Go Health Services: GDPR Statement
What is the GDPR?
The General Data Protection Regulation (GDPR) has been in effect since May 2018 and replaces the previous legislation governing how personal data is secured and managed. A key requirement under GDPR is an individual’s right to be informed about the collection and use of their personal data.
GO Health Services is committed to protecting your confidentiality and respecting your privacy, and we take our obligations under data protection legislation seriously.
What data do we hold?
The Occupational Health Record holds personal and health information about you. This may include demographic details such as name, address, date of birth, ethnicity and gender. Medical information collected may include medical treatments including vaccinations, past medical history, health surveillance records, pre-employment screening, referral information, and specialist reports. We operate according to very strict internal guidelines, and always ensure that medical data is processed fairly, securely and lawfully.
Who do we collect data from?
Sources of data may include yourself, your clinical supervisor, Human Resources and your manager. We will seek your consent prior to requesting any data from your GP or any specialists involved in your care.
Why do we need the data?
We collect only the necessary and relevant personal and medical data to enable us to fulfil our obligations to you and NHS Grampian. This includes processing for the purposes of preventive or occupational medicine, assessment of working capacity, ensuring health and safety, allowing consideration of any workplace adjustments, and supporting your ability to work.
The data is also used to help NHS Grampian meet its legal obligations under the Health and Safety at Work Regulations.
Lawful Basis for processing the information
The main legal bases for Occupational Health processing your personal information are as follows:
Article 6 (1) (e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Article 9 (2) (b): processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment or social security or social protection.
Article 9 (2) (h): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems or services.
We hold and process your information in accordance with the Data Protection Act 2018 as amended by the GDPR, as explained above. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.
We have a duty to:
- maintain full and accurate records of the care we provide to you,
- keep records about you confidential and secure,
- provide information in a format that is accessible to you.
We do not require the explicit consent of employees to process their personal data if the purpose falls within the legal bases detailed above. However, in line with General Medical Council and Faculty of Occupational Medicine Good Medical Practice guidelines, we will seek consent wherever practicable. For further information on this legislation please visit http://www.legislation.gov.uk/
Where do we store your data?
Your medical records are stored in an electronic format on a highly secure database which can only be accessed with an authorised secure password by Occupational Health personnel. Some data may be collected as a hard copy which is then scanned into the system. All hard copy records are securely shredded and recycled by a reputable company, compliant with GDPR.
We keep minimal paper records, but any that we do keep are locked in secure filing systems within the Occupational Health Department.
The server is managed by an outside company, located within the UK, which has provided evidence of its GDPR compliance, and the server is backed up regularly to a secure database network.
Under the Health and Safety at Work Regulations, data must be stored for a certain period. For example, data concerning the Control of Substances Hazardous to Health Regulations 2002 (COSHH) must be kept for 40 years. Other clinical notes must be kept whilst you are employed by NHS Grampian and for 6 years after, or until your 75th birthday, whichever is sooner. These retention guidelines are in line with NHS Scotland’s Code of Practice.
Our professional code
Anything you tell us or share with us about your health is confidential. All Occupational Health Nurses and Advisers are bound by the terms of the Nursing and Midwifery Council’s Code of Conduct, and all Occupational Health Physicians are bound by similar guidance from the General Medical Council. Administration staff and Counselling staff are also aware of the strict guidelines relating to your information. What this means for you is that your health information remains confidential within the confines of Occupational Health.
Communicating with you
We may connect with you in person, by telephone (work, home or mobile), by post (to your home address), by email (via a secure email address if you have provided us with one) or via text message for appointment confirmations. If you would like to opt out of text message reminders then please contact us at gram.ohs@nhs.scot.
When contacting you via telephone, the number we are calling from may show up as blocked or restricted, in line with NHS Grampian policy.
Communicating with your manager or clinical supervisor
Should we need to communicate with your manager or clinical supervisor, we will do so with your consent. Occupational Health will not reveal medical details and will only communicate what impact, if any, your medical condition may have on your ability to carry out your job role and remit. To ensure transparency, you will also be offered a copy of the report.
We may disclose data if necessary under the conditions listed below; where disclosure is necessary, only the minimum relevant information will be released:
- we are legally obliged to do so;
- disclosure is made at your request or with your consent;
- in the event of a medical emergency;
- if necessary to prevent or control significant health and safety risks to yourself and/or others.
We will not share information about you with third parties without your consent unless the law allows us to.
Communicating with Occupational Health
All correspondence with Occupational Health which pertains to your health and wellbeing will be uploaded to your record. This will include communication from you, your manager or clinical supervisor and HR.
Audits and reporting
As part of our continuous improvement process, we carry out audits of the Occupational Health Records. The information taken is reported collectively; it is anonymised and no individual personal information is disclosed. If you have any concerns about this, please discuss them with us.
Your rights
You have the right to ask for a copy of the information we hold about you. The request should be made in writing to gram.ohs@nhs.scot and will be responded to within 30 days, free of charge. You can also request that an amendment is attached to your health record if you believe any of the information held by GO Health Services is inaccurate or misleading.
Additional Information
Additional information regarding your rights under GDPR is available at the following link:
Data Protection Notice
Concerns
If you have any questions or are concerned about how your personal data is collected or processed, please first raise your concerns with us directly on gram.ohs@nhs.scot.
The right to complain
NHS Grampian employs a Data Protection Officer to check that we handle personal information in a way that meets data protection law. If you are unhappy with the way in which we use your personal information, please tell our Data Protection Officer at gram.dpo@nhs.scot.
You also have the right to complain about how we use your personal information to the Information Commissioner’s Office (ICO). Details about this are on their website at www.ico.org.uk.