Privacy policy

The University of Bristol (“The University”) is committed to protecting your personal data and for keeping you informed about how information about you is used.

This notice outlines how the Occupational Health Service process your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This notice should be read in conjunction with the University’s top level privacy notices.

Types of personal data processed

In order to support staff and students at the University of Bristol to stay healthy in their work and study environment, we need to process the following type of data about you:

  • Name and date of birth
  • Contact information such as telephone number(s), email and/or address

and if necessary, any of the following:

  • Details of current employer(s) and job
  • Details of general practitioner 
  • National Insurance number
  • NHS number

We also may need to process the following special categories of data:

  • Health data – such as past and current health conditions, allergies, medical history, medications, clinical observations, vaccination records, blood test results (including immunity tests and MRSA screening), health surveillance outcomes, fitness for work or study assessments, and relevant information from GPs or other healthcare professionals.

How we collect your data and how we use it

The information we process about you is collected from a number of sources including:

  • You (the individual) - for details you provide through health questionnaires, immunisation records, placement or elective health forms, and information you give during consultations or assessments.
  • Internal University parties such as your line manager, HR team, Academic school or faculty – for referral information where there are concerns about health impacting your work, attendance, performance, studies, or placement requirements.
  • Your GP or other health professionals – for medical reports, diagnosis and capability information.
  • Internal Occupational Health clinicians – for data generated from clinical observations, surveillance results, vaccination and blood test outcomes.
  • Placement providers – for health-related incidents, exposure risks and fitness-to-attend/practice concerns.

The above information is processed in order to maintain health and wellness at work for university staff, and to ensure that students undertaking courses with occupational health, fitness, or placement requirements receive appropriate support.

We will use your information to provide you with Occupational Health services and support your workplace or study related health and safety, in order to meet the University’s legal, contractual and public interest responsibilities.

We produce quarterly and annual reports on Occupational Health activity, but all data used is fully anonymised. The reports include only aggregated numbers, such as the volume of appointments, reasons for attendance, and the schools or faculties involved. This helps us identify trends and plan proactive support, and no individual can be identified from these reports.

We do not use any of the information we collect about you for direct marketing, and we will never use your occupational health data to send you promotional or marketing material.

We will not use your personal data for automated decision making about you or for profiling purposes.

We will process your personal data either in ways you have consented to, or because it is otherwise necessary for a lawful purpose. 

The lawful basis for us to process your personal data for the above purposes is is shown in the table below. The basis we rely on will depend on the type of activity and the context in which your data is used:

Lawful basis Why we use this Examples of how we use this
Contract Where we need to process your personal data to fulfil or support your employment or study contract with the University.
  • To assess your fitness to carry out the duties set out in your employment contract.
  • To manage sickness absence and facilitate your safe return to work.
  • To determine your eligibility for contractual entitlements (e.g., occupational sick pay).
  • To enable your participation in placements or programme activities that form part of your study contract.
Legal Obligation Where it is necessary to use your personal data to comply with applicable health, safety, and statutory requirements placed upon the University.
  • To carry out required health surveillance under health and safety legislation (e.g. infection risks).
  • To assess any workplace risks and ensure safe working practices.
  • To report and manage any notifiable workplace incidents.
  • To ensure that we meet our statutory obligations under applicable UK Health and Safety legislation such as the Health and Safety at Work etc. Act 1974.
Public Task Where we must process your personal data to perform tasks carried out in the public interest or in the exercise of our official functions as a university.
  • To support workplace and study‑related health, safety, and wellbeing.
  • To support fitness‑to‑study, fitness‑to‑practice, and placement‑clearance assessments.
  • To manage risks associated with regulated programmes, laboratories, or clinical activities.
  • To ensure compliance with external professional or regulatory standards.

The special category data as listed above, specifically health data, is being processed for the above purposes under the following additional lawful basis:

  • Article 9(2)(h) – Preventive or occupational medicine

Sharing your personal data

Your personal data will be collected and processed primarily by the University’s Occupational Health Service.

We may share your personal data with internal University parties where this is necessary to support your health, safety, work, study or placement arrangements. We will not share clinical details unless there is a legal basis to do so.

The table below outlines what types of your personal information may be shared, with which internal parties, and for what purposes.

Internal party What information we share Purpose for sharing
HR/People Services
  • Fitness for work outcomes (e.g., fit/fit with adjustments/not fit) 
  • Recommendations for reasonable adjustments 
  • Phased return to work plans 
  • Manage sickness absence 
  • Implement reasonable adjustments 
  • Support return to work processes 
  • Meet legal obligations relating to workplace health and safety
  • Administer sick pay entitlements correctly 
Line Managers/Supervisors
  • Adjustments required to ensure safe performance of duties 
  • Phased return arrangements
  • Ensure duties are safe
  • Implement workplace adjustments
  • Support rehabilitation and safe reintegration into work
Safety and Health Services
  • Information needed to manage risk following workplace exposures
  • Clearance to work with specific hazards
  • Comply with statutory health and safety requirements 
  • Maintain a safe working environment 
  • Manage incidents or hazardous exposures appropriately

Academic Schools/ Faculties
  • Fitness to study or fitness to practice outcomes 
  • Recommended study adjustments 
  • Confirmation of health requirements for course activities
  • Support academic adjustments 
  • Ensure safe participation in course related activities 
  • Support student to meet regulatory or programme requirements

We may need to share your personal data with third parties where this is necessary to safeguard your health, support any required medical assessment, or ensure you receive appropriate treatment.

We will only share your personal information where we have a lawful basis to do so, and will limit it to the minimum amount of information required for the stated purpose.

We may also include identifying details when needed, to ensure that the third party can reach you and offer the right support.

Third party

 What information we share Purpose for sharing
  • General Practitioners (GPs)
  • University Physiotherapists (Sports, Exercise and Health)
  • Identifying information (e.g., name, contact details).
  • A description of the concern identified.
  • Relevant test results or findings.
  • Any additional context necessary for the health professional to understand the concern or reason for referral.

  • To facilitate contact where a follow‑up, assessment or medical assistance is required.

  • Allow relevant healthcare or wellbeing professionals understand the issue so they can offer suitable advice, treatment or intervention.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow third party service providers to use your personal data for their own purposes; we only permit them to process your personal data for specified purposes and in accordance with our instructions.

Please note that we may need to share your personal information with a regulator or to otherwise comply with the law, and the list above is not necessarily exhaustive.

Storage and retention of personal data

The University has put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost or used, accessed, altered or disclosed in any unauthorised way.

Access to your personal data is limited to those that have a lawful and legitimate need to access it.

All personal data processed by the Occupational Health Service is stored securely within secure, access-restricted SharePoint folders, as well as ORCIDLive, the University’s approved Occupational Health management system.

All personal data collected will be stored on servers within the UK and processed in accordance with the UK General Data Protection Regulation (UK GDPR), and the Data Protection Act (2018).

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

We will keep your personal data according to the University’s Records Retention Schedule, holding it for six years after you leave the University or until age 75, (whichever is sooner. Health surveillance records will be held for 40 years, as required by COSHH and HSE regulations.  Your personal will be securely disposed of once these periods have passed.

The spreadsheets we own are on SharePoint and shared with only certain individuals. Information limited to names, dates of tests/contact and outcome (fit, fit with restrictions etc) There are other owned by teams such as onboarding which we access.

Your rights

Under certain circumstances, you may have the following rights in relation to the data we process:

  • Right to request access to your personal data;
  • Right to request correction of your personal data;
  • Right to request erasure of your personal data;
  • Right to object to processing of your personal data;
  • Right to request restriction of the processing your personal data;
  • Right to request the transfer of your personal data; and
  • Right to withdraw consent.

For more information on these rights please visit the University’s guidance on Rights of data subjects. To exercise any of the above rights please contact the Data Protection Officer via data-protection@bristol.ac.uk

Questions, comments or complaints

If you have any questions or comments regarding this Privacy Notice, please contact the Occupational Health Service in the first instance.

You can also contact the University’s Data Protection Officer at: data-protection@bristol.ac.uk.

If you are unhappy or have any complaints about how we process your personal data, we encourage you to follow our internal complaints procedure. Should you remain dissatisfied after exhausting our internal complaints process, you have the right to raise your complaint with the Information Commissioner’s Office (ICO).