1. What is Insync Corporate Healthcare Ltd (ICH)?
We are an independent occupational health provider. Occupational health is a specialist branch of medicine focused on maintaining health and wellbeing in the workplace. Occupational health specialists (nurses and doctors) are trained to provide advice on work-related illnesses and accidents, fitness for work including pre-placement screening and assessing employees for fitness for work after a period of sickness absence. They also can provide health surveillance to help monitor wellness in the workplace, together with general advice on health and wellbeing, stress at work and ill health retirement.
Further information about us can be found at www.insynchealth.co.uk
2. Why do we process personal data?
Our occupational health specialists give advice to organisations on all aspects of occupational health.
3. What information do we process?
Organisations or other occupational health providers pass us information about workers so that we can arrange appointments and undertake relevant assessments. The information we are given may include names, addresses, national insurance numbers, employment details and telephone and email contacts. We need to make sure that our assessments are undertaken with the right person, so we will ask individuals to confirm some of the details we have been given and may request further evidence to confirm identity, such as photographic evidence. If so, copies will be added to the occupational health record.
The nature of what we do means that we also collect personal medical information.
4. What information is released?
The worker's formal consent is required to provide any information to an employer or third party. The occupational health specialist will discuss the outcome of the assessment and the information that they aim to send to the employer/third party, so that the worker can make an informed decision regarding the release of information.
5. Are we allowed to do this?
We have identified our lawful use of such data under the EU General Data Protection Regulation (GDPR): Article 6.1(f) (Legitimate Interests) and special category Article 9(2)(h), for purposes related to the provision of occupational health services.
6. Is the information discussed at the appointment confidential?
All information given to us is kept securely and maintained in accordance with the data protection legislation¹ and guidance produced by the General Medical Council and the Faculty of Occupational Medicine concerning confidentiality and privacy.
It will only be accessed by ICH’s staff and clinical team for the purpose of providing occupational health services. The information will not be passed to any third party without the worker's consent. At the end of our contract with the employer/organisation, workers will be informed of the new provider of occupational health services and the method for transfer of occupational health records.
Whilst workers remain in employment with the company, medical documents will be held securely by ICH, only being deleted 10 years (for case management), 40 years (if health surveillance has been undertaken) or 50 years (if statutory health surveillance has been undertaken) after the last entry in the notes once the worker has left the company. Our record retention policy is in keeping with our medical malpractice insurance, recommendations for best practice in the field of occupational health and relevant statutory requirements.
Workers have the right to request a copy of the information that we hold about them at any time during their employment.
Copies of some or all personal information can be requested from our administration team, who are also able to help with making sure that personal information is accurate and up to date; workers can ask us to correct or remove information they think is inaccurate.
The administration team can be contacted at firstname.lastname@example.org, or by writing to Insync Corporate Healthcare Ltd, Excalibur Drive, Thornhill, Cardiff CF14 9BB.
7. How is the data shared and stored?
Paper records are securely locked away and can only be accessed by personnel approved by ICH and/or occupational health specialists.
Electronic occupational health records are held in a secure, bespoke, cloud-based database that is accessible by authorised users and managed by Probase Applications Ltd. The database is ISO 27001 compliant and certified under the Cyber Essentials scheme.
Microsoft Office 365 is our email platform and we ask organisations to make sure that information is transferred to us securely. When sending information to organisations we encrypt documents containing personal data and confirm the identity of the recipient before releasing any details. Information requested on paper is protectively wrapped and marked before being sent by secure, signed-for delivery.
¹ Data Protection legislation means any applicable law, and/or related issued judicial guidance, relating to the processing, privacy and use of personal data, including the GDPR and/or any corresponding or implementing national laws or regulations.