How we use your information - data protection and the GDPR

The main output from an occupational health intervention is a report. This may be to the employer when there has been a management referral for advice. It may be to a pensions authority or pensions trustees when the employee is claiming for ill health retirement or early release of deferred pension benefits. It may be to an insurer when claiming under an insurance policy. It may be to a lawyer when a medicolegal report is required.

In order to create a report, we have to receive, store, create and process data. We will be sent information by employers, reports from treating clinicians including GPs and specialists, results of tests and investigations, and information from insurers or lawyers.

General Data Protection Regulation

The General Data Protection Regulation (GDPR) requires that personal data must be processed fairly, lawfully and in a transparent manner. It is lawful for Working Fit to process this data under the GDPR (Article 6(1)), and there are a number of reasons why:

Processing may be necessary for the performance of a contract to which the data subject is a party, such as an insurance policy.

Processing may be necessary for compliance with a legal obligation, for example in relation to regulations under the Health and Safety at Work Act, or medicolegal work.

Processing may be necessary to protect the vital interests of the data subject or of another natural person, for example where there is a risk that a medical condition could lead to serious injury (such as a road traffic crash, a major incident in a workplace, or harm to students in a school).

Processing may be necessary for performance of a task carried out in the public interest (for example occupational health assessments in a public organisation such as the NHS or a University or School).

Processing may be necessary for the purposes of the legitimate interests pursued by the controller or a third party (for example occupational health assessments outside the public sector).

In addition to these factors, as the data is about the health of individuals, it is particularly sensitive. There are several lawful reasons why Working Fit has to process this data under the GDPR (Article 9):

Processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller in the field of employment and social security law.

Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee.

Processing is necessary for reasons of public interest in the area of public health.

Processing is necessary for archiving purposes in the public interest, research or statistical purposes.

The main Data Controller for Working Fit is Dr Tony Williams. Where other clinicians prepare reports, they will be Data Controllers for that data. Working Fit is registered with the ICO, reference Z7714206, since 11th March 2003.

Consent

As the reasons for processing data outlined above are all lawful, there is no additional legal requirement for consent to process your data. Nevertheless, consent will be required in most circumstances to send any report to a third party such as an employer. This requirement is outlined in guidance on consent from the General Medical Council (GMC) and Faculty of Occupational Medicine (FOM) and is entirely separate from the GDPR.

In most occupational health consultations, the report will be written at the end of the consultation so you can read it at the time and give your consent. There is no further requirement for you to be sent the report or to give additional consent, although you will be sent a copy if you choose to have one. You can of course withdraw your consent at this time, in which case the report will not be sent. Your employer will then have to make a decision on how to proceed without specialist occupational health advice and this may not be in your interest.

In most insurance and pensions assessments, where you are seen in clinic, the report will be prepared afterwards, and you will have the opportunity to see the report before it is sent to the insurer or pensions trustees if you wish. If you withdraw your consent, this may prevent the insurer or pensions trustees from completing the claims process so it may not be in your interest. Where you are not seen, there is no requirement for consent as the report will be prepared using information the insurer already has so there will be no additional release of confidential information.

In most medicolegal assessments, the report is considered privileged information for the lawyers, and as such cannot be shown to you unless the lawyers agree. There is therefore no requirement for you to consent to the report.

Rectification and erasure

If you are concerned about aspects of the report, or that the report may be missing information, you can ask the clinician who prepared the report to consider any additional factual information with a view to correcting the report.

You cannot ask the clinician to change their opinion although if there is missing factual information that you provide, this may lead to a change in opinion.

Where the report quotes a report from another clinician, you cannot ask for this to be rectified; it is a factual statement about the contents of that report.

Where information is held that is clearly factually incorrect, you can ask for this to be corrected or erased.

If you remain unhappy about the report, the best option is to prepare your own letter outlining your concerns so that the recipient of the report can consider these alongside the report.

Data storage

Data has to be stored in order to produce a report, and afterwards in case there are further questions or additional material is provided. Paper documents are usually scanned to store electronically, and paper documentation is usually destroyed by shredding within six months of a final report being sent unless there are ongoing proceedings such as legal processes. Once these processes are complete the paper documents are destroyed within six months. Paper documentation is stored in a locked filing cabinet in a locked office.

Electronic data is stored on encrypted personal computers. These are backed up using a third party, ‘Cloud Direct’, who use an encrypted transfer to encrypted storage (256-bit AES-GCM encryption) in UK data centres.

Electronic data is processed using Microsoft 365, who also use encrypted data storage in the UK.

Electronic data used to prepare reports is deleted after a year. Electronic reports are kept for reference and audit purposes. Annual audit is undertaken for quality control, comparing outcomes with previous years to ensure consistency.

Data transfer

Paper records are generally avoided as the least secure option, but there are occasions when information has to be posted, in which case the Royal Mail ‘signed for’ service is used.

Encrypted data transfer systems are preferred, and most customers transfer documentation to Working Fit using encrypted email or encrypted login systems. Where these are not available, simple password protection and encryption are used. Complex encrypted data transfer is not used when sending reports to patients to review. Reports are converted to .pdf, encrypted and password protected, and emailed to the patient. A second email is sent with the password.

Access to personal data

You have a right to access and receive a copy of personal data being processed. In practice, most of the data is copies of GP notes, letters and specialist reports which are accessible from your GP and specialists. The important additional data is the report produced and you will be sent a copy of this report unless you have asked not to receive it. The information will usually be sent by email as above.

There are specific times when you will not be sent all the information held. Where the information is legally privileged you may not be allowed to see it. Where information includes data about third parties this may need to be redacted before you can see the information. Where the information may cause serious harm to your mental or physical health you may not be sent it, but a copy would then usually be sent to your GP instead.