Introduction
UCL Workplace Health respects your privacy and is committed to protecting your personal data.
Please read this Privacy Notice carefully – it describes why and how we collect and use personal data and provides information about your rights. It applies to personal data provided to us, both by individuals themselves or by third parties and supplements the following wider UCL privacy notice(s):
- General privacy notice when you visit UCL’s website
We keep this Privacy Notice under regular review. It was last updated on 7th February 2024.
About us
UCL Workplace Health is University College London’s (UCL) occupational health service.
UCL, a company incorporated by Royal Charter (number RC 000631), is the entity that determines how and why your personal data is processed. This means that UCL is the ‘controller’ of your personal data for the purposes of data protection law.
Personal data that we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you. This may include:
- Your name, date of birth and contact details;
- Personal characteristics (e.g. ethnicity, gender)
- Health information, which is classed as “special category data” (e.g. medical records and reports, health surveillance records).
- Past and present job roles.
- The names and other details about third parties who are involved in the issues we are helping you with.
How will it be collected
- Verbally e.g. telephone calls, face-to-face consultations
- In writing e.g. forms you and/or your employer may complete e.g. health assessment forms, management referral forms and forms from other parties e.g. GP letters. These may be sent to us electronically or by post.
How we use your personal data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- To register you as a client and to manage our relationship with you.
- For the purpose of undertaking occupational health assessments
- For the assessment of your fitness to undertake work.
- For the purposes of assessing eligibility for ill health retirement benefits in accordance with the stated criteria of the relevant scheme
- To provide advice and support to you in the management of a work-related health problem or health problem that affects you at work.
- Establish baseline health records where you may be working with workplace allergens or substances which have the potential to cause disease (e.g. laboratory animals or ionising radiation sources)
- Monitor your health if you continue to be exposed to workplace allergens or substances which may cause disease.
- Within the established practice of medical confidentiality, provide advice to your line manager/academic supervisor on the management of work-related health problems or health problems that may affect you at work.
Where the processing is based on your consent, you have the right to withdraw your consent at any time by contacting us using the details set out below. Please note that this will not affect the lawfulness of processing based on consent before its withdrawal.
We may also use anonymised data, meaning data from which you cannot be identified, for the purposes of:
- Service evaluation;
- Education and research;
Who we share your personal data with
In line with the principles of medical confidentiality, no access is granted to OH records outside of UCL Workplace Health, and no medical information is shared, without the individual’s informed consent. This is a professional requirement separate to any requirements of data protection legislation.
Results of Health Surveillance will be passed on to the employer under Reg. 11 COSHH Regulations 2002 and ACOP 251, and under Schedule 6 (Regulation 25(2)(b) of the Ionising Radiation Regulations 2017, for retention as required by the Health and Safety Executive (HSE) in the Health Record which is kept by your employer.
All pathology is undertaken by an accredited external laboratory who are GDPR compliant.
Referrals to NHS Specialists are not made without consultation with service users and only with their agreement.
Internal | External |
Human Resources | The Doctors Laboratory (pathology services) |
Line managers/Academic supervisors | Royal Brompton and Harefield NHS Trust (laboratory animal allergy) |
Safety Managers | Dict8 Medical Transcription |
Radiation Protection Officers | ASE (Eyecare Plans) Ltd |
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes – we only permit them to process your personal data for specified purposes and in accordance with our instructions.
We may in exceptional circumstances share personal data where disclosure is necessary to safeguard the individual, or is justified in the public interest (see https://www.ucl.ac.uk/human-resources/health-wellbeing/workplace-health-confidentiality-statement#confidentiality).
Lawful basis for processing
Data Protection Legislation requires that we meet certain conditions before we are allowed to use your data in the manner described in this notice, including having a "lawful basis" for the processing. The basis for processing will be as follows:
- Consent. You have given us your consent for processing your personal data.
- Legitimate interest
- Legal obligation – The employer has a duty to carry out health surveillance under the Health and Safety Act 1974 and associated regulations.
- Vital interests – The processing is necessary to protect someone’s life e.g. protect from potential harm that can arise from the work processes.
- Special category – Purposes of Occupational Medicine – Article 9(2)(h) – where processing is required for medical treatment undertaken by health professionals, including assessing the working capacity of employees and the management of health or social care systems and services. Occupational Medicine is a special category and thus ‘processing is necessary for the purposes of preventive or Occupational Medicine” and Article 9(3) states that processing is permitted “when the data is processed by a regulated health professional”.
Information security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have established procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Data retention
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Your occupational health records are processed for six years after you have left employment with your employer, and after this time your occupational health record will be securely deleted. This is with the exception of health surveillance data, which will be retained for 40 years to comply with COSHH 2002 legislation.
Your rights
Under certain circumstances, you may have the following rights under data protection legislation in relation to your personal data:
- Right to request access to your personal data;
- Right to request correction of your personal data;
- Right to request erasure of your personal data;
- Right to object to processing of your personal data;
- Right to request restriction of the processing your personal data;
- Right to request the transfer of your personal data; and
- Right to withdraw consent.
If you wish to exercise any of these rights, please contact the Data Protection Officer.
Contacting us
You can contact UCL by telephoning +44 (0)20 7679 2000 or by writing to: University College London, Gower Street, London WC1E 6BT.
Please note that UCL has appointed a Data Protection Officer. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact our Data Protection Officer using the details set out below:
Data Protection & Freedom of Information Officer
Complaints
If you wish to complain about our use of personal data, please send an email with the details of your complaint to the Data Protection Officer so that we can look into the issue and respond to you.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) (the UK data protection regulator). For further information on your rights and how to complain to the ICO, please refer to the ICO website.
Definitions
‘Data Controller’ means UCL Workplace Heath when processing occupational health data on behalf of UCL and any other third parties under a separate services agreement.
‘UCL Workplace Health’ means an internal department of UCL (University College London) responsible for conducting occupational health assessments on behalf of UCL and other third parties.