Version: 1.2

Effective date: 1st October 2023

Introduction

COPE Occupational Health Services Ltd ("COPE") is fully committed to compliance with the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR). This privacy notice explains how we collect, process, store, and retain personal data in connection with the occupational health services we provide to our customers and their employees. It also sets out our obligations under medical records-related legislation.

Legal Basis for Processing Data

COPE processes personal data based on specific lawful purposes, as outlined by the UK GDPR, including providing occupational health services. We collect and process data that is necessary for conducting occupational health assessments, ensuring that it is relevant and limited to what is required for the service being provided.

What Data Do We Collect?

Personal Data: This includes data such as an employee’s name, date of birth, national insurance number, and contact details (e.g., email, phone number). This information is used to correctly identify employees and maintain appropriate communication.

Special Category Data: As an occupational health provider, we are required to collect sensitive information, such as medical history, symptoms, and ongoing treatment. This data is considered special category data under Article 9(2)(h) of the UK GDPR, which relates to health services and is processed with the explicit consent of the individual.

How Is Data Obtained?

• Personal Data: Collected from our clients (the employers) when they refer employees for occupational health services. The employer remains the Data Controller of this information.
• Special Category Data: Collected directly by COPE’s medical professionals during consultations. We only process this data with explicit consent from the employee.

COPE as Data Controller and Data Processor

COPE acts as a Data Controller for clinical data obtained during consultations. However, in some instances, depending on the service provided (e.g., health surveillance or medical assessments), COPE may act as a Data Processor. In such cases, the customer (employer) remains the Data Controller for occupational health reports, fitness for work certificates, and any occupational health advice provided to the employer.

Retention of Data

Data is retained in line with relevant statutory requirements:

• Occupational Health Surveillance Records: Retained for 40 years.
• Other Health Records: Kept for 7 years after the last employee contact or cessation of the contract.
• Physiotherapy and Ergonomics Records: Retained for up to 8 years in accordance with professional guidelines.

Data Storage and Security

All data is stored within the UK on secure systems. Electronic records are encrypted, and access is restricted to authorized personnel. Paper records are stored in locked cabinets. Data transfers, when necessary, are securely handled using encrypted formats, and COPE ensures that no records are retained following confirmed receipt by the new service provider or employer.

Third-Party Processing and International Transfers

Where third parties are involved in processing, we ensure they provide adequate guarantees of data protection and confidentiality, with appropriate data processing agreements in place. No personal data is transferred outside of the UK or EEA by COPE or our third parties.

Feedback and Data Protection Queries

We regularly gather feedback on our services through anonymous surveys. To raise any concerns or requests related to data protection, please contact data.protection@copeohs.com. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if necessary.