Data Privacy Statement
Prohms Occupational Health Services
Data Controller: Prohms Limited
Data Protection Officer: Sandra Babbings
ICO registration number: ZA023185
To run our business competently it is necessary for us to collect special category personal data relating to individuals; only relevant and necessary data is ever collected. Any special category personal data collected is lawfully processed by Prohms under Article 6 (1) (f) of the General Data Protection Regulations (GDPR) (2018) which states: ‘Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests’. Processing of special categories of personal data, such as that relating to health, comes under Article 9 (2) (h) which states: ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3’.
In simple terms this means that we collect the necessary and relevant special category personal data regarding an individual to enable us to fulfil our contractual obligation to our customers by offering an opinion on, for example, a person’s suitability for work, and to help the customer meet their legal obligations under Health and Safety at Work Regulations. Medical or other personal information is not released and only an opinion on your fitness for work is given to the employer. However, we will disclose data if necessary under the conditions listed below; where disclosure is necessary, only minimum and relevant information will be released:
- We are legally obliged to do so
- Disclosure is made at your request or with your consent
- In the event of a medical emergency
- If necessary to prevent/control significant health and safety risks to yourself and/or others
Your data may be shared with other health professionals working for or on behalf of Prohms, for example occupational health physicians. All parties are bound by Prohms Data Protection Policy and Confidentiality Policy as well as those of their own professional body. If you have any concerns or want information on this, please check the NMC (www.nmc.org.uk) or GMC (www.gmc-uk.org) websites.
Any report regarding an individual compiled by a health professional in regard to a referral into our services will, in the first instance, be sent to the person whom the report concerns for their consent to send it to their employer. ANY report sent by Prohms concerning an individual(s) will be sent to a named person in a secure non-editable format and will be password protected.
Access to occupational health records
If at any time you wish to receive a copy of your occupational health records you have the right to do so by submitting a Subject Access Request (SAR) to the Data Protection Officer (named above). In the first instance we are obliged to give you a copy of the records we hold within a month and without charge; however, subsequent or repeated requests may incur an administration fee.
All personal data is collected as either hard copy which is then scanned or electronic data; all data is stored securely on our server. All hard copy records are securely shredded and recycled by a reputable company, compliant with GDPR. Only those employed by Prohms who have been authorised by the Data Protection Officer and issued with a password may access this data. The server is managed by an outside company who have provided evidence of their GDPR compliance and the server is backed up daily to a secure network. In the unlikely event of a data breach you will be made aware as soon as possible and it will be reported to the relevant bodies within the appropriate timescale.
Right to erasure
Under the GDPR you have the right to request the erasure of your personal data. Prohms will comply with this request; however, please be aware that legally, under Health and Safety at Work Regulations, certain data MUST be stored for a set period of time. For example, data concerning noise, COSHH, HAVS, etc. MUST be kept for 40 years. Other clinical notes MUST be kept whilst you are employed by the client company and for 6 years thereafter or from your 75th birthday, whichever is sooner.
Training and Marketing
All our training courses are run around statutory requirements in the workplace. The only data we keep is used with the companies’/individuals’ consent. It is used to remind them of their legal requirements, when their training requires renewal and/or updating and of any forthcoming training which may be applicable to them. No information is passed on to third parties.
Our full Data Protection Policy is available for you to read on our website.
This is a working document
This is a live, working document. Please check back for regular updates.