Occupational Health privacy notice

Information you need to know

The Occupational Health Team is part of Liverpool John Moores University. See further information on the institution.

Liverpool John Moores University is a Data Controller.

Our Data Protection Officer can be contacted at DPO@ljmu.ac.uk.

This privacy notice explains how we use your personal information and your rights regarding that information.

For information about how the wider university uses personal data, please see the Privacy notice section of our website.

The Occupational Health Unit also adheres to the data protection principles set by:

• The General Medical Council
• Faculty of Occupational Medicine
• The Nursing and Midwifery Council

Information we are collecting

We may collect a range of personal information about you. This includes personal details such as your name, address and date of birth, and may also include your National Insurance number where this is required for health surveillance purposes.

We also collect:

• contact details, including your:
  • telephone number
  • personal email address
• information relating to your employment

In some cases, we process healthcare contact details where these are relevant to the services being provided.

We may also process health information, which is classed as special category personal data. This can include:

• details of medical conditions or health concerns
• information obtained through medical investigations
• the results of any biological monitoring or testing

Source of the personal data

Most of the personal data we process is collected directly from you, for example when you complete occupational health questionnaires or attend appointments.

In some circumstances, we may also receive relevant information from third parties, where this is necessary to support occupational health services. This may include:

• information from your GP or medical specialist
• health screening, surveillance or test results provided by accredited providers
• limited information from your employer, such as details of your:
  • role
  • workplace requirements

We only collect information from third parties where it is relevant, proportionate, and lawful to do so.

Why we are collecting your data and the legal basis for this

We process personal data in accordance with the principles of the GDPR and only where there is a valid lawful basis to do so.

We collect and use your personal data to securely identify you and to provide appropriate occupational health support. The purposes for processing your data depend on whether you are a student or a member of staff.

If you are a student, we may process your data to:

• assess your fitness to train or study on a professional course (including Adult Nursing, Mental Health Nursing, Paramedic Science, Midwifery, Social Work, Child Nursing, Biomedical Science, Teaching or Pharmacy)
• carry out occupational health assessments required for:
  • Research Passports
  • NHS or other clinical placements
  • field trips or placement activities
• assess your fitness to study at LJMU where you have been referred to Occupational Health by tutors or Student Governance
• provide advice and recommendations on reasonable adjustments to support a disability or health condition

If you are a member of staff, we may process your data to:

• assess your fitness for employment
• carry out fitness for fieldwork assessments
• provide advice and recommendations on reasonable adjustments to support a disability or health condition

Under UK GDPR, our lawful bases for processing personal data are:

• Article 6(1)(b) - processing is necessary for the performance of a contract, such as your contract of employment.
• Article 6(1)(c) - processing is necessary to comply with our legal obligations, including employment law.
• Article 6(1)(e) - processing is necessary to perform a task in the public interest, including meeting our duties under the Health and Safety at Work etc. Act 1974 to protect your health and safety as far as reasonably practicable.

To process special categories data, we rely on additional legal grounds:

• It is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
• Your explicit consent.
• It is necessary to comply with our legal obligations.
• It is necessary to protect your vital interests or the vital interests of another person.

Who has access to this data

Occupational Health is a medically confidential service. Your medical records are stored securely and are only accessible to members of the Occupational Health Team.

The Occupational Health Team includes Occupational Health nurses, administrative staff, and an Occupational Health Physician. The Occupational Health Physician is provided to the university by our third party partner, Workforce Wellbeing.

All student and staff records are held securely on the university’s Occupational Health system. Access to this information is restricted to authorised Occupational Health staff and is limited to what is necessary to provide Occupational Health services. Occupational Health physicians only access records for this purpose and using university managed equipment.

We do not share your medical information with any third party, including your GP, without your express consent, unless we are legally required to do so or there is a serious risk to health or safety.

Where appropriate, Occupational Health may provide reports to HR or line managers (for staff), or Programme Leaders or relevant university staff (for students), but these reports will normally only include information about your fitness for work or study and any recommended adjustments.

Reports are always discussed with you and agreed with you before they are sent.

In exceptional circumstances, where information must be shared without your consent because withholding it could pose a risk to your health or safety, or the health or safety of others, Occupational Health may share limited information with HR or management. If this happens, you will be informed as soon as possible.

We may share fully anonymised statistical information with senior members of the university to support service planning and to help monitor health and wellbeing trends within the organisation. This information does not identify individuals.

How the university protects your data

We are committed to keeping your personal data safe in line with data protection legislation and the university’s information security and data protection policies.

All members of the Occupational Health team are bound by a strict duty of medical confidentiality. This applies to:

• face to face consultations
• telephone and email communications
• the creation, storage and maintenance of medical records

How long the university keeps your data

We only keep your personal data for as long as it is reasonably necessary for the purposes set out in this privacy notice, and in line with the university’s Records Retention Policy.

Occupational Health records relating to staff and student referrals are normally retained for six years after the end of your relationship with LJMU.

In some cases, longer retention periods apply where we have a legal obligation to do so. For example, Health surveillance records are retained for 40 years in accordance with the Control of Substances Hazardous to Health Regulations 2002 (COSHH).

When retention periods expire, your data is securely and appropriately disposed of.

Your rights

As a data subject, you have a number of rights. You can:

• access and obtain a copy of your data on request - this could be in a portable electronic format
• request that the university changes incorrect or incomplete data if you think that it is inaccurate or out of date
• request that the university delete or stop processing your data, for example where the data is no longer necessary or legally required for the purposes of processing

If your personal data has been provided by consent, you have a right to withdraw that consent at any time.

If you would like to exercise any of these rights, please contact the Data Protection Officer at DPO@ljmu.ac.uk.

If you do not provide data

If you do not provide the information we request, we may be unable to provide occupational health services or complete an assessment.

Where we rely on your consent to process or share certain information, you may withdraw that consent at any time.

If you are a member of staff and you withdraw your consent for Occupational Health to share information with the referring manager or HR, the referring manager will be informed that consent has been withdrawn, and management will need to make decisions based on the information already available to them.

Any Occupational Health report created will be retained securely on your Occupational Health record and clearly marked to show that consent has been withdrawn.

In some circumstances, where information must be shared to protect your health and safety or the health and safety of others, limited information may still be disclosed in line with our legal obligations. If this happens, you will be informed.

Transfers of data outside the UK

We normally keep your personal data within the UK. In some cases, however, we may need to transfer it to another country - for example, to deliver a contract with you or to work with a partner organisation such as a university based overseas.

Whenever this happens, we make sure your information stays protected. This could be through a UK “adequacy regulation” (which confirms that the other country’s data protection laws are up to UK standards) or by putting strong safeguards in place.

These safeguards might include:

• model contractual clauses
• formal data sharing or processing agreements
• binding corporate rules

In short, even if your data travels abroad, it will continue to be treated with the same care and respect as it would under UK law.

Automated decision-making

We do not use computers to make decisions about you based solely on your personal data. Any decisions that affect you will always be made by a human, ensuring that you are treated fairly.

How to complain to the university

You have a right to complain to the university if you think it has not properly responded to your request for personal information or feel it has not handled your personal data responsibly.

If you are not satisfied with how your request for information or how your personal data has been handled, you should set out your complaint in writing to:

Maria Burquest
University Secretary and General Counsel
Legal and Governance Services
2nd Floor Exchange Station
Tithebarn Street
Liverpool
L2 2QP

or by email via DPO@ljmu.ac.uk.

How to complain to the Information Commissioner’s Office

You have the right to complain to The Information Commissioner if you believe that our processing of your personal data does not meet our data protection obligations. The Information Commissioner can be contacted using the following details:

• Post: Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK95AF.
• Telephone: 0303 123 1113.
• Email: contact can be made by accessing the ICO website.