Workspace Health take the privacy of our customer data very seriously. We aim to be compliant with all appropriate reguations related to the confidentiality and protection of personal data that we handle and store. We are subject to strict professional guidance related to sensitive health data and want you to have a high level of confidence that we respect your rights.
This document provides information about how we collect and process personal data for the people that we assess, report on and offer goods to. Your rights and protections are a high priority. The information provided below is to more fully explain our privacy approach. Should you have any questions or, if you think there is information that would help us improve tis document, please contact:
Telephone: 01905 700 401
We want you to be comfortable about your confidentiality and how we handle your data. Our staff are Governed by the regulations laid out by the Chartered Society of Physiotherapy and the Health & Care Professions Council. DSE Assessors are controlled by our internal processes and procedures, our administrative staff are also supervised under the same regulations. Other suppliers only have access to information when needed under strictly controlled conditions and confidentiality.
2. Information Use
Workspace Health is a DSE Assessor and Ergonomic Office Furniture provider registered with and regulated by the Information Commissioner (ICO) www.ico.org.uk under the Data Protection Act. You can find more details of the likely changes on the ICO website https://ico.org.uk/for-organisations/data-protection-and-brexit/.
- We are a Data Controller
- Sometimes Joint Data Conroller
- Our Clinical Partners are Data Processors
We use your information to provide you with our DSE Assessments and Ergonomic Furniture which are designed to help you be well at work. These may include:
- Wellbeing Advice
- Active Working Strategy
- Risk Assessment
- Vehicle Assessment
- Training and Advice
- Statistical Information
In some specific cases where we conduct onsite company-based clinics, we only process referral data in providing that treatment. In these cases, we do so under a processing contract with that Data Controller. We may gather and report anonymised statistical data to demonstrate the service provision.
3. Information we Collect
- Contact Details
- Job Role
- Health Information (IF IMPACTING ON TREATMENT)
Sometimes, we use photographs to help use be accurate in describing the problems and recommending treatment. Before any photography is taken, this will be discussed.
4. Information Sharing
We will not disclose your information of the Workspace Health business and our Referrer. However, we will share your information with our network of regulated partners if appropriate. With our data hosting providers working to strict security and compliance standards. These parties are Data Processors under our control by contract. Where your employer has referred you, we may provide them with reporting documentation. You will be asked on a consent form to choose how this is handled under the Access to Medical Reports Act.
5. Your Rights
Your privacy rights and preferences are important to us. In some cases, you have the right to change your mind in respect of information that you have given us. This is covered under the rights set out below. You as the Data Subject have the following rights under Data Protection Legislation:
- Right to be Informed
- Right of Access
- Right to Rectification
- Right to Erasure
- Right to Restrict Processing
- Right to Data Portability
- Right to Object
- Right to Decision-Making and Profiling
For example, our consent documents, privacy information web pages and other information that we provide to you are part of our obligations under item one, the right to be informed and in some situations our need to gain your consent.
6. Lawful Basis
The lawful basis for collecting and processing patient data is not always simple. We have set out below a rationale for the lawful use of data for the various and sometimes complex circumstances that exist in our organisation when we provide occupational
Basic Contact Data
Our lawful basis for holding your basic contact details is where we have an arrangement directly with you the patient. Lawful basis is “Contract/Pending Contract” (Article 6(1)B of the GDPR Regulations). Where we hold a contract directly or indirectly with your employer or occupational health referrer for delivering these services lawful basis is:
6(1) If “Legitimate Interest”
We may use this contact information to contact you to better understand your needs and process the referral. This, for example may include your preferred treatment location. Where a referral containing health-related data comes from a third party such as an occupational health referrer or employer we will hold that data securely and use it to arrange appropriate services for the patient. If we do not receive clear information from the third party we will hold patient data securely for a short time on the assumption that the provider has a clear legal basis to supply the data to us.
If we do not receive sufficient information to confirm the legal basis from the referrer we shall delete the data. We may not then be able to complete the commission for work until we have collected the required data again.
As described in Article 9(2)H of the GDPR Regulations “purposes of preventive or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis." This is subject to paragraph 3 (which states “when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy”).
We will ask the employee/patient for medical treatment and reporting consent at the earliest opportunity in our assessment. This is to ensure the preferences of the employee/patient are clear for the sharing of any report with other parties such as the patients occupational health referral company and employer. This provides choice for the patient specifically under the separate “Access to Medical Reports“.
There may be times when we disclose information under a legal obligation, in this case we will disclose information that is required of us by law on receipt of an appropriate request.
Although very unlikely, should you need any urgent care while being treated by one of our professionals we may share your information with emergency services under the Vital Interest Lawful Basis (9(2)C of the GDPR Regulations but by verbal consent if
you are able. This is reserved for rare situations where your life may be at risk or you need urgent care to protect your health.
Telephone Consultations Only
Our assessors shall take appropriate measures to properly identify the patient on the call before discussing sensitive information. The telephone consultation will often include the sharing between patient and healthcare practitioner of sensitive health related information. The lawful basis remains in this case as stated above. In the case of a telephone consultation it is NOT considered practical to seek signed consent. To ensure we have considered the rights and preferences of the patient we will seek to verbally obtain the consent of the patient during the call. The practitioner shall document this on the normal consent form and sign as the Clinician. They will note the patient was not present and the form will be processed and filed in the normal way with its case documentation.
7. Data Processing
We process data when we recieve a referral from the employee/patient or a third party servicing the employee/patient. Where we have asked for or received health-related information and are providing an assessment or treatment we will process this data as required under Article 9(2)H of the GDPR Regulations. Your employer or occupational health provider should explain to you that they intend to pass your referral data to us.
Data – Our Cloud Providers
We only hold and process sensitive health-related information in secure systems and/or the data is encrypted.
Our main provider (Data Processor) is the well-established global cloud service firm Citrix. Your data is held in secure, certified data centres (run by Amazon Web Services) within the European Union. Data is encrypted in transit and at rest to ensure its
security. Citrix maintain strict levels of compliance with recognised international security standards (ISO 27002). Some Citrix data processing takes place in certified data centres in the USA (and other countries) under a contract containing clauses agreed by the European Union to provide the same level of protection. This is in compliance with the General Data Protection Regulations. For transparency we have provided the documents below which set out agreements with Citrix. These include the data processing contract as required under the regulations along with a description of procedural and technology security protections that are in place. Also included is a list of Citrix partners that are held to the same contractual terms.
All of our assessors are subject to the same conditions of professional confidentiality as Workspace Health and are regulated in a similar way. We have established contracts of engagement with these partners controlling how they process your personal data in line with the data protection regulations.
8. Data Retention
We are bound by our professional body (Chartered Society of Physiotherapy) and governing authority (Health & Care Professions Council), to keep records of your assessments you receive. Our normal retention period shall be eight years (if a retention period for a particular type of information is unclear we will revert to the recommended periods set by the NHS). The legal basis under which we retain these records is Article 9(2)G “substantial public interest” to ensure that we can support your ongoing care if needed and 9(2)F “exercise or defence of legal
9. Contacting Us
If you have a simple question about our service please give us a call:
Telephone: 01905 700401
If you wish to make a formal request under Data Protection Regulations, such as:
- A Formal Question
- Require Information
- Accessing your Records
- Rectify Error in Records
- Erasing your Record
- Restrict Processing
- Take your Record Elsewhere
- Exercise your Rights
Please submit a request in writing to the Data Manager, Workspace Health, Workshop Business Centre, Main Street, Pinvin, Worcestershire, WR10 2ES.
This helps us to agree a way forward having considered your problem fully. If you have difficulty in doing this we can help you. However, please take care not to write sensitive health or personal information in an email as this form of communication is NOT secure. Alternatively, you may complete the secure online form here. https://podio.com/webforms/20473046/1400870
Please provide enough information for us to be able to contact you or find our records of your recent assessment or treatment. The Information Commissioner also has some useful advice on handling complaints https://ico.org.uk/for-the-public/raisingconcerns/. We carry out identity checks to ensure we are talking with the right person. We will answer a lawful request and will not normally charge you for accessing your data protection rights so long as your request is clear, reasonable and does not breach any other rights or obligations.
We have 30 days to review your request and respond to you once we have identified you and understand the scope of your request (in some clearly defined circumstances this can take longer). We will work to respond as soon as we practically can. If you are not happy with the outcome of a request to us please do get in touch again. We will try to resolve the issue with you. In any event you may complain to the Office of the Information Commissioner if you feel that you cannot reach a resolution with us. The ICO website is www.ico.org.uk for general advice or concerns reporting https://ico.org.uk/concerns/
It is Workspace Health’s policy that its assessors should be prepared to discuss with the employee the purpose of the assessment, content of their reports and especially the type of questions that they are being asked to answer. You can withhold your consent at any stage of the purpose and cannot be compelled to proceed. However, you must understand that management will then have to proceed and cannot be compelled to proceed using only their current knowledge and without any expert medical opinion.
Should you wish to amend a report before it is released then you have the right to suggest amendments regarding ‘’facts’’ but not the assessors opinion. Should you wish to make any comment about the occupational health report please contact your Human Resources Department or Manager who will liaise with Workspace Health on your behalf.