
Rockingham Occupational Health Ltd is committed to ensuring the privacy and confidentiality of the information we hold about users of our website, applicants and employees being assessed by, or utilising, our service.

​

This privacy statement explains what kind of information is collected by us during a visit to our web site or when an employee is referred to our service and how we use this information.

​

The information collected, held and used is in strict compliance with not only all current UK legislation but the confidentiality and ethical codes set out by the General Medical Council, Nursing and Midwifery Council and the Faculty of Occupational Medicine.

 

Data Controller

For the purpose of the current Data Protection legislation, the Data Controller is Rockingham Occupational Health Ltd, 5 Resolution Close, Boston, Lincolnshire, PE21 7TT with ICO registration number ZA009713.

​

This privacy notice tells you what to expect us to do with your personal information.

​

​

Contact details

​

Post

5 Resolution Close, Endeavour Park, BOSTON, Lincolnshire, PE21 7TT, GB

​

Telephone

01536 772266

​

Email

admin@rockinghamoh.co.uk

​

What information we collect, use, and why

​

In order to carry out our activities and obligations as an occupational health service providing occupational and preventative healthcare we collect and process your information including:

​

  • Name, address and contact details

  • Gender

  • Date of birth

  • Health information (including medical conditions, allergies, medical requirements and medical history)

  • Information about care needs (including disabilities, home conditions, medication and dietary requirements and general care provisions)

  • Test results (including psychological evaluations, scans, bloods, x-rays, tissue tests and genetic tests)

  • Recordings of calls

  • Recordings of consultation

 

We also collect the following information to provide occupational and preventative healthcare:

​

  • Health information

​

We collect or use the following personal information through questionnaires, referral forms and consent forms through online portal functionality:

​

  • Name, address and contact details

  • Gender

  • Date of birth

  • Health information (including medical conditions, allergies, medical requirements and medical history)

  • Information about care needs (including disabilities, home conditions, medication and dietary requirements and general care provisions)

  • Test results (including psychological evaluations, scans, bloods, x-rays, tissue tests and genetic tests)

​

We also collect the following information through online portal functionality:

​

  • Health information

​

We collect or use the following personal information for dealing with queries, complaints or claims:

​

  • Names and contact details

  • Address

  • Correspondence​

​

Lawful bases and data protection rights

​

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

​

Which lawful basis we rely on may affect your data protection rights which are in brief set out below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

​

​

If you make a request, we must respond to you without undue delay and in any event within one month.

​

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

​

Our lawful bases for the collection and use of your data

​

Our lawful bases for collecting or using personal information to provide occupational and preventative healthcare are:

​

  • Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

  • Legitimate interest

o  We have contracts or service agreements with our clients that mean that we have a responsibility to look after the health of their workforces and advise them on health matters. Our purpose for processing your information is to ensure that we can let employers know that their employees are fit to do their jobs, are compliant with Health and Safety Laws, can make ill-health retirement and pensions decisions, and that they have done everything that they need to do to ensure the wellbeing of their employees. To do this we may need to process and record information relating to you. The lawful basis that we rely on is Article 6 (1) (f) (“Legitimate Interests”) and the special category condition is Article 9 (2) (h) (“Health – including occupational medicine”) of the UK GDPR. We have a legitimate interest in processing your personal data because we are required to do so in order to provide our services. The specific condition we meet to process your special category data is processing “necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis and the provision of health or social care advice.” If you provide us with any information about reasonable adjustments you require when attending an appointment with us, under the Equality Act 2010, the lawful basis we rely on for processing this information is Article 6 (1) (c) of UK GDPR to comply with our legal obligations under the Act.

​

Our lawful bases for collecting or using the following personal information through questionnaires, referral forms and consent forms through online portal functionality are:

​

  • Consent - we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:

o  The online portal provides a secure method for managers making referrals and employees to complete screening questionnaires and consent forms. When a manager makes a referral they are asked to confirm that the employee has been made aware of the details of the referral before submitting. The referral will not be able to go ahead if this is not confirmed within the referral. Any referral received that does not confirm that consent has been obtained will not be processed and will be returned to the referring manager. When an employee completes a screening questionnaire or consent form the purpose of the assessment and their rights under current legislation are detailed. Our purpose for processing your information is to ensure that we can let employers know that their employees are fit to do their jobs, are compliant with Health and Safety Laws, can make ill-health retirement and pensions decisions, and that they have done everything that they need to do to ensure the wellbeing of their employees. To do this we may need to process and record information relating to you. The lawful basis that we rely on is Article 6 (1) (f) (“Legitimate Interests”) and the special category condition is Article 9 (2) (h) (“Health – including occupational medicine”) of the UK GDPR. We have a legitimate interest in processing your personal data because we are required to do so in order to provide our services. The specific condition we meet to process your special category data is processing “necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis and the provision of health or social care advice.” If you provide us with any information about reasonable adjustments you require when attending an appointment with us, under the Equality Act 2010, the lawful basis we rely on for processing this information is Article 6 (1) (c) of UK GDPR to comply with our legal obligations under the Act.

​

Our lawful bases for collecting or using personal information for dealing with queries or complaints are:

​

  • Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:

o  Our purpose for processing your information is to answer your query or complaint. To do this we may need to process and record information relating to you. The lawful basis that we rely on is Article 6 (1) (f) (“Legitimate Interests”) and, depending on the query, may include the special category condition Article 9 (2) (h) (“Health – including occupational medicine”) of the UK GDPR.

​

Where we get personal information from

​

  • Directly from you

  • Employers​

​

How long we keep information

​

Where Rockingham Occupational Health Ltd provides services directly to companies and there is a continuity of care, the occupational health record will be kept for the length of employment and for 6 years after leaving employment or until their 75th birthday. This applies to:

​

  • Management Referrals,

  • Pre-placement Questionnaires

  • Vaccination / Travel health records.

​

Where Rockingham Occupational Health Ltd acts as an external advisor to a third party OH provider, and may only see the patient once, for example in connection with a management referral or pension application, records will be kept for six years, although if the case may potentially give rise to a legal claim they may be kept for longer.

​

Records of statutory health surveillance are in a special category. There are a number of regulations which impose a duty on employers to institute regular health checks of employees exposed to particular hazards where it may be possible to detect adverse effects before serious damage is done. Examples particularly relevant to OH are the Control of Substances Hazardous to Health (COSHH) Regulations, the Control of Vibration at Work Regulations, the Control of Noise at Work Regulations, the Control of Lead at Work Regulations, the Control of Asbestos Regulations and the Ionising Radiations Regulations. All these regulations follow a similar pattern:

 

  • The employer must create a basic health record with the following details: employee’s name and address and National Insurance number, substance/process they are exposed to and when, surveillance that has been done on them and the name of the tester, and the outcome, eg fit/unfit/fit with adjustments. This health record is not confidential to OH and can be kept by management.

  • The detailed clinical records with the results of the tests and other clinical information will be kept separately in the confidential OH record and not disclosed without consent. The health record should be kept for 40 years (30 years in the case of ionising radiations).​

 

Following the stipulated time periods, the Occupational Health record will be expunged from the systems and deleted / destroyed.

​

Who we share information with

​

Others we share personal information with

​

  • Other health providers (eg GPs and consultants)

  • Current employers

  • Professional consultants

  • Organisations we’re legally obliged to share personal information with

​

Duty of confidentiality

​

We are subject to a common law duty of confidentiality. However, there are circumstances where we will share relevant health and care information. These are where:

​

  • You’ve provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses)

  • We have a legal requirement (including court orders) to collect, share or use the data

  • On a case-by-case basis, the public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime);

  • If in England or Wales – the requirements of The Health Service (Control of Patient Information) Regulations 2002 are satisfied; or

  • If in Scotland – we have the authority to share provided by the Chief Medical Officer for Scotland, the Chief Executive of NHS Scotland, the Public Benefit and Privacy Panel for Health and Social Care or other similar governance and scrutiny process.

​

Sharing information outside the UK

​

Where necessary, we may transfer personal information outside of the UK. When doing so, we comply with the UK GDPR, making sure appropriate safeguards are in place.

 

For further information or to obtain a copy of the appropriate safeguard for any of the transfers below, please contact us using the contact information provided above.

​

Organisation name: Tresorit

Category of recipient: Data Storage

Country the personal information is sent to: Switzerland

How the transfer complies with UK data protection law: Tresorit falls under Swiss jurisdiction. Switzerland was granted a data protection adequacy status by the European Commission, in order to ensure the free flow of personal data from the EU into Switzerland and vice versa. The Swiss data protection authorities are now working on updating the Swiss data protection regulation to maintain this adequacy with the GDPR.

Personal data stored in Tresorit may be transferred outside the place of establishment of the data controller to countries of the European Union or to countries outside the European Union.

Specifically, files uploaded into Tresorit are stored in Microsoft Azure servers located in the European Union for European customers.

Tresorit uses services performed by third parties not located in the European Union for the purpose of customer invoicing, support, etc. All third parties engaged by Tresorit: a) are established in a country that received an adequacy decision from the European Commission; or b) have signed Standard Contractual Clauses provided for by the European Commission.

In all the above cases, transfers of personal data are and will be made by Tresorit only in compliance with the provisions set forth by the EU Regulation 2016/679 (General Data Protection Regulation, “GDPR”). You can read more about this right here.

​

Organisation name: Cognito

Category of recipient: Data Collection

Country the personal information is sent to: United States

How the transfer complies with UK data protection law: Cognito Forms complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Cognito Forms has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

Cognito Forms has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in their privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. You can learn more about the Data Privacy Framework (DPF) Program, and view their certification here

​

Organisation name: Google

Category of recipient: Data Collection

Country the personal information is sent to: United States

How the transfer complies with UK data protection law: As described in Google's Data Privacy Framework certification, they comply with the EU-U.S. and Swiss-U.S. Data Privacy Frameworks (DPF) and the UK Extension to the EU-U.S. DPF as set forth by the US Department of Commerce regarding the collection, use and retention of personal information from the EEA, Switzerland and the UK, respectively. Google LLC (and its wholly-owned US subsidiaries unless explicitly excluded) has certified that it adheres to the DPF Principles. Google remains responsible for any of your personal information that is shared under the Onward Transfer Principle with third parties for external processing on our behalf, as described in the “Sharing your information” section of our Privacy Policy. To learn more about the DPF, and to view Google’s certification, please visit the DPF website.

​​

​

How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

​

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.

​

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

​

Helpline number: 0303 123 1113

​

Website: https://www.ico.org.uk/make-a-complaint

​

Changes to our privacy policy

Any changes we may make to our Privacy Policy in the future will be posted on this page.

​
