Privacy Policy

Introduction

Last Updated: 31/01/2025

This Privacy Notice outlines how we handle your personal data: what information we collect, why we use it, who we might share it with, how long we keep it, and the rights you have over your data. Specifically, it explains:

  • The legal bases allowing us to process your data
  • Our purpose for processing your information
  • If and when you’re required to provide certain details
  • Who we may share your information with and why
  • How long we retain your information
  • If (and why) we might transfer your data to another country
  • Whether we use automated decision-making or profiling
  • How we keep your information secure
  • How you can contact us if you have any questions

In this notice, references to your “employer” include your direct employer, a representative acting on their behalf (such as a manager or HR consultant), or pension trustees.

This notice applies to all clients that use our services, any of their employees or agents who are referred to us, and those employees who become users of our services.

Who Are We?

We operate under the name Health Matters Occupational Health (“we,” “our,” “us”), including any appointed representatives and medical professionals acting on our behalf. We are registered with the ICO under number ZA510348.

Depending on the service, we may act as either the Data Controller or Data Processor of any personal data provided. This Privacy Notice applies when we act as a Data Controller.

For example, for Occupational Health Assessments such as management referrals, fitness-for-work assessments and health surveillance, we determine how and why your data is processed, so we act as Data Controller.

For some on-site testing services, where we simply conduct testing on behalf of your employer (unless one of our clinicians interprets the results and issues a report), we act as a Data Processor and your employer is the Data Controller.

Regardless of our role, we are committed to protecting data subjects’ rights in accordance with the Data Protection Act 2018.

Legitimate Interest

We typically hold contracts or service agreements with our clients that require us to support their employees’ health and provide expert advice on health issues.

Our purpose in processing your data is to advise employers on matters such as employee fitness for particular roles, compliance with health and safety legislation, ill-health retirement or pension decisions, and ensuring the health and wellbeing of their employees.

To achieve these objectives, we may process and record information about you. Our lawful basis under the UK GDPR is Article 6(1)(f) (Legitimate Interests). For special category (health) data, we rely on Article 9(2)(h) (Processing for the purposes of occupational medicine). Specifically, we process health information “necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of an employee, and for the provision of health or social care.”

Where you provide details of any reasonable adjustments needed under the Northern Ireland Act 1998, we rely on Article 6(1)(c) of the UK GDPR to meet our legal obligations under that Act.

Data We Collect and How We Use It

We primarily receive your information from you or your employer. For instance, when your employer refers you to us, they may give us details such as your:

  • Full name, title, date of birth, address
  • Contact numbers (mobile or landline)
  • Personal or work email address
  • Employment details (role, history, employee number)

We use this data to:

  • Arrange and schedule appointments
  • Provide appointment reminders
  • Reschedule appointments if necessary
  • Discuss any adjustments you might need
  • Conduct assessments in person, by phone, or via video
  • Verify your identity for security
  • Gather your feedback regarding our services
  • Respond to any queries about your appointment or records

We may also handle sensitive personal data, including medical information forming part of your occupational health records. This may cover both physical and mental health, past or present medical issues, details of medications, and other relevant health information. If necessary for clinical reasons, we might also collect data on ethnicity, family medical history, or lifestyle factors.

In certain circumstances, we may request information from your GP, consultant, or other healthcare professionals, either directly or through your employer (if you’ve shared it with them). We only do this with your consent and record that consent.

Our use of such health information varies based on the service we provide, but can include:

  • Determining your fitness to work
  • Reporting on your fitness to perform certain tasks or jobs
  • Evaluating whether you require adjustments or support due to a health condition
  • Assessing whether workplace risks could be, or may already be, negatively impacting your health
  • Advising on pension or ill-health retirement matters
  • Administering medications or vaccinations
  • Reviewing diagnostic results or medications and interpreting them for your employer (for example, alcohol or drug screening or biological monitoring)

We sometimes analyse and report on anonymised or aggregated data to help improve our services and support employers in identifying workforce health trends. Such reports never include personally identifiable details.

Should you request certain data from us (for example, a copy of records under your rights), we may ask for proof of identification (e.g., birth certificate, driver’s licence). This verification step is strictly to protect your privacy.

Information We Share and Why

Under common law of confidentiality, our healthcare professionals (or technicians operating under their supervision) share relevant health information with your employer with your consent. However, under UK GDPR, our legal basis is legitimate interest, not consent. You have the option to view any report before it is sent to your employer. If you choose not to share the report, the employer may need to make decisions without our occupational health input.

We may also engage processors. These may include independent healthcare professionals who undertake clinical and/or assessment activities on our behalf and under our instruction. In such cases, we have an agreement in place that sets out the compulsory provisions they must comply with as a processor.

Certain contracts require sharing data with other specialist clinical services (e.g., labs or therapy providers), which may need personal details to run tests or provide treatment. We might also be legally required to share data with public bodies like the HSE, HSENI, DVA, or UK Health Security Agency.

For internal quality assurance, clinicians and technicians may review your data among colleagues (e.g., through notes audits or professional supervision) to maintain high standards. If safeguarding concerns arise, our Safeguarding Policy guides any necessary disclosures to protect vulnerable individuals.

Additionally, we may use suppliers for tasks like UK-based system support, secure database/website hosting, telephone system management, document scanning, and archived record storage. These third parties will have contracts in place that require compliance with UK GDPR, and they cannot use your data for any purpose beyond fulfilling our service obligations.

We will never use your occupational health data for marketing.

If our contract with your employer ends and a new provider is appointed, your records may be transferred to them once they or your employer confirm you have been informed and given the opportunity to opt out. After the transfer, the new provider becomes the Data Controller for those records.

How Long We Store Your Information

How long we store your information will depend on the type of record that we have been processing.

  • General Occupational Health Records: We keep these for the duration of our contract with your employer and up to six years after you leave their employment. After this period, and with your employer’s permission, these records will be securely deleted. We rely on your employer informing us that you have left employment.
  • Health Surveillance Records: Under Health and Safety law, some health surveillance records must be kept for 40 years. If we cannot differentiate between general occupational health records and health surveillance records, such as when received from a previous provider, the 40-year retention period will be applied as a precaution.

If our contract with your employer ends, we will stop processing your information, and all personal data and health records will be transferred to your employer’s next occupational health provider, provided they submit a written request confirming that your employer has informed you that this was going to happen and you have not ‘opted out’.

Data not part of your formal Occupational Health record (like internal emails) may be routinely deleted once it is no longer needed.

Where We Process Your Information

Your data is typically processed within the UK. For IT hosting and Cloud Backups, some data may be stored on servers located within the European Union. If so, we ensure compliance with UK GDPR and relevant data protection regulations.

How We Protect Your Information

We design all our processes with security and privacy as top priorities. Your data is stored securely in systems subject to regular monitoring.

We work to protect the security of your personal information during any communications with you using secure communication methods and secure software procedures. We maintain physical, electronic, and procedural safeguards in connection with storage and disclosure of your personal information. Our security procedures mean that we may ask you to verify your identity before we disclose personal information to you.

Access to any of your personal data held on our systems is restricted to nominated employees within Health Matters Occupational Health who are required to have access to your information to provide our service. Those employees can only access your information using our secure IT network. Our employees use secure passwords and have annual training on Data Protection and Information Governance.

Where information is shared with a third party, such as independent healthcare practitioners, or a laboratory to process test results, we have data sharing agreements in place, and only those authorised to process your data will be permitted to do so for the purpose of the processing.

We use anti-virus and anti-malware software to reduce the risk of any malicious computer virus or cyber-attack on our systems.

We also ensure that your information is encrypted when it is being moved. For example, when we share a report with you, or when your employer needs to view the report, they either receive it password protected via email or access it via a secure online portal to download the report when it is ready.

It is your employer’s responsibility to keep secure any reports at the point of receipt or download. Your employer will not have access to your Occupational Health record (background information obtained from you) as it is kept securely on our system and visible only to us.

Your Rights

Although we process your personal data for occupational health reasons (which can affect how some rights apply), under UK GDPR you generally have the following rights:

  1. Right of Access – You can request a copy of your personal data. We will respond within 30 days once we have verified your identity.
  2. Right to Rectification – If your personal information is inaccurate or incomplete, you can ask to have it corrected. Please note we may retain original medical records and append corrected versions to ensure accuracy.
  3. Right to Erasure (“Right to be Forgotten”) – You can request deletion of your personal data, but this is not absolute. Since we process your data for occupational health (a legal obligation), we generally cannot delete these records. However, for non-essential contact details (e.g., a personal email address), you can ask us to remove or update them.
  4. Right to Restrict Processing – If you challenge the accuracy of your data or otherwise object, you can request we hold but not process it.
  5. Right to Data Portability – You can request electronic transfer of your personal information to another provider in a machine-readable format.
  6. Right to Object – You can object to certain processing at any time, though this only applies in specific circumstances.
  7. Right to Withdraw Consent – Our primary legal basis is legitimate interest (not consent), but if we have explicitly relied on consent for a particular service, you may withdraw it at any time.

To exercise any of these rights, please email [email protected]. We will verify your identity to protect your data; this verification process is lawful under Article 6(1)(c) of the UK GDPR. Verification data is only kept as long as necessary to fulfil your request.

Common Law of Confidentiality and Consent

Healthcare professionals are bound by the common law of confidentiality, meaning they require your permission to share confidential health information with your employer. If you withdraw this consent, your employer might have to make decisions without the benefit of occupational health advice. If routine fitness-to-work assessments or health surveillance are part of your role, withdrawal of consent might mean your employer cannot allow you to continue in that position.

Contact Our Data Protection Officer & Right to Complain

We strive to maintain high standards of data protection and encourage you to reach out with any questions or concerns about how we use your personal information. Our Data Protection Officer is Mr. Shaun Doran, who can be contacted at:

  • Email: [email protected]
  • Address: Health Matters Occupational Health, Monaghan Court, Monaghan Street, Newry, BT35 6BH

If, after contacting us, you remain dissatisfied with our response or believe we are not processing your data lawfully, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Visit www.ICO.org.uk for more information.

Thank you for taking the time to review this Privacy Notice.