Privacy Notice

Phoenix Occupational Health, as both the Data Controller and Data Processor is committed to protecting the rights of the individual and acknowledge that any personal data of yours that we handle will be processed in accordance with the Data Protection Act 1998 (DPA) and the new General Data Protection Regulations (GDPR) 2018.

The GDPR will come into force throughout the EU on 25th May 2018.

The Data Protection Bill currently before parliament is only an adjunct. It makes rules for data not covered by the GDPR and provides exceptions to the regulations where member states are permitted to Derogate. It is expected to come into force on 25th May 2018.


Personal Data

Defined as: Article 4 – any information relating to an identified or identifiable natural person (data subject).

Data protection principle Article 5

Personal Data shall be:

  • Processed fairly and awfully and in a transparent manner
  • Collected for a specified explicit and legitimate purpose and not further processed in a manner incompatible for those purposes (processing for archiving in the public interest, scientific, historical or research purposes shall not be considered incompatible with the initial purpose)
  • Adequate relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accurate and where necessary kept up to date; reasonable steps must be taken to ensure that data that is inaccurate is erased or rectified without delay
  • Kept in a form which permits identification of data subjects no longer than is necessary for the purposes for this the data is processed. They can be kept longer for archiving in the public interest, scientific or historical research purposes subject to protecting the rights of data subjects (i.e. anonymising or pseudonymisation)
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss destruction or damage


Under the GDPR regulations, it is required that Phoenix OH identify a justification for processing data and tell the data subject who the controller is, what data is being collected and processed and for what purposed. This includes giving a justification under Article 6 and an additional justification in the case of special category (sensitive) data under Article 9


Phoenix Occupational Health will engage in the following activities

  • Collecting data i.e.: pre-placement, statutory health surveillance, assessing fitness to work.
  • Maintaining Occupational Health Records
  • Reporting about the data subject to HR, H&S, managers, trustees of a pension scheme, solicitors, DVLA

Article 6 – Lawfulness of processing (Why is it collected)

Processing shall be lawful only is and to the extent that at least one of the following applies

  • Examples relevant to OH practice
  • (a)The data subject has given consent to the processing of his or her personal data for one of more specific purpose
  • Consent is defined in Article 4;
    • Must be freely given, specific, informed and unambiguous indication of the data subjects wished by which he or she, by a statement of a clear affirmative action, signified agreement to the processing of personal data relating to him or her.
    • It is preferable for this to be in writing, but it is not legally required. Silence, pre-ticked boxes, or inactivity cannot constitute consent
  • For the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee. To ensure the health and safety of the employees at work and to allow consideration of any adjustments that may be required to support their ability to work.
  • Data may also be used for research, audit or statistics but will be anonymised if this is the case.


Phoenix Occupational Health justifies its gathering and processing of data under Article 6 section (c) “processing is necessary for compliance with a legal obligation to which the controller is subject” i.e.: statutory health surveillance, report of communicable disease under the public health act, employer’s duty to pay SSP, maternity pay, make reasonable adjudgments for disabled employees under the Equality Act etc.  


In addition to compliance with one of more of the justifications in Article 6 the controller will also have to comply with one of more of the justifications in Article 9 as the data controller will be collecting Sensitive or Special Category data.


Phoenix Occupational Health consider our justification in Article 9 to be (h) “processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment for the management of health or social care systems, subject to the conditions and safeguards referred to in paragraph 3.

 (3) – .. must be processed by or under the responsibility of a professional to the obligation of professional secrecy under Union or member state law or rules established by national competent bodies, or by another personal also subject to an obligation of secrecy.


Security of Processing: Article 32

Both the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including ability to ensure ongoing confidentiality; integrity; availability and resilience of processing systems and services;  ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and process for regular testing assessing and evaluating the effectiveness of measures for ensuring the security of the processing.


Encryption and IT support

Phoenix Occupational Health have encryption on all their computer systems and have a server at their offices in Burslem. All data is backed up o the server, every evening at 1900 hrs. Data on laptops is backed up as soon as reasonably practicable to do so, and no more than 5 days post entry.  We are working with an IT specialist to develop a portal on Office 365 where the data can be stored contemporaneously.  Our IT company ensures that we have the latest versions of virus protection and that this is regularly tested.


Transferring data

Phoenix Occupational Health will be required to transfer data to HR, H&S or management and this will be done in accordance with our Data Transfer policy.  The principles of this policy are;

  • If sensitive data is to be transferred by email, the data will be passworded as a PDF
  • The password will be shared at the consultation
  • If there is a substantial amount of data, this will be uploaded to our client portal
  • Each client will have an unlicensed account on office 365 to allow them access to our portal.
  • All documents on the portal will be security “trimmed” so that once logged in, the client (HR/ H&S / Manager) will only have access to the data that they are entitled to see.
  • The client will have their own password which will be changed regularly
  • The files in this portal will be removed within 30 days. The data will not be removed, as this will be securely stored on the server in a separate location to the client portal


Retention and Destruction

Phoenix Occupational Health are processing data for compliance with a legal obligation. Therefore, there are retention periods that we must adhere to.

  • Management referral information will be held for 6 years after the employee has left their job or 75 years of age (whichever is soonest) as recommended by the British Medical Association (BMA)
  • Pre-placement medicals will be discarded after 2 years if the employee doesn’t take up the offer of the job
  • Health Surveillance Records will be kept for 40 years or until that person is 75 years old, as required by the Health and Safety Executive (HSE)


Subject Access Requests: Article 15

Data subjects have the right to access their personal data and to exercise that right easily and at reasonable intervals. Information must be provided in a concise, transparent and intelligible and easily accessible form, using clear and plain language, no later than 1 month after receipt for the request. This must be provided free of charge except where manifestly unfounded or excessive (i.e.: repetitive)

Phoenix Occupational Health require the data subject to make this request in writing, with their name, date of birth, company and job title on the letter. We will acknowledge receipt of this and will provide the data subject an estimated time frame for when to receive the data. Phoenix Occupational Health will seek to send this data electronically if possible, in accordance with their transfer of data policy.


Right to erasure: Article 17

  • The data subject has the right to demand from the controller the erasure of personal data where:
  • The data is no longer necessary for the purposes for which they were processed
  • The data subject withdraws consent on which the processing is based and there is no other legal ground for processing
  • The data has been unlawfully processed

However, there are exception. The controller has the right to refuse to erase data is necessary

  • For exercising the right of freedom of expression
  • For compliance with a legal obligation
  • For reasons of public interest in the area of public health in accordance with (h) and (i) of article 9(2) which includes preventative Occupational Medicine
  • For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
  • For the establishment, exercise or defence of legal claims


Right to be notified of a breach: Article 34

The data subject has the right to be notified of a high-risk breach without undue delay

The Information Commissioner must be notified within 72 hours (Article 33) or, if not possible without undue delay


GDPR Summary  

Lawful Basis for processing the information

  • Lawful basis for processing this sensitive personal information is for compliance with a legal obligation, and for a legitimate interest.
  • Additional condition – Article 9(2)(h) specifically authorises processing of data as Occupational Medicine is a special category thus “processing is necessary for the purposes of Occupational Medicine” and Article 9(3) which states that processing is permitted “When these data are processed by a regulated health professional”


How long will data be held for

  • Management referral information will be held for 6 years after the employee has left their job or 75 years of age (whichever is soonest) as recommended by the British Medical Association (BMA)
  • Pre-placement medicals will be discarded after 2 years if the employee doesn’t take up the offer of the job
  • 40 years in relation to Health Surveillance as required by the Health and Safety Executive (HSE)


Right to Erasure

Article 17 states that you have a right to demand erasure, but there are exceptions. Phoenix Occupational Health will not be able to grant your right to erasure as we fall within the exceptions of b: there is a legal obligation to hold your data

C: reasons of public interest in accordance with (h)


How will the data be stored

  • Your records will be stored in accordance with Phoenix Occupational Health’s medical records storage policy following GDPR regulations.

Who will my information be shared with

  • We will not share information about you with third parties without your consent unless the law allows us to.

What are your rights

  • You have the right to see any information we hold abut you in your occupational health record. The request should be made in writing and should be responded to within 4 weeks without charge. You can also request that an amendment is attached to your health record if you believe any of the information held by Phoenix Occupational Health is inaccurate or misleading.