During the course of our activities, Acorn Occupational Health Ltd will collect, store and process personal information about the employees of our customers. We collect this information for the purpose of:
- Assessing health at the start of employment.
- Preventing ill health due to working activities or work patterns.
- Assessment of health during or following a period of absence due to ill health or an injury.
- Assessing a health problem that may arise from, or be exacerbated by factors within the workplace.
Law Governing Data Collection
The law governing the collection of sensitive data is covered by the General Data Protection Regulation (GDPR) 2018. Specifically, for the purpose of Acorn Occupational Health Ltd collecting data:
Lawfulness of Processing data is covered by Article 6.1.f:
‘Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child’.
Processing of Special Categories of personal Data is covered by Articles 9.2.h:
‘Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3’.
Occupational Health Reports
An occupational health report is normally written following a referral from a manager or Human Resources. This type of referral is called a management referral. The report will be written with your consent. In accordance with the Access to Medical Records Act 1988, you have a right to view a report, request amendments and veto the release of the report. The report will enable the Occupational Health professional to communicate to your employer the effect that your health will have on your work role, the effect that work will have on your health, the resulting capability, any reasonable adjustments or restrictions which may be applicable to supporting you in work.
On occasions, and with your consent, a report may be written to the organisation following self-referral, if it is felt that this would be helpful in managing your health issue. This can only be written and released to your organisation with your prior consent. In accordance with the Access to Medical Records Act 1988, you have a right to view a report, request amendments and veto the release of the report.
A report following health surveillance will include a general statement about fitness for work and any recommendations relevant to the health surveillance and the date that a review is advised. You can request to know what is being written and you can obtain a copy from your manager.
Health promotion reports such as well-being/person medicals include your name and date of attendance only.
The need for further medical advice
Occasionally we may need to obtain specific medical information from your doctor or other specialist. If this is required, we would explain the need for the information to you in more detail and seek your written consent. This medical information is provided to us in strict confidence and is not divulged to anyone at work without your specific consent. We use this information to clarify your medical history and to ensure that we give the best possible advice to your manager /HR.
Whilst we work in partnership with your manager/HR to provide our services, Occupational Health records that we maintain during your employment are confidential and only Occupational Health staff have access to them. You are able to see these records at any time if you apply to do so in writing.
We provide confidential advice to your manager and HR about your wellbeing at work. We give advice and support to you and your manager/HR to ensure that your health and safety does not suffer whilst you are at work.
The information we give to your manager/HR relates to your fitness for work. This is usually in respect of any restrictions or modifications to the type of work you are able to do. For example, if a person has epilepsy, their employer might receive a report recommending that the person should not work unsupervised. This need not necessarily disclose epilepsy.
There are exceptional circumstances when we are bound by law or professional conduct to report a medical condition. Fortunately, this kind of situation is rare, but we would counsel anyone carefully if this action was necessary.
Storage and Retention of Information
The personal information obtained by Acorn Occupational Health is securely stored. The personal information will be kept for no longer than is necessary. However, the General Data Protection Regulation (GDPR) 2018 allows for some records to be stored indefinitely as archives for research purposes or if relevant conditions are adhered to by law such as COSHH, the Health Records will need to be stored for 40 years following the last entry. The length of storage depends on the type of medical information enclosed.
Unwanted documents will be disposed of securely as confidential waste, by shredding, pulping, incinerating, deleting or overwriting. This will be documented and a destruction certificate obtained.
Acorn’s Retention of Data Policy
Acorn will agree with the customer (employer) a time frame for destruction. This is usually for the duration of employment plus 6 years following employment or 75 years of age.
Specific conditions are as follows:
Ionising Radiation Records – 50 years
Health Surveillance Records (COSHH, Noise, Vibration, Lead) – 40 years
Health Screening (Fit for Task Medicals) – 2 years if Acorn store the records and no longer provide a service for the client
Vaccination consents – 1 year
Post job offer forms – Can be destroyed if the potential employee never starts with the company through their own choice, 3 years if the employee was turned down due to a medical reason.
Management Referral – 2 years if Acorn store the records and no longer provide a service for the client.
However, it is advised that records of significant episodes, exposures or accidents should be preserved beyond the above time periods.
A request to delete personal information will be considered and actioned. However, the request to delete information may be declined if the personal information is governed by legislation or other exceptional circumstance.
How to access your personal data
General Data Protection Regulation (GDPR) 2018 gives you the right to access the information which Acorn Occupational Health holds about you and why. Requests must be made in writing and you will need to provide:
- Adequate information [for example full name, address, date of birth, staff number, etc.] so that your identity can be verified and your personal data located.
- An indication of what information you are requesting to enable us to locate this in an efficient manner.
You should send your request to Acorn Occupational Health Ltd, Dane Mill Business Centre, Broadhurst Lane, Congleton, Cheshire, CW12 1LA or email: firstname.lastname@example.org.
Acorn will comply with requests for data access for personal data as quickly as possible. We will ensure that we deal with requests within 30 days of receipt. Where requests are complex or numerous we will write to inform you with an explain as to why an extension is necessary.