This privacy notice is designed to help you understand how and why the occupational health team processes your personal data. This notice should be read in conjunction with our corporate privacy notice.
Who are we?
North Yorkshire Council is a ‘data controller’ as defined by Article 4(7) of the UK General Data Protection Regulation (UK GDPR). The health and wellbeing team are the council’s certified practitioners in occupational health and this is a service that can be traded to other organisations.
The council has appointed Veritau to be its data protection officer. Their contact details are:
Information Governance Office
Tel: 01904 552848
What personal information do we collect?
In order to deliver the occupational health and wellbeing service the council will need to collect both personal and special category data.
The personal data we may collect, so that we can contact and identify you where appropriate, includes (but is not necessarily limited to):
- date of birth
We may also collect the following categories of special category data:
- physical and/or mental health details
Who do we obtain your information from?
We primarily process information that you have already disclosed to us. However, on occasion, we may contact other organisations (such as your GP or medical advisor) where you have provided your consent. These organisations may provide information relating to your current mental or physical health which is relevant to the workplace. This does not usually include historic information (unless relevant).
We may also collect information from your employer for example risk assessments and information relating to sickness/absence.
Why do we collect your personal information?
We require your information to:
- to provide health and wellbeing guidance to employees and employers
- to provide management advice on fitness for work and reasonable work adjustments (where appropriate)
- to complete pre-placement health questionnaires and where appropriate issue an outcome certificate
- to facilitate employment referrals where appropriate (for example where there are health concerns raised by your manager either because your manager has concerns or because you have disclosed difficulties to your manager)
- to facilitate consideration for an ill-health retirement
- to facilitate statutory health surveillance where determined by health and safety risk assessments - this may be a requirement of your employment contract
- to conduct non-statutory health assessments, if requested by your employer, which is a voluntary process intended to establish your baseline health
- records can be accessed for clinical audit unless you request us not to
- health surveillance records, where applicable, are processed in order to fulfil requirements set out by your contract of employment
Who do we share this information with?
We will only disclose your personal information and special category information (i.e. medical information) to individuals or organisations where you have given us specific consent to do so. For example, this could be your manager, an HR representative, or a specialist occupational health advisor or physician.
If your organisation chooses to change occupational health providers then it is best practice that we send your data to that new provider. Your data will not be sent to your employer.
Your employer is obliged to tell you about their intention to transfer at which point you may object and choose an alternative registered medical practitioner (for instance, your GP) to be the recipient of this data transfer.
In circumstances where ill-health retirement is a consideration, with your consent, we will be instructed to obtain the necessary medical information to support this process. We will supply this to an independent registered medical practitioner (IRMP) who will provide a basis of opinion on which your employer will determine your eligibility for access to the early release of your pension benefits.
Where we have undertaken health surveillance, as required by health and safety assessments, we will disclose an outcome certificate to your employer.
How long do we keep your information for?
All occupational health records. We may need to keep your information for longer than the stated retention period if there is an ongoing investigation. The retention of the information will be reviewed upon closure of the investigation.
Six years after termination of employment or until 75th birthday (whichever is sooner). This is subject to your employer informing the service of termination.
Health surveillance records
Kept for current year plus 40
What is our lawful basis for processing your information?
North Yorkshire council relies on the following lawful basis to process your personal data:
- UK GDPR Article 6(1)(a) - the data subject has given consent to the processing of his or her personal data for one or more specific purposes
- UK GDPR Article 6(1)(b) - processing is necessary for the performance of a contract to which the data subject is party
When processing special category data, the council will rely on the following lawful basis:
UK GDPR Article 9(2)(h) - processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, meeting Schedule 1, Part 1 of the data protection act 2018 as below:
- (2) Health or social care purposes
For more information about how we use your data, including your privacy rights and the complaints process, please see our corporate privacy notice.