- Ensure that all staff have signed the confidentiality statement and have read the confidentiality and data protection policy.
- Only keep relevant information that was used for the occupational health assessment, and ensure signed consent from the patient to do so.
- All data subjects prior to assessment should be provided with a consent form to complete and must have access to a copy of Oakwood OH Consultancy’s privacy notice. Oakwood OH Consultancy understands it is the data subject’s right to withdraw consent at any stage and their consent choice may change at any time.
- Information to be stored should be scanned into secure cloud storage and, for third party OH providers, transferred securely by electronic means via a method acceptable to them as per their instructions. The originals are then securely shredded one month after the assessment, once receipt is confirmed. Please see below for data storage timescales.
- If a data subject does not consent to have their information stored, it should be confidentially shredded once the report has been released (providing that the client has given consent to release).
- All electronic data regarding a data subject should be password protected and stored on the encrypted cloud storage. It should only be given to the client (at their preferred email address) or to their employer if written consent is obtained.
- Any information sent to a data subject/company via email should be sent via a password protected link from the encrypted cloud storage with an expiry date of 14 days and with the recipient receipt email option ticked. If the company has requested a password protected PDF instead, ensure adequate encryption and do not send the password in the same email. The read receipt, a reply to the email, or payment of the invoice for occupational medical services confirms to Oakwood OH Consultancy that the information has securely reached the intended email address only. If information is sent via post, it should be recorded when and to whom it was sent. The encrypted cloud storage maintains an accurate record of electronic sharing activity that can be audited as required.
- If a data subject requests their records, once identity has been confirmed (date of birth, first line of address and full name), the records can be sent electronically to the email address provided by the data subject via a secure, password protected, expiring web-link from the encrypted cloud storage, or by secure, password protected, encrypted email. If the case was seen for another Occupational Health provider, the data subject will be directed to that company with a link on how to make a subject access request.
- If a data subject asks for their confidential information to be erased, then, once identity has been confirmed, it can be confidentially shredded providing no additional legislation states that storage is mandatory (e.g. Ionising Radiation); in these circumstances, advice should be sought from the company’s Data Protection Officer.
- All IT systems and devices running software are checked for updates at least weekly (patch management).
- Disposal of confidential data following expiry of the stipulated timescales is to be done by secure file shredding software. Paper copies must be securely disposed of in the locked collection container, to be collected by an ISO certified confidential waste disposal company.
Data following assessment for third party OH providers
The assessment paperwork should be scanned and saved onto encrypted cloud storage unless explicitly instructed to store it by other secure methods.
The administrative team will review patient information stored for third party OH providers and confidentially dispose of any information once it has reached the agreed reasonable storage time outlined above and below.
Information sent to third party OH providers should be sent via the secure, encrypted cloud storage link or as a password protected PDF within an encrypted email, unless the other OH provider has authorised a different method. A password protected link expiring after 30 days should be applied, and the following text added to the email to explain data storage:
His/her occupational health report and notes are attached (or by downloading and saving from this link). The password will follow in a separate email shortly. Please ensure both my notes and report and any other relevant information to the case I have assessed for you are securely saved in a manner consistent with industry guidance and processed in accordance with the employee's consent (https://www.fom.ac.uk/media-events/news/guidance/guidance-on-the-general-data-protection-regulation). These are securely stored for 1 month by my company, as per previous communication. I have asked for a read receipt to confirm your receipt and reassurance these will be securely saved and my copies can be securely deleted as outlined above. Thank you for taking the time to tick the read receipt.
If there are any questions regarding my occupational medical assessment after 1 month, I am more than happy to provide further assistance following receipt and review of any relevant records for that case (e.g., my notes, report, additional clinical information).
Data can be stored for longer by Oakwood OH Consultancy Ltd on behalf of other Occupational Health companies, but only subject to clear, explicit mutual agreement and in the manner clearly stipulated by the data controller (the parent occupational health company).
Data Storage Timescales
Data should only be kept for a reasonable period of time. There are 3 categories of assessment, and the reasonable retention timescale depends on which category a data subject’s assessment falls into.
- Oakwood OH Consultancy clients (management referral consultations and pension assessments) - Data from these assessments should be stored electronically on encrypted cloud storage. The reasonable timescale is deemed to be 6 years, based on guidance from the Society of Occupational Medicine and Faculty of Occupational Medicine (https://www.fom.ac.uk/media-events/news/guidance/guidance-on-the-general-data-protection-regulation). Standard email communication is kept for 12 months via the secure email provider’s logs.
- Assessments for other OH providers - The assessments should be scanned electronically and the paper copies shredded once the password protected, expiring web-link has been sent from the encrypted cloud storage, unless the other Occupational Health provider has advised secure storage by another means. The scanned information should only be kept for 1 month following the assessment. This allows for queries arising from the assessment (less likely after 1 month) and is deemed sufficient time for the host Occupational Health provider to download and save the assessment, reducing the need for unnecessary reassessments and administrative processing of data, as outlined in the communication sent to them with the occupational medical information (please see the detailed section above).
- Health Surveillance/Statutory Medicals - Data from these assessments should be stored either as paper case records in a locked filing cabinet or electronically on encrypted cloud storage. The reasonable timescale is deemed to be for as long as that employee (data subject) remains an employee of the company for which Oakwood OH Consultancy provides health surveillance. In the case of statutory medicals (e.g., COSHH, Lead, Asbestos) the records need to be kept for 40 years. Their occupational health surveillance records can be sent securely to a new Occupational Health provider (with the employee’s consent). Data from Ionising Radiation Medicals will be kept for 50 years.
In the unlikely event a breach is detected:
The company’s Data Protection Officer must be notified as soon as possible. All affected parties (individuals, companies) must be informed as soon as possible, and in any case within 72 hours.
Appropriate advice must be sought from competent specialists with expertise in the relevant area to understand what caused the breach, and what steps are being taken to correct it and prevent future breaches.
A formal review meeting is to be arranged promptly with senior company staff and the Data Protection Officer to review whether additional measures are required.
If clarification is required, advice should be sought from the company’s Data Protection Officer in conjunction with the latest advice from the Information Commissioner’s Office.
Full details of all threats and potential threats should be recorded and shared with affected clients.