Protecting your Data re: The General Data Protection Regulations (GDPR) 2018 reviewed
The General Data Protection Regulation (GDPR) is an update of the data protection legislative framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). It came into force on 25th May 2018. Since Britain left the EU the Regulations are now titled UK GDPR, which came into force on 1 January 2021. It requires that technical and organisational measures are taken against unauthorised or unlawful processing of Personal Data and against accidental loss, destruction of, or damage to, Personal Data.
Harlow Occupational Health Service Ltd (HOHS), as a medical service, processes personal information to enable us to provide Health Services to patients, to maintain our accounts and records, to promote our services and to support and manage our employees. HOHS is committed to protecting the rights and freedoms of data subjects and to processing Data safely and securely in accordance with all of our legal obligations.
HOHS is registered with the Information Commissioner's Office (ICO) as a Data Controller and our registration will continue as a Data Controller under UK GDPR. We determine the purposes of processing Personal Data and Sensitive Personal Data, which UK GDPR now refers to as Special Categories of Personal Data.
As a Data Controller in our own right we have obligations and professional responsibilities in relation to clinical confidentiality, which are determined by law. In certain situations, HOHS will enter into Joint Controller arrangements with client companies, where a transparent arrangement between both Joint Controllers will need to be reviewed and/or agreed under UK GDPR. HOHS will also review arrangements with the Processors we use to enable us to provide our services, e.g. laboratories. These Processors will be detailed in specific contracts.
Identification and contact information of the HOHS Data controllers is listed below:
UK GDPR: what are your rights as an individual?
Individuals have rights in relation to their data which we respect and comply with to the best of our ability. We ensure individuals can exercise their rights in the following ways:
- Right to be informed
At HOHS, in order to provide our services properly, we will need to collect personal information from you. We will keep a record of how we use personal data to demonstrate compliance with the need for accountability and transparency. Your Data will only be processed for the intended purpose and we will continue to protect people's rights and interests. In most situations we will continue to obtain explicit consent from patients, which will identify what the relevant data is, why it is being processed and to whom it will be disclosed, e.g. Occupational Health Physicians' Medical Assessment Reports, Hearing Tests carried out as per The Control of Noise Regulations, and Lung Function tests carried out under Control of Substances Hazardous to Health (COSHH).
A copy of this privacy notice will be given to all attendees prior to, or at the time of, their appointment.
- Right of Access
At HOHS our lawful basis for processing your Personal Data is Legitimate Interest, i.e. to carry out health screening.
At HOHS we enable individuals to access their personal data and supplementary information in compliance with UK GDPR. To access your medical record, we require a written request. This will now be free of charge, and the information will be sent to you within 4 weeks (or 28 working days) of receipt of the written request.
- Right to rectification
UK GDPR requires that we rectify or amend an individual's personal data if requested because it is inaccurate or incomplete. This must be done without delay, and no later than one month. This can be extended to two months with permission from the Data Controller.
- Right to erasure
The patient has the right to have their data erased when the data is no longer necessary for the purpose for which it was processed.
The patient has the right to have their data erased when they have withdrawn the consent on which the processing is based and there is no other legal ground to continue processing.
The patient has the right to have their data erased when the data was unlawfully processed.
We must delete or remove an individual's data if requested, as long as there is no compelling legal reason for its continued processing. The Controller has the right to refuse to erase data as necessary. This could be due to:
– Legislative obligation where some records must be kept for 40-50 years.
– For the establishment, exercise or defence of legal claims.
– For exercising the right of freedom of expression and information.
– For reasons of public interest in the area of public health.
– For archiving purposes in the public interest, or for scientific or statistical purposes.
- Right to restrict processing
HOHS comply with any request to restrict, block, or otherwise suppress the processing of personal data. Where processing has been restricted, we are permitted to store the personal data but not to process it further. Any further processing would only be due to a legal requirement.
- Right to data portability
HOHS provide individuals with their data so that they can reuse it for their own purposes or across different services.
HOHS provide this in paper form or in a machine-readable format, as preferred, and will send it directly to another controller if requested by the individual with written consent.
- Right to object
HOHS respect the right of an individual to object to data processing, although this may not always be possible where processing is based on legitimate interest or the performance of a public interest task.
HOHS respect the right of an individual to object to direct marketing, including profiling. We do not carry out either of these tasks.
HOHS respect the right of an individual to object to the processing of their data for scientific and historical research and statistics. We undertake statistics for companies only on contractual agreement, and the information is always anonymised.
- Rights in relation to automated decision making and profiling
HOHS respect the rights of individuals in relation to automated decision making and profiling. We do not use automated decision making; we make all decisions through professional (human) medical intervention.
- How to access your medical records
Applications to access your data must be issued in writing to your employer, who will communicate with HOHS.
Should this not seem appropriate for your needs, then please write to a Data Controller (see above) at Harlow Occupational Health Service Ltd,
Stephen Taylor House, Edinburgh Place, Templefields, Harlow CM20 2DJ
If, however, you have been supplied with a direct contact at HOHS, then contact them directly.
Conclusion: If you have any concerns in relation to your personal data then please contact HOHS.
Harlow Occupational Health Service Ltd.
Issue Date: Rev 24/11/2022
Client: Version Number: 2.0