Privacy Statement Document No. BM.01.001: Effective Jan 2020
How do we manage and use your Personal Data? Prism OH Ltd are an Occupational Health provider and we are responsible for safeguarding the privacy of your information. We comply fully with the General Data Protection Regulation (GDPR) for information within our control.
This Privacy Statement provides information about the type of data we collect and how it is managed. Having read this document, if you have any further questions, you can speak with a member of the Prism OH Ltd clinical staff or contact our Data Protection Officer.
Data Controller: Prism OH Ltd, Cross Styles, Ivetsey Road, Wheaton Aston, Staffordshire, ST19 9QW. Companies House No.: 09654792
Data Protection Officer: Allison Rose; Managing Director
What data do we process?
For us to provide Occupational Health services to patients, personal and often sensitive medical information needs to be obtained.
Information we receive from your employer: To begin the process of offering an appointment for patients, the employer will need to provide details about you and the basis of the referral. This will usually include your name, date of birth, address, telephone number, job details and a description of the problem and any issues they would like advice on. This can include sensitive information that the employer is in possession of such as reasons for sickness absence or medical treatments being taken. We recommend that the employer discuss your referral and the information to be provided with you before it is sent to us.
Information obtained during your consultation: All our consultations are with an OHA or OHP, who all have well-established professional obligations to maintain confidentiality. Without this, we would not be able to provide effective care to our patients. Your consent to us collecting personal, sensitive information and to proceed with a consultation is necessary before we can perform a consultation with you. It would not be possible for us to provide an Occupational Health assessment without keeping a clinical record as this is a professional requirement for registered practitioners. Consent for us to process personal sensitive medical information is not consent for us to write to anyone else, including your employer – see section below. During an OH consultation, the clinician will ask about health issues and your work and you will see them writing a clinical record. This is a confidential file and is not accessible by your employer. You can of course see any information we keep about you at any time upon request.
Information we may send to your employer: Your consent is required before we would send personal information to your employer, such as an outcome report from your consultation. The clinician will discuss with you the information they would like to send to the employer. You can have a copy of this information. Usually this information is in the form of a report written during your consultation. Sometimes the report cannot be done at that time, in which case it will be sent to you for review first. Sometimes employers may need guidance or clarification on the report. The clinician will consider if there is a need to notify you before sending such additional information. If the supplementary advice given does not contain more sensitive personal information than the original report and does not alter the opinion of the original report, then additional consent is not usually requested. However, if there is a material change to the report and the associated information and advice, you will be contacted, or a further consultation will be requested. The receiving employer is expected to maintain appropriate data security for the Occupational Health reports and advice we provide to them and this is covered by our Data Sharing Agreement.
Data Sharing Agreement: Your confidential Occupational Health record is not accessible by your employer and is never shared. It is a requirement for employers making referrals to Prism OH Ltd to agree to our Data Sharing Agreement. This outlines the responsibilities of the referring employer and Integral OH for managing your personal information. It covers data security and confidentiality responsibilities. It also ensures you are aware of what information is being sent to us by your employer and that suitable controls are in place once the employer receives your OH report.
Legal Basis for processing information: We process personal sensitive information in accordance with the General Data Protection Regulation (GDPR) on the lawful basis of Consent and for the purpose of Occupational Medicine.
Categories of personal data: We process personal information such as name, address and date of birth. We also collect occupational information and medical information including symptoms, history and treatments you may be undergoing. This medical information is regarded as Special Category Data.
Recipients of personal data: Your information which we receive from an employer is only accessed by our own administration team and staff doctors and nurses. All staff have contractual confidentiality agreements and our processes are designed to maintain confidentiality. Our OH output reports are sent securely to the named recipient, usually a Human Resources officer or Manager. You will know who the report is going to at the point that we request consent for dispatch.
Third Country Processing: Your data is not transferred to other countries.
Retention periods for your data: Most OH records that involve OH consultation will be kept for 10 years from the date of the last entry. This is a generally accepted timescale. Health Surveillance records (such as hearing and breathing tests) should be kept for 40 years. This is because sometimes industrial diseases can develop later in life so such records should be retained. This is a recommendation from the Health & Safety Executive. Most of the records we hold are not Health Surveillance records. Pre-employment health questionnaires will be retained for 3 years.
Rights of Individuals: The GDPR has strengthened the rights of individuals regarding data about them. These rights are outlined below:
Right to be informed: This Privacy Notice is one of the ways we make sure you are informed about the sensitive personal information we collect.
Right of access: You have the right of access to personal data we hold about you. If you would like access, please contact the Data Controller (details above). We will ascertain your identity and then forward you the requested data as soon as possible. We do not normally make any charges for providing this information.
Right to rectification: If you feel that information we hold is inaccurate or incomplete, please contact the Data Controller (details above). We will review the area you would like rectified and if this is appropriate, we will make the change. If we do not agree to the change, you have the right to complain to the Information Commissioner.
Right to erasure: If you would like us to consider erasing the personal information we hold about you, please contact the Data Controller. Your request will be passed to the Data Protection Officer who will want to discuss this with you. Sometimes Occupational Health records form important medicolegal documents for the exercise or defence of legal claims, such as with Health Surveillance records where such assessment is a statutory requirement. In such cases, we may not be able to agree to the erasure of your personal information.
Right to restrict processing: Once your personal information has been obtained, you have the right to restrict further processing. This means there will be no more activity involving your data other than it being still held by us. This might arise if you did not wish to have any further OH involvement as we require consent to provide OH advice.
Portability of information upon change of OH Provider: If there is to be a change of Occupational Health provider by your employer, the existing OH provider would seek evidence of consent for the transfer of your OH records to the new provider. We would also need to be satisfied that the new OH provider had reasonable arrangements in place for the safe storage of that data before we would transfer it. If you did not want your information to be transferred to another OH provider, you should state this if a notification of change of provider occurs within your organisation.
What if you are not happy with how we are processing your information? If you are not happy with any aspect of our information management, please consider contacting the Information Protection Officer for our Organisation and we will manage this as a complaint. You also have the right to complain to the Information Commissioner’s Office (ICO).
Contractual Requirements: It is not possible for doctors and nurses to provide Occupational Health services without personal sensitive information being processed by us. It is a contractual requirement between Prism OH Ltd and any referring party, such as your employer, that without the consent of individuals, we cannot provide OH advice for individual cases. Clinicians need to be satisfied that the individual consents to our process of OH assessment and advice, including the processing of sensitive personal information, and without such consent, we cannot provide the clinical service. The consequence of not providing consent for the processing of personal sensitive data is that the individual and the employer will not have access to our Occupational Health advice. This in turn may mean health risks are not minimised and harm could arise to both parties.
If you have any further questions, we would be pleased to help. Contact us on 07504954590 or speak to your OH Professional. You can also ask to speak to the Data Protection Officer.