OccHealthNet

Privacy Notice

How OccHealthNet collects, uses, and protects your personal information.

Last reviewed: May 2025
Applies to: occupational health patients
Lawful basis: UK GDPR Article 6(1)(f), Article 9(2)(b) and (h), Article 9(3)

About this notice

OccHealthNet is committed to protecting your personal information. This notice explains what data we collect, why we collect it, how it is stored, and your rights under UK data protection law.

OccHealthNet acts as your occupational health provider and, in doing so, also acts as an agent for your employer to help them comply with health and safety and employment legislation.

What data we collect

  • Personal details (name, address, date of birth)
  • Personal characteristics (e.g. ethnicity, gender)
  • Past and present job roles
  • Health and medical information — this is classed as “special category” data under UK GDPR

Why we collect it — our lawful basis

We process your data on the following grounds:

  • 1. Legal obligation

    To help you and your employer comply with health & safety and employment legislation, including assessing your working capacity and considering any workplace adjustments.

  • 2. Vital interests

    To protect your health from potential harm arising from work processes.

  • 3. Special category data

    For occupational medicine, health surveillance, medical diagnosis, and the provision of health or social care. This includes information from consultations and, with your consent, from your GP, consultants, and other treating professionals. Processing is subject to professional safeguards set by relevant nursing and medical bodies.

  • 4. Statutory health surveillance

    Where required by specific legal regulations (e.g. monitoring exposure to substances such as asbestos or lead, or protecting against Hepatitis B). A basic statutory record is kept containing: name, address, National Insurance number, substance or process exposure details, surveillance carried out, and outcome.

Where your data comes from

  • Directly from you — verbally, by telephone, in person, or in writing
  • From your employer (HR or line managers) — with your consent
  • From treating healthcare professionals (GP, consultants, specialists, therapists) — with your consent

How we store and process your data

Your records are stored and processed securely using the following systems:

  • Records & communications: Google Workspace (Gmail, Drive)
  • Appointment booking: Acuity Scheduling (name & contact details only)

Information may be processed and stored at locations other than Hall Road Clinic. All reasonable steps are taken to ensure your data is handled securely and in accordance with this notice. Administrative staff may access your information on a need-to-know basis (e.g. to book appointments or process reports) and are bound by confidentiality obligations.

Website cookies and analytics

Our website uses Vercel Analytics to collect anonymised page-view data. This tool is cookieless by design — it does not set tracking cookies, does not use third-party cookies, and does not track you across other websites.

We use localStorage (browser storage) to remember your analytics preference. This is not a cookie but is subject to the same UK PECR consent rules. A consent banner will appear on your first visit; analytics will only load if you choose to accept. You can change your preference at any time using the link in the footer of our website.

How long we keep your data

  • Pre-employment forms: 1 year from receipt
  • Occupational health files: 6 years after leaving employment
  • Health surveillance records: 40 years — or transferred to a new OH provider / HSE if we cease trading

Your rights

  • 1. Right of access

    You may request a copy of your occupational health records at any time, or authorise a third party (e.g. a legal adviser) to do so on your behalf.

  • 2. Right to rectification

    You may ask us to correct information you believe to be inaccurate or incomplete.

  • 3. Right to object

    You may object to your information being shared with other healthcare providers. Please note this may limit the care we can provide. You also have the right to have errors corrected.

  • 4. Right to erasure

    There are limited circumstances in which information may be removed from your medical record. If you believe there is no lawful purpose for which we hold your data, please contact us to discuss.

  • 5. No automated decision-making

    OccHealthNet does not use automated decision-making or profiling in respect of your data.

  • 6. Concerns

    If you are uncomfortable providing any information requested, please raise this with Dr Aslam directly.

Data breaches

Any OccHealthNet staff member handling personal or sensitive data is a data processor. All data processors are required to report any breach — including data that is lost, stolen, altered, or disclosed without consent — to the data controller immediately. The data controller will report qualifying breaches to the ICO within 72 hours.

Contact us & complaints

For any queries about this notice or how your data is handled, please contact our Data Controller:

  • Data controller: Dr Aslam — OccHealthNet
  • Address: Hall Road Clinic, 8 Hall Road, Aveley, RM15 4HD

You have the right to complain to the Information Commissioner's Office (ICO) if you have concerns about how your data is handled. Call the ICO helpline on 0303 123 1113.