This Privacy Statement sets out what you can expect of TP Health (Data Controller and Processor) in relation to how we look after your data and information. This is in line with the core principles of the General Data Protection Regulations, the Data Protection Bill and the Faculty of Occupational Medicine’s guidance on data processing and consent.
Confidentiality is fundamental to the work of all Occupational Health Staff. Occupational Health Professionals are bound by an ethical code of conduct in the same way that they would be in a General Practice or Hospital. All members of the Occupational Health Team understand their responsibility to protect sensitive and personal information and have given an undertaking that they will do so. TP Health is registered with the Information Commissioner’s Office (Z9823811).
2. Why do we need to process your data?
We have a contract with your employer that requires us to look after the Occupational Health and wellbeing needs of their workforce. We therefore need to keep a record of the work that we do so that we can remain compliant with health and safety law, protect the health of employees and ensure that people are fit to do their jobs. Looking after your health in the workplace is also in the legitimate interests of both you and your employer.
The General Data Protection Regulations require us to define a Lawful basis for processing your data and information. We have reviewed the purposes of our processing activities and have identified the most appropriate lawful basis (or bases) for the activities we carry out as being under Article 6 item (f) legitimate interests, and under Article 9(2) item (h) for the purposes of occupational medicine.
3. What data do we process and how long do we process it for?
The personal information we process about employees is: full name, title, date of birth, address, contact telephone numbers, ethnicity (only when completing our COVID-19 Risk assessment), work email address and personal email address.
We also process information about your health in the form of an Occupational Health record which will include details of any medical examinations and health assessments that you have had from the time you joined your employer as well as other relevant medical history. The Occupational Health record will also include advice and reports that have been provided, with your consent, to your employer.
Throughout the duration of our contract with your employer, as their Occupational Health Provider, Occupational Health records are processed and managed by us for the period of your employment and for a minimum of six years after you have left employment. After this time if we have permission from your employer then the Occupational Health record will be deleted.
There is, however, a requirement under Health and Safety Legislation to retain certain health records relating to Health Surveillance for a period of 40 years. These records will be held separately on the OH electronic system and will not be deleted until they are 40 years old.
If our contract ends with your employer, we will no longer process any information or data about you and all your personal data and health records will be passed to your employer’s next Occupational Health Provider.
4. How do we ensure your data remains secure?
For most of our customers, all data and information is held on our secure system which is compliant with Cyber Essentials standards for security and is subject to annual penetration testing. Access to any data held on our system is restricted to nominated employees within TP Health who are required to have access to the data in order to provide an Occupational Health service. They can only access the data using TP Health’s secure IT Network and we have a strong password policy in place.
For some customers, data and information is held on the customer’s own secure IT network. Access to any data held on a customer’s network is restricted to only the TP Health members of staff who are authorised to work on that contract or site.
We use special anti-virus and anti-malware software in order to help reduce the risk of any malicious computer virus or cyber-attack on our computers and we have a programme in place that ensures all software security updates are applied as soon as they are released. We also ensure that all your data is fully encrypted when it is being stored or moved (for example when we send a report to your employer) so in the highly unlikely event of it being stolen, it cannot be accessed and used.
5. What do we do with your data?
Personal information such as your name, address and email address is used for the following purposes:
- To arrange and book appointments with the Occupational Health Team
- To contact you if we need to move or change an appointment
- To contact you to undertake a telephone or video appointment
- To verify that we are speaking to the correct person, if you phone us to query your health records
- To send text message reminders about your appointment
- To contact you for feedback about your appointment with Occupational Health by text message or email
Depending on the nature of your job your Health Records may be used for the following purposes:
- To determine your fitness to work
- To assess if you need any adjustments or support in the workplace because of a health condition
- To establish if any risks in the workplace may have an adverse effect on your health
- To provide information about your fitness to work back to your employer
For all our customers, we routinely carry out an analysis of Health Data that we have recorded about their workforce. We produce aggregated reports using data we have collected and these reports are fully anonymised which means it is impossible to identify an individual from the information contained within a report. These reports are used to help our customers understand the activity within their contract and to help identify any health related trends and patterns across the workforce that would enable them to target certain health related interventions. The reports are not used for marketing activities or shared with third parties for commercial purposes.
You should be aware that all clinical and administrative staff working at TP Health, including our Nurses and Doctors, work as a team, and may share the information with their colleagues within the Occupational Health team as part of their role to ensure effective communication in the protection and management of your health at work, unless you expressly ask them not to.
6. Phone Calls
Phone calls made to and from our TP Health main switchboard are recorded purely for training and monitoring purposes. The recordings do not form part of the Occupational Health Record and are held encrypted on our servers for 130 days after which they are fully deleted. Controls are in place to ensure that only authorised staff have access to phone recordings, and we can provide a copy of any recordings relating to an individual on request.
Phone calls that are not made from the TP Health phone network, including calls made using a customer-provided phone, are not recorded.
7. When will we share information with other people?
We are required to share information with your employer with consent. When we provide any information to your employer then this is restricted to an opinion on whether or not you are medically fit to do a particular task and whether any modifications or adjustments are recommended.
Depending on the contract that we have with your employer we may, during the course of our occupational health service, transfer some of your information to other clinical or specialist professionals who carry out occupational health service interventions in partnership with our company. Examples of this are if you are referred to support services such as counsellors, physiotherapists and laboratory services providers who may need your personal details in order to be able to provide you with support or treatment or process blood tests.
We use third party expertise to support and host our IT network and infrastructure and only use datacentres that are based in the UK.
We also use third party expertise for the electronic scanning of medical records and storage of archived paper records and our main telephone system is internet based (VOIP) and is also hosted by a third party.
All third parties are bound by the same strict codes of conduct and practice in relation to confidentiality and have restricted access to Occupational Health records and information.
We will never share your information with third parties or your employer for promotional or marketing purposes.
8. Your Rights in Respect of Data Processing
Can I request that my records are deleted?
Because processing your information and data for the purpose of Occupational Health is in the legitimate interests of both you and your employer, we cannot accommodate requests for health records to be deleted.
These records may also be required in a court of law should there be any dispute about your employment in the future, or if there was a health-related incident at your employer’s premises that required formal investigation. You can however request factual information that is incorrect to be changed or removed from your records, but you cannot alter the opinion of a clinical professional.
You can also request that personal details, such as your email address or address, are deleted as long as we can retain sufficient information to be able to identify your health record. To request any deletions or changes you can contact us at the address given in the contact section at the bottom of this privacy notice.
Phone recordings do not form part of your Occupational Health Record and you therefore can contact us to request that these are deleted.
Can I withdraw consent for any of my information to be used in the way described above?
As described above, because processing your information and data for the purpose of Occupational Health is in the legitimate interests of both you and your employer, we cannot accommodate requests to delete data and information, and therefore we must continue to store and process your records for the required retention period.
Health professionals belonging to regulated professions do however also have an ethical and legal duty to comply with the common law of confidentiality as provided by Article 5 of the GDPR. This common law does mean you have a right to withhold or withdraw your consent for us to provide information about your health to your employer. If you choose to do this, we will be obliged to notify your employer of your decision.
It is important to understand that if you withdraw consent this may mean that your employer may have to make decisions without the benefit of impartial occupational health input and advice. If your role requires you to participate in Health Surveillance or routine Fitness to Work Medicals and you withdraw consent to participate in these medicals, then your employer may have to suspend you from the workplace.
Can I request a copy of my records?
You can request a full or part copy of your Occupational Health records at any time by writing to us at the address given in the contact section at the bottom of this privacy notice.
9. OH Direct
OH Direct is an online system that allows customers to purchase Occupational Health Services directly from our website. Included within OH Direct is a feature that allows a new customer to make a direct referral about one of their employees, which will involve sharing personal information and in many circumstances special category health information about an employee. It is the responsibility of the referring customer to ensure they have made the employee aware that they are passing this information to TP Health.
Information collected via an OH Referral in OH Direct is securely transferred to our main Case Management System where it is stored and managed in the same way as all our other data and information as outlined in sections 1 – 9 above. A copy of the referral form is held securely on the OH Direct system for a period of 6 months after which it is fully deleted. Any personal information including contact numbers and email addresses included within an OH Direct referral will only be used for the purpose outlined in section 5. Information collected in this way will not be used for marketing or promotional purposes.
Contact details about the referring customer (not the referred employee) may be used for marketing or promotional reasons if you have given us permission to use them in this way.
10. Coronavirus – Covid-19 Testing
Existing law that allows patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this current Pandemic and outbreak.
Using this law, the Secretary of State has required NHS Digital; NHS England and Improvement; Arm’s Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during Covid-19 will be limited to the period of the outbreak unless there is another legal basis to use the data.
Testing for the Covid-19 Virus
TP Health have established robust clinical procedures and protocols that are enabling us to support our customers with Coronavirus (Covid-19) testing programmes.
During the course of these activities we may collect, use and protect the following personal data in order to ensure we can identify you correctly and contact you about appointments and test results:
- First and last name
- Contact email address
- Contact phone number
- Employer Reference Number
- Your date of birth
How we use your Information
If we have been appointed to undertake tests by our customers, we will undertake the following roles as Data Controller:
- Scheduling and notifying test appointments for those eligible to take part
- Performing an ID verification check at the test site
- Providing your test kit
- Collecting and delivering the completed tests and forms to a laboratory
- Informing you of the test result
- If you test positive, collection of additional postcode and gender information from you to provide this information for Public Health England and NHS Track and Trace purposes
- If you test positive, informing your employer so that they can conduct their own track and trace activities
If your employer asks us to conduct a test, we will use your name and contact details to arrange an appointment. We will also use your personal details and employer reference number to check who you are on your arrival at the testing location.
When you arrive at a TP Health testing location you will receive test kit instructions on how to be tested together with a unique testing bar code. Once you have taken the test you will return the sealed test to a member of our team. Completed tests with the bar code will then be sent by TP Health to an approved laboratory for further analysis.
The laboratory will analyse the sample and return the test result to us. We will then inform you of your result by telephone or email.
TP Health works with a variety of laboratory partners some of whom have been chosen by TP Health and others who have been chosen by our customers. The laboratory partner we are using will be made clear at the testing location and by your employer.
Laboratory partners will act as Data Controllers and be responsible for:
- Providing testing kits
- Receiving and processing your test
- Analysing your test results
- Passing results back to TP Health
- Sharing positive results with Public Health England and other regulatory or health bodies to help plan and respond to the COVID-19 pandemic
Our current laboratory partners include:
- Oncologica: oncologica.com/cookie-law-privacy-policy/
- Screen 4:
- Synlab: synlab.com/privacy-policy
The General Data Protection Regulations require us to define a Lawful basis for processing your data and information. We have reviewed the purposes of our processing activities in relation to covid-19 testing and have identified the lawful basis (or bases) for the activities we carry out as being under Article 6 item (f) legitimate interests, and under Article 9(2) item (h) for the purposes of occupational medicine.
Retention and Storage of your Covid-19 Testing Information
TP Health will retain all test results (together with data identifying the person to whom the test relates) for six months after which all data will be anonymised. Information that is processed by TP Health and its laboratory partners that identifies you will be stored securely and processed in the UK.
11. Visitors to our Website, Portal, Main Website and Cookies
Please refer to our Cookies Policy for how we may use information obtained from cookies: https://tphealth.co.uk/cookie-policy/
12. Links to Other Websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
We may invite you to take a test to see if you currently have coronavirus. The test is voluntary, and you do not have to take it. If you decide to take a test, then you need to follow the instructions your employer has given you. The test will confirm whether you currently have coronavirus.
This is so that you can:
- Take steps to look after yourself
- Protect others
- Know if you’re fit and well to return to your critical role
- Potentially reduce the time you have to self isolate for
We may, during the COVID-19 crisis, need to ask you for personal information, including sensitive personal information, (for example age, NHS number, underlying conditions) that you have not already supplied. This is so that we can assist you and prioritise our services.
Once you have taken the test, your sample will be analysed in a laboratory, and you will be informed of the result (positive, negative or inconclusive) by text and/or email. You will be given advice on any next steps that need to be taken following your result.
Within this current pandemic your test results will be sent to a central database. We may share your information with other public authorities, emergency services, and other stakeholders as necessary and proportionate to do so. This is to ensure that confidential patient information can be used and shared appropriately and lawfully for purposes related to the COVID-19 response.
The database is held by NHSX and controlled by NHS England (on behalf of all UK countries). All information in this database is held securely, and access to this information is tightly governed, in line with Data Protection requirements.
13. Automated Individual Decision Making
TP Health occasionally use publicly published evidence-based algorithm-based assessments to make automated decisions about an individual’s health or risk. Outcomes are reached based on the answers an individual provides to a specific set of pre-defined questions within our online system. Whenever an individual is asked to complete one of these assessments by answering these questions the reason for doing so is made clear and the published source of the algorithm is also provided to the individual. Participation in the assessment and completion of the questions is not mandatory.
If you have any concerns about the outcome of any of these assessments, then you can contact us using the details below.
14. Changes to this Privacy Notice
We keep our privacy notice under regular review. This privacy notice was last updated on 1st August 2022.
15. Contact Details
TP Health contact details for all Data Protection matters are below. These are also the contact details for our Data Protection Officer: TP Health, Rickyard Barn, Pury Hill Business Park, Nr Alderton, Towcester, Northamptonshire NN12 7LS
- Telephone: 01327 810 262
- Email: email@example.com
If you believe we are processing your personal data not in accordance with the law, you can complain to the Information Commissioner’s Office at www.ico.org.uk