College Employee Occupational Health Privacy Notice

Who is collecting the information?

Edinburgh College is the Data Controller. We have an appointed Data Protection Officer (DPO), who can be contacted by emailing: DataProtection@edinburghcollege.ac.uk.

Why are we collecting it, and what are we doing with it (Purpose)?

As your employer, we have a duty of care to all our staff. We collect personal data for occupational health (OH) and to assess the working capacity of each employee. We also process employee personal data to ensure the health and safety of employees at work and to consider any reasonable adjustments that may be required to support their ability to work.

What personal data do we collect?

Personal data

  • Name
  • Date of birth
  • Address
  • Telephone number
  • Email
  • Job role
  • Your GP contact information and (if applicable) any hospital contact information if you have a specific health condition.

Special Category Personal Data

  • Attendance/Sickness Record (if applicable)
  • Health conditions
  • Medical Reports (if you choose to bring them to an OH meeting)

How are we collecting this information? What is the source?

We collect your information in a number of ways, depending on the circumstances. The following are the main ways in which data is collected.

Management Referral

When making a referral, managers/HR are asked to confirm that the employee has been informed of the details of the referral before submitting it. The referral cannot go ahead if this has not been confirmed with the employee. The OH Referral Form requires confirmation that the employee has been fully informed of the referral and of their rights and, if applicable, that their consent under the Access to Medical Reports Act 1988 (AMRA) has been received before an OH assessment is carried out and a report produced.

Under AMRA, employees have the right to see the report before it is sent to their line manager and HR. Section 3 of AMRA requires that medical reports, and applications for them, are not processed unless the individual has consented. This is consent under AMRA and not under data protection law. Under Sections 4 and 5 of AMRA, employees have the right to request that inaccurate information in the report is corrected. If the medical professional does not agree that the information is inaccurate, a note recording the employee's view will be attached to the report. When the report is provided for review, employees are given a time frame within which to contact Occupational Health with their consent under AMRA to release the report.

New Employment Health Questionnaires

As referenced earlier, as an employer, the College has a duty of care to all employees to ensure their health and safety at work and, when applicable, identify and implement any reasonable adjustments required to enable the employee to work. Therefore, the College requires new employees to complete a health screening in order to determine if the individual is fit for the tasks that they will be performing and identify any reasonable adjustments that may be required.

The questionnaire is used solely for the purposes of assessing fitness to work and if necessary implementing reasonable adjustments to ensure the employee is able to work.

Health Surveillance

For certain roles, health surveillance may be necessary when a risk assessment indicates that an individual may be exposed to specific hazards within the workplace, such as noise. The employer will be sent a fitness-to-work certificate following the health surveillance appointment.

The lawful basis for the processing

The lawful basis for processing for these purposes is GDPR Article 6(1)(b): “Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”. For the processing of special category personal data (i.e. health data), the condition relied on is GDPR Article 9(2)(h): “Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3”. GDPR Article 9(3) states that such processing is permitted “when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy”.

All health professionals will adhere to their professional body's standards on confidentiality.

Please note any reference to consent is not consent to process personal data under data protection law. Consent is in relation to the Access to Medical Reports Act 1988 (AMRA) only. It provides an employee with the opportunity to view and correct an OH report prior to it being provided to the employer.

Who we share the information with

For the purposes of Management Referrals, your OH Report is shared with your line manager and the HR department. However, this is only shared if you have provided your consent under AMRA. For the purposes of New Employment Questionnaires and Health Surveillance, this is shared, if necessary, with the College’s HR department to ensure that reasonable adjustments are made and the College is meeting its duty of care and ensuring the health and safety of the workforce.

How long do we hold the personal data?

The Occupational Health records will be kept for the length of employment and for 7 years after leaving employment (this applies to Management Referrals and New Employment Health Questionnaires). Once this retention period has passed, these records will be securely destroyed in accordance with College procedures.

Health surveillance records are required under the Control of Substances Hazardous to Health Regulations 2002 (COSHH) and the related Health and Safety at Work etc. Act 1974, which stipulate that these records must be kept for 40 years. Following this period, the documents will be securely destroyed in accordance with College procedures.

Individuals’ rights in relation to this processing

Under data protection law, you have a number of rights; some of these rights only apply if certain conditions are met. Your rights are: right to be informed (e.g. privacy notice), right of access, right of rectification, right of erasure (commonly known as the right to be forgotten), right to restrict processing, right to object, right to data portability and the right to know of any automated decision making (including profiling). It’s worth noting that you can exercise your rights either verbally or in writing, and the College would be required to process your request within one month.

The rights that apply to this particular processing are:

  • Right to be Informed – i.e. a privacy notice.
  • Right of Access – this means you have the right to access your personal information.
  • Right to Rectification – this means you have the right to correct inaccurate or incomplete personal information.
  • Right to Erasure – commonly known as the Right to be Forgotten (RTBF) – this means you can request that your personal data be deleted.
  • Right to Data Portability – this means you have the right to request your information in a machine-readable format (e.g. a .csv file) to be provided to you or transferred in that format to another organisation.
  • Right to Restriction – this means you can restrict the processing of your information and links with some of the other rights.
  • Right to Object – this means you can object to how your data is used.
  • Right to be informed of automated individual decision-making (including profiling) – we do not use this for OH purposes, and therefore this does not apply.

Some of the rights above have caveats and only apply in certain circumstances. You can exercise your rights at any time, and the College is required to respond within one month of receipt of your request. If you wish to exercise your rights or have any queries in relation to this, please contact the Data Protection Team at DataProtection@edinburghcollege.ac.uk.

Complaints to the UK Information Commissioner’s Office (ICO)

If you are concerned about how your personal data is being used by the College, in the first instance please contact the College Data Protection Officer (DPO) at DataProtection@edinburghcollege.ac.uk. If you are not satisfied with the outcome, you can complain to the regulator for data protection, the UK Information Commissioner’s Office (ICO). Guidance on making a complaint is available on the ICO website.

You can email them at casework@ico.org.uk, call them on 0303 123 1113, or write to them at the following address:

Customer Contact
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF