The Health and Work Consultancy Ltd, as part of our “trusted” company value is committed to protecting the information you provide us with the utmost privacy: exactly how we would like our information to be treated ourselves.

We are also committed to complying with all data protection legislation relevant to our practice including The General Data Protection Regulations 2018 (GDPR) and The General Medical Council and The Nursing and Midwifery Council codes of confidentiality.

This privacy notice tells you what to expect from us we process the personal or sensitive data we collect about you should you be referred to, or access our occupational health services.

This notice is layered to allow you to easily select the reason we process your personal data and see what we do with it.

Controller's contact details

The Health and Work Consultancy Ltd has its registered office at Cardiff Medicentre, Heath Park, Cardiff, CF14 4UJ.

As a provider of occupational health services we can act as both the data controller (we decide how your personal data is processed and for what purpose) and the data processor (we process on behalf and on the instruction of the data controller).

There are many ways to contact us, including by phone, email and post.

Our postal address is:
The Health and Work Consultancy Ltd
Cardiff Medicentre
Heath Park
Cardiff
CF14 4UJ

Our telephone number is: 02920 682028

Data Protection officer's contact details

Our data protection officer is Sarah Jane Mogford. You can contact her at dpo@the-hwc.com or via our registered office address. Please mark the envelope "Data Protection Officer".

Why we need your personal and sensitive information?

The Health and Work Consultancy carries out a range of occupational health services. Occupational health is a branch of nursing and medicine what focuses on the physical and mental well-being of employees in the workplace. The information we receive is provided to us for one of the following reasons:

The aim of occupational health is to prevent work-related illness and injury by:

  • Encouraging safe working practices;
  • Ergonomics (fitting the task to the human not the human to the task);
  • Monitoring the health of the individual and that of the overall workforce;
  • Supporting the management of sickness absence.

We may also:

  • Work with your employer to implement policies and ensure health and safety compliance
  • Conduct new starter health assessments
  • Provide advice on fitness to work for safety critical tasks (for example, for work in confined spaces or at height)
  • Support health promotion and education programmes;
  • Provide advice and counselling to employees around non-health related problems;
  • Provide advice on reasonable adjustments to accommodate disabilities in the workplace a requirement of Equality legislation.
  • Provide advice to your pension provider about whether you meet the medical criteria in your scheme.
  • Provide your employer with anonymous statistics, regular quality audits based upon anonymised criteria.

What data will be collected?

Types of data The Health and Work Consultancy Ltd commonly collects, holds and stores includes:

  • Personal information (e.g. Name, salutation, address, date of birth, email address, phone numbers)
  • National insurance number (required under Health and safety legislation)
  • Special category data including personal characteristics (e.g. gender, ethnicity, - for health surveillance testing purposes)
  • Special category medical or health information including whether or not you have a disability
  • Current and previous job titles, job descriptions, hours of work and other terms and conditions relating to your employment
  • Documents provided to us by your employer (e.g. fit notes, sickness absence leave records and any other documents relevant to the occupational health service requested by your employer)
  • Special category data including occupational health records and health surveillance records
  • Relevant medical reports from other primary healthcare professional’s e.g General Practitioners and treating specialists.

Personal information

Personal information means information from which a person can be identified. Identification can take place using that that is collected or in conjunction with any other data in the data controller`s possession or likely to come into the data controller`s possession. The processing of personal data is governed by the Data Protection Act 1998 and after the 25th May 2018 will be governed by the General Data Protection Regulation 2018 (EU) 2016/679 (the “GDPR”)
Examples of personal data includes, Names, addresses, dates of birth, National Insurance numbers.
Sensitive (or special category data)

When personal data of an individual relates to any of the following we must process the data in accordance to more stringent guidelines as it is considered “Special Category data”.

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • data concerning health;
  • data concerning sex life or sexual orientation;
  • genetic data; or
  • biometric data where processed to uniquely identify the data subject.

We may use your special category data to provide occupational health advice to your employer.

We do not need your consent if we use special categories of personal data in order to carry out our legal obligations or exercise specific rights under employment law. However, we will ask for your consent to allow us to process certain particularly sensitive data (to include health data) under recommendations made by our professional bodies; The General Medical Council and the Nursing and Midwifery Council.

If this occurs, you will be made fully aware of the reasons for the processing. As with all cases of seeking consent from you, you will have full control over your decision to give or withhold consent and there will be no consequences where consent is withheld. Consent, once given, may be withdrawn at any time. There will be no consequences where consent is withdrawn.

How will the data be stored?

We may hold your data either in a physical format (paper records) or via electronic records (on our bespoke client record database). Our bespoke employee record database (CAS – Client administration System)  is downloaded onto each individual computer that uses the system in order to prevent interception hacking via the open internet. 

The appropriate security measures and data protection policies are in place to safely store your data. We ensure that your data is protected further with Firewalls and the latest versions of anti-virus protection which are regularly tested. Saved data (entered onto CAS) is encrypted the moment your information is saved by the system and is regularly backed up within securely encrypted Microsoft cloud servers based within the United Kingdom.

Who will have access to the data?

Employees of Health and Work Consultancy (administrators, nurses and technicians) will receive your data in the first incidence to allocate the most applicable clinician to the service provided. However, for the purposes of IT hosting and maintenance this information is stored on securely encrypted servers within the European Union.

Your data will be treated as strictly confidential and will only be shared with data processors who are associates or third party network clinicians or providers of further health related services such as counselling, physiotherapy, laboratories or additional occupational medical advice. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

In certain circumstances, we will be legally obliged to share your information with third parties if you provide us with your consent. We are legally obliged to share information with court order if the required to do so by law, or if there is a substantial public interest for use to do so (such as danger to the wider public), or the disclosure of this information is of overall benefit to you when we believe that you lack the capacity to consent.

We have a Data Protection regime in place to oversee the effective and secure processing of your personal and /or sensitive data.

We may also share data with finance personnel involved in the administration of invoicing your employer.

We will absolutely not share your information with any third parties for the purposes of direct marketing.

How do we obtain your personal data?

Your personal data will be collected from:

  • Your company representatives
    • Human Resources personnel,
    • line managers
    • Safety representatives
  • Administrative support staff to book appointments (are not allowed access to special category health information)
  • You (the data subject or employee)
  • Other Occupational Health Practitioners
    • occupational health physicians,
    • nurses
    • technicians
    • Physiotherapists
    • Counsellors
  • Primary healthcare personnel
    • General Practitioners
    • Treating hospital specialists
    • Physiotherapists

How do we receive the information or data?

As an occupational health provider, we are commonly asked to process sensitive or special category data in order to provide occupational health advice to your employer. Information is received from the following sources:

  • Electronic forms via our securely encrypted website.
  • Email
  • Post
  • Verbally (face to face and telephone)
  • Completed health questionnaires
  • Occupational health assessments and / or consultations

How long will the data be stored?

The Health and Work Consultancy will retain your personal data, your occupational health file, only for as long as we need that personal data for the purposes of the processing.

In some cases we will keep your data for a period after your employment has ended and our retention periods can vary depending upon statutory requirements and the reason for data collection. For example:

  • Management referral information will be held for 6 years + 1 year after the employee has left their job or 75 years of age (whichever is soonest) as recommended by the British Medical Association (BMA)
  • New Starter medicals will be discarded after 2 years if the employee does not take up the offer of the job, but is discarded 6 years + 1 year after the employee has left their job, or 75 years of age (whichever is sooner)
  • Health Surveillance Records will be retained depending upon specific guidance from the Health and Safety Executive. Usually retention for "Health records" is set as 40 years or until that person is 75 years old (whichever is soonest), as required by the Health and Safety Executive (HSE)
  • Drug and Alcohol screening information will be held for 6 years + 1 year after the employee employment or 75 years of age (whichever is soonest) in defence of legal claims.
  • Vaccination records will be kept for 6 years + 1 year after the employee has left employment of 75 years of age (whichever is soonest) as recommended by the British Medical Association (BMA)
  • Wellbeing screening information and records other than non-individualised generic data will be destroyed immediately.

In order to maintain accurate retention records, we have written into our terms and conditions that your employer to provide us with regular updates on changes to the staffing lists and provision of time within the contract to remove leavers records from our systems and filing cabinets.

Your data protection rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend upon our reason for processing your information.

Your right of access

You have the right to ask us for copies of the personal information we hold on you. There are some exemptions, which means you may not always receive all the information we process.
Should you wish to see the personal information we hold on you, please contact us in writing detailing the information you wish to see. Getting a copy of this information we hold on you is free of charge. However, in circumstances of repeated requests or requests for subsequent copies of the information a further fee will be incurred based on the administrative costs of providing this to you.

Your right to correct (rectification)

We want to make sure that the information we hold about you is correct and up to date. If you believe the information we hold on you is incorrect, you can request to see this information.

Please let us know if your details change. You also have the right to ensure that we hold any incomplete or factually inaccurate information we hold about you by requesting that an amendment is attached to your occupational health record.

Your right to erasure

You have the right to ask us to restrict the processing of your information in certain circumstances. However, if the processing is necessary for the purposes:

“to protect the establishment, exercise or defence of legal claims” Article 9(2)(f)

“for the establishment of substantial public interest” Article 9(2)(g)

 “of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services” Article 9(2)(h)

You will not have the “right or erasure” in accordance with the quoted exemptions under GDPR.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances. For example, if you believe the information we hold is incorrect, we will stop processing it (whilst still holding it) until we have ensured it is corrected.

Your right to object to processing

You have the right to object to processing information about you for certain purposes at any time by contacting us using the details above.

Your right to data portability

Where you provide personal data you have the right to be provided with a structured, commonly used and machine-readable copy and have the right, in certain circumstances, to ensure that we transmit that personal data to another person your nominate (the right to data portability).

You are not required to pay any charge for your exercising your rights for the first time. We have one month to respond to you. Please contact us if you wish to make a request, or contact us on our helpline on 02920 682028.

For your information we have obligations and professional responsibilities in relation to clinical confidentiality as per our professional bodies, The General Medical Council and the Nursing and Midwifery Council.

Your right to complain

We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact Sarah Jane Mogford at dpo@the-hwc.com and we will respond.

If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). https://ico.org.uk/

Changes to this Privacy Notice

We keep our privacy notice under regular review to make sure it is up to date and accurate.

Managing Customer Contact

Restricted contact

We may impose a restriction on your access to our services if it’s necessary to protect our staff from unacceptable behaviour as defined in our ‘Violence and Aggression Policy`.

The legal basis we rely on to process your personal data is article 6(1)(f) of the General Data Protection Regulation (GDPR), which allows us to process personal data for the purposes of the legitimate interests pursued by the controller or by a third party or article 6(1)(b) of the General Data Protection Regulation (GDPR), which allows us to process personal data for the purposes necessary for contract performance to which the data subject may be party.

If the information you provide us in relation to your single point of contact contains special category data, such as health, religious or ethnic information the legal basis we rely on to process it is article 9(2)(h) of the GDPR, which allows us to process the personal data for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems or services. We will also be restricted with regards to the information offered.

If we do this, we’ll explain to you the restriction we have applied and why we feel it’s necessary. We’ll create a record of the restriction for administration purposes, so relevant staff members know the restriction is in place. This will include your name, contact details and a description of why we have imposed a restriction.

The decision to impose a restriction will be taken, and reviewed, by a manager. We’ll write to you explaining why we’ve applied the restriction. We’ll review the restriction periodically. We’ll remove it if we feel your behaviour has changed or if you no longer communicate with us.

Visitors to our website

Analytics

When you visit www.ico.org.uk, we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out such things as the number of visitors to the various parts of the site. This information is only processed in a way that does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.

If we do collect personal data through our website, we will be up-front about this. We will make it clear when we collect personal information and we will explain what we intend to do with it.

Cookies

You can read more about how we use cookies on our Cookies page. We use a cookies tool on our website which relies on users to accept cookies the standard of consent required by GDPR.

We will ensure any necessary cookies for functionality and security are marked so that they are not deleted by the tool.

Security and performance

We use a third-party Secure Socket Layer (SSL) encryption from GoDaddy.com to help maintain the security and performance of our website.

Purpose and legal basis for processing

The purpose for implementing all of the above is to maintain and monitor the performance of our website and to constantly look to improve the site and the services it offers to our users. The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests.

What are your rights?

As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

Visitors to our Registered Office

We meet visitors at our head office, including:

Employees from contracted companies;

External training providers;

job applicants;

suppliers and tradespeople;

stakeholders; and

If your visit is planned, we will notify send your name and visit information to reception before your visit – so that they can allow you to access the Medicentre car park.

If you arrive without an appointment, you will not be allowed to park within the Medicentre car park which will incur car parking costs should you park on the Heath Park Campus.

We ask all visitors to sign in and out at reception.

Closed-circuit television (CCTV) operates outside the building for security purposes and is not operated by us. The information is viewed by us on a live feed and it is recorded by our landlord: Cardiff Medicentre for security recall and fire regulation purposes. The recordings are stored securely for seven years on Cardiff Medicentre servers as we are not the data controller we ask that you contacting them (http://www.cardiffmedicentre.co.uk/contact_us) directly should you wish to access this data.

We have Wi-Fi on site for the use of visitors. We’ll provide you with the address and password.

We record the device address and will automatically allocate you an IP address whilst on site. We also log traffic information in the form of sites visited, duration and date sent/received.

We don’t ask you to agree to terms, just to the fact that we have no responsibility or control over your use of the internet while you are on site, and we don’t ask you to provide any of your information to get this service.

The purpose for processing this information is to provide you with access to the internet whilst visiting our site. The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests.