D4 Medicals Privacy Policy

Introduction

During the course of our activities, D4 Medicals Ltd will collect, store and process personal information about the employees of our customers. We collect this information for the purpose of:

• Assessing health at the start of employment.  

• Preventing ill health due to working activities or work patterns.  

The law governing the collection of sensitive data is covered by the General Data Protection Regulation (GDPR) 2018. Specifically, for the purpose of D4 Medicals Ltd collecting data:  

The lawfulness of Processing data is covered by Article 6.1.f:  

‘Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child’.  

Processing of Special Categories of Personal Data is covered by Article 9.2.h:

‘Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3’.  

What Data and Why Data is collected:  

Medical Questionnaires and Examinations  

As an employee, you may be asked to complete a Medical Questionnaire or you may have a Medical Examination. The purpose of this is to establish a prospective employee’s fitness for employment within a specific job role. The purpose of a Health Assessment is also to ensure that a person is not placed in a job that is going to adversely affect their health or make an existing health problem worse.

Specialist or General Practitioner (GP) Reports  

Occasionally we may need to obtain specific medical information from your GP or another specialist. If this is required, we would explain the need for the information to you in more detail and seek your verbal or written consent. This medical information is provided to us in strict confidence and is not divulged to anyone without your specific consent. We use this information to clarify your medical history and to ensure that we give the best possible advice to your manager/Human Resources (HR). In accordance with the Access to Medical Reports Act 1988, you have a right to view the report at your GP surgery (you have 21 days to do so), request amendments and veto the release of the report.

Confidentiality  

Whilst we work in partnership with your manager/HR to provide our services, Occupational Health records that we maintain during your employment are confidential and only Occupational Health staff have access to them. You are able to see these records at any time if you apply to do so in writing.  

The information we give to your manager/HR lead relates to your fitness for work. This is usually in respect of any restrictions or modifications to the type of work you are able to do. For example, if a person has epilepsy, their employer might receive a report recommending that the person should not work unsupervised. This need not necessarily disclose epilepsy.  

There are exceptional circumstances when we are bound by law or professional conduct to report a medical condition. Fortunately, this kind of situation is rare; however, we would counsel anyone carefully if this action were necessary.

Storage and Retention of Information  

The personal information obtained by D4 Medicals LTD is securely stored. The personal information will be kept for no longer than is necessary. However, the General Data Protection Regulation (GDPR) allows for some records to be stored indefinitely as archives for research purposes, or where relevant conditions are set by law; under COSHH, for example, the Health Records will need to be stored for 40 years following the last entry. The length of storage depends on the type of medical information enclosed.

Unwanted documents will be disposed of securely as confidential waste, by shredding, pulping, incinerating, deleting or overwriting. This will be documented and a destruction certificate obtained.  

D4 Medicals Ltd Retention of Data Policy [1]  

D4 Medicals LTD will agree with the customer (the employer) a time frame for destruction. This is usually for the duration of employment plus 6 years following employment or 75 years of age.  

Specific conditions are as follows:  

• Health Records – Are the responsibility of the Employer and must be kept for 40 years  

• Medical Assessment Forms – 10 years maximum if paper records stored at D4 Medicals LTD. 1 year maximum if D4 Medicals LTD store the records and no longer provide a service for the client.

However, it is advised that records of significant episodes, exposures or accidents should be preserved beyond the above time periods.  

A request to delete personal information will be considered and actioned. However, the request to delete information may be declined if the personal information is governed by legislation or other exceptional circumstance.  

How to Access your Personal Data  

General Data Protection Regulation (GDPR) gives you the right to access the information which D4 Medicals LTD holds about you and why. Requests must be made in writing and you will need to provide: 

• Adequate information [for example full name, address, date of birth, staff number, etc.] so that your identity can be verified and your personal data located.

• An indication of what information you are requesting to enable us to locate this in an efficient manner.

You should send your request to D4 Medicals LTD, Suite 2A, Blackthorn House, St Pauls Square, Birmingham, B3 1RL or email: admin@d4medicals.uk.  

D4 Medicals LTD will comply with requests for access to personal data as quickly as possible. We will ensure that we deal with requests within 30 days of receipt. Where requests are complex or numerous, we will write to inform you with an explanation as to why an extension is necessary.

Complaints and questions  

If you have any questions about this privacy notice or how we handle your personal information, please contact the person responsible, Dr Charlotte Summers. If we have breached our duty of care, we will take appropriate action.  

If you are not satisfied by our response, you also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (email: casework@ico.org.uk).

Changes to this Privacy and Data Retention Notice  

We reserve the right to update this privacy notice at any time for justifiable reasons. For further information, please refer to our Data Protection Policy.  

Contact Details  

D4 Medicals LTD, Suite 2A, Blackthorn House, St Pauls Square, Birmingham, B3 1RL or email: admin@d4medicals.uk.  

Reference:  

1. Records Management Code of Practice (https://transform.england.nhs.uk/information-governance/guidance/records-management-code/) (Page 71)