, in the first instance, be sent to the person who the report concerns for their consent to send it to their employer. ANY report sent by Prohms concerning an individual(s) will be sent to a named person in a secure, non-editable format and will be password protected.

Data storage

All personal data is collected either as hard copy, which is then scanned, or as electronic data; all data is stored securely on our server. All hard copy records are securely shredded and recycled by a reputable company, compliant with GDPR. Only those employed by Prohms who have been authorised by the Data Controller and issued with a password may access this data. The server is managed by an outside company who have provided evidence of their GDPR compliance, and the server is backed up daily to a secure network. In the unlikely event of a data breach, you will be made aware as soon as possible and it will be reported to the relevant bodies.

Under Health and Safety at Work Regulations, data must be stored for a certain period. For example, data concerning noise, COSHH, HAVS, etc. must be kept for 40 years. Other clinical notes must be kept whilst you are employed by the client company and for 6 years after, or until your 75th birthday, whichever is sooner.

Training and Marketing

All our training courses are run around statutory requirements in the workplace. The only data we keep is used to remind individuals of their legal requirements. No information is passed on to third parties.