The Occupational Health Service recognises the need to comply with the General Data Protection Regulation (GDPR) and Data Protection Act 2018 and all other relevant legislation and codes of practice in relation to its work activities. The provision of a confidential, informed and impartial service to the staff and students at the University of Bristol is essential to maintain a professional relationship. The Occupational Health Service collects, retains and processes personal data, for which the University of Bristol is the data controller.
It is incumbent on all occupational health staff to maintain confidentiality. Each member of staff has an obligation not to divulge any information learned in respect of his/her work activities as detailed below.
The personal information we hold is kept to a minimum and details only what is required to allow us to carry out health assessments and maintain adequate records required by the General Medical Council, the Nursing and Midwifery Council and other authorities.
We may hold the following personal information about those employees who are referred to us:
- Name, date of birth, telephone number(s), e-mail and/or address;
- Details of employer and job (if relevant);
- Details of general practitioner (if relevant);
- Details including medical history, medication and clinical observations of any medicals or health assessments that we carry out;
- Information from other bodies such as employer, general practitioner or other professionals where this has been provided to enable assessments to be made of medical fitness or any appropriate adaptations to employment.
Storage of records
All records will be maintained in accordance with the requirements of the General Data Protection Regulation and relevant guidance from the Nursing and Midwifery Council, the Faculty of Occupational Medicine and other regulatory bodies and quality standards.
- All occupational health records of employees will remain private and confidential to occupational health unless signed medical consent is provided.
- Paper records will be maintained on site at occupational health premises.
- All records will be securely stored in a locked cabinet within a locked room and only be accessible to occupational health.
- All electronic records and information will be kept on secure and protected systems (Orchid) and encrypted where necessary.
- All computers, laptops, phones, network storage and other IT equipment will be password protected.
- We will maintain suitable and up to date anti-virus and anti-malware software.
- All electronic information will be backed up on a 24 hour basis.
- Reports and other correspondence will be password protected where required and appropriate.
Information about an individual may only be disclosed to a third party outside of occupational health if:
- The individual concerned has given informed and express consent.
- Provision of such information is required by a court of law.
- Disclosure is in the public interest and the interests of the individual it relates to.
Individual employees can also:
- Request amendments to any information that they believe is inaccurate or incomplete. Changes to Occupational Health opinion will not be possible, although additional statements to supplement reports can be provided.
- Refuse consent for a proposed action. This will be respected once the consequences have been explained and documented in appropriate records.
- Request that data is moved. This will only be possible for legitimate reasons, provided contractual and legal obligations allow.
- Request the right to erasure of data where it is no longer required for lawful processing.
- Request access to their information. They have a right to be provided with a single copy of the information that Occupational Health holds about them. They should submit their request to Occupational Health in writing or by email. The information will be provided within one month of the request being received.
All such enquiries about an individual, or individuals, whether from a third person or from the individual personally, must be referred to a clinical member of staff. No medical or health advice, information, recommendations or opinion is to be given by administrative staff.
Retaining and disposing of information
- All occupational health records, whether hard copy or electronic, can be destroyed 6 years after an employee has left the employment of the University (or when the individual reaches the age of 75, whichever is sooner), in line with BMA guidance.
- Health surveillance data is the exception to the above and will be kept for 40 years for the purposes of COSHH assessment and in accordance with HSE legislative requirements.
- Paper records will be securely shredded. Electronic records will be destroyed by secure deletion processes.
Occupational Health Service staff
All occupational health staff including administrators will be required to sign that they understand the implications of this policy and medical confidentiality every 2 years or when there has been a significant change. Any breaches of the above may result in disciplinary action including dismissal.
If you have any concerns about how your personal data is processed, please contact the Occupational Health Service in the first instance.
For more information regarding data protection in the University, please see Data protection | University Secretary's Office | University of Bristol.
The University’s Data Protection Officer can be contacted with any concerns or queries at firstname.lastname@example.org.
For more information regarding GDPR 2018, please see Guide to the General Data Protection Regulation - GOV.UK (www.gov.uk).