Introduction

Workable Occupational Health Ltd (Workable OH) is registered with the Information Commissioner’s Office (Registration number ZA 678751) as a data processor and data controller. We are committed to following all applicable data protection laws and guidelines.

Definitions

Data processing: Any action performed with personal data, such as collecting, storing, or sharing it.

Personal Information: Information that can identify a living person (the ‘Data Subject’).

Responsible Person: Our Managing Director oversees data protection under the data protection legislation.

Sensitive Personal Information: This special category of personal information includes health information, which is the primary type of sensitive data we handle.

Purpose and Scope

This Policy outlines how we protect your data in line with UK data protection laws and medical guidelines: UK General Data Protection Regulation 2017, the Data Protection Act 2018 and relevant GMC and FOM guidelines.

Workable OH is committed to processing data in accordance with its responsibilities under the legislation.

Main Principles

  1. Workable OH, an occupational health provider, is a data processor and data controller registered with the Information Commissioner’s Office under the Data Protection Act and GDPR.
  2. Workable OH’s Managing Director shall be the Data Protection Officer responsible for data protection.
  3. All Personal Information will be processed by us lawfully to fulfil our role as an occupational health provider.
  4. Personal Information will be processed only with informed consent (see Privacy Notice).
  5. Personal Information will be collected and processed to enable the business mission of Workable OH, i.e. occupational health services.
  6. Personal Information will not be shared except if required by law or after prior informed consent of the Data Subject.
  7. According to the GDPR Data Protection Principles, Personal Information shall be:
    1. Processed fairly, lawfully and transparently;
    2. Collected and processed only for specified, explicit and legitimate purposes;
    3. Adequate, relevant and limited to what is necessary for the purposes for which it is processed;
    4. Accurate and kept up to date. Any inaccurate data must be deleted or rectified without delay;
    5. Not kept for longer than is necessary for the purposes for which it is processed; and
    6. Processed securely.
  8. Workable OH shall take reasonable steps to ensure Personal Information is accurate and up to date.
  9. All Workable OH staff with access to Personal Data shall sign the confidentiality and non-disclosure statement and follow its requirements.
  10. All Service Users (Data Subjects) will be informed of the principles of data confidentiality, data protection, data sharing and their relevant rights. Informed consent must be provided before OH consultations and before the release of OH information to the employer (see Privacy Notice).
  11. The informed consent can be provided in written or verbal form and documented by the Workable OH Clinical Staff.
  12. These principles do not apply to anonymised statistical information in line with the ICO guidelines.
  13. This Policy will be reviewed every 3 years or after significant changes to data protection legislation.

Roles and responsibilities

Workable OH has the following responsibilities as an ICO-registered data controller and data processor:

  1. Complying with the data protection laws.
  2. Cooperating with the Information Commissioner’s Office (ICO), the UK regulator of data protection laws.
  3. Monitoring compliance with data protection laws.
  4. Responding to data subject rights requests.
  5. Ensuring that Workable OH Staff are aware of the Policy. All Workable OH Staff are responsible for protecting medical information in line with relevant legislation, this Policy and the Privacy Notice.
  6. Any breach of the Policy or of Personal Information (e.g., accidental or unlawful loss, destruction, alteration, or disclosure) should be reported immediately to the manager, who will investigate and record the breach and take appropriate action, including mitigation, prevention of further breaches, and notification to the ICO if there was a risk to people’s rights and freedoms.

Data Security and Integrity

  1. All Personal Information is stored on Workable OH computers using the MS Office Professional 365 Business Cloud Storage and Backup System (with access to IT support), with up-to-date antivirus and firewall software.
  2. Personal Information is protected by a login name, a password, and a one-time password (OTP) delivered over the phone for additional security.
  3. The office computers shall never be left unattended if the screen is on.
  4. Printed documents will be scanned into the secure online system and shredded.
  5. Internal and external drives shall be encrypted.

Data Subject Rights

Data Subjects have the right to access their Personal Information, correct any inaccuracies, erase Personal Information (unless storage is required by law, e.g., in the case of health surveillance), withdraw consent for future data processing, obtain a copy of their Personal Information or have it transferred to another controller, and be notified of a breach affecting the security of their data.

Data Subject Access Request

Data Subjects can make a written Subject Access Request (SAR) to access their Personal Information, correct inaccuracies, or request the removal of their Personal Information stored by Workable OH. The request will be coordinated by the Data Protection Officer and completed within two weeks (one month in particularly complex cases). There is no fee for a SAR. However, if the procedure requires significant use of our resources, we may charge a reasonable administrative fee of up to £300. The fee represents the cost of determining whether Workable OH holds the information, and of retrieving and reviewing the Personal Information to remove information about other data subjects or as otherwise required by the GDPR.

More detailed information is available from the General Medical Council and the Faculty of Occupational Medicine.
