Version: 1.2
Effective date: 1st October 2023
Introduction
COPE Occupational Health Services Ltd ("COPE") is fully committed to compliance with the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR). This privacy notice explains how we collect, process, store, and retain personal data in connection with the occupational health services we provide to our customers and their employees. It also sets out our obligations under medical records-related legislation.
Legal Basis for Processing Data
COPE processes personal data based on specific lawful purposes, as outlined by the UK GDPR, including providing occupational health services. We collect and process data that is necessary for conducting occupational health assessments, ensuring that it is relevant and limited to what is required for the service being provided.
What Data Do We Collect?
Personal Data: This includes data such as an employee’s name, date of birth, national insurance number, and contact details (e.g., email, phone number). This information is used to correctly identify employees and maintain appropriate communication.
Special Category Data: As an occupational health provider, we are required to collect sensitive information, such as medical history, symptoms, and ongoing treatment. This data is considered special category data under Article 9(2)(h) of the UK GDPR, which relates to health services and is processed with the explicit consent of the individual.
How Is Data Obtained?
COPE as Data Controller and Data Processor
COPE acts as a Data Controller for clinical data obtained during consultations. However, in some instances, depending on the service provided (e.g., health surveillance or medical assessments), COPE may act as a Data Processor. In such cases, the customer (employer) remains the Data Controller for occupational health reports, fitness for work certificates, and any occupational health advice provided to the employer.
Retention of Data
Data is retained in line with relevant statutory requirements:
Data Storage and Security
All data is stored within the UK on secure systems. Electronic records are encrypted, and access is restricted to authorized personnel. Paper records are stored in locked cabinets. Data transfers, when necessary, are securely handled using encrypted formats, and COPE ensures that no records are retained following confirmed receipt by the new service provider or employer.
Third-Party Processing and International Transfers
Where third parties are involved in processing, we ensure they provide adequate guarantees of data protection and confidentiality, with appropriate data processing agreements in place. No personal data is transferred outside of the UK or EEA by COPE or our third parties.
Feedback and Data Protection Queries
We regularly gather feedback on our services through anonymous surveys. To raise any concerns or requests related to data protection, please contact data.protection@copeohs.com. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if necessary.
Copyright 2024 - All Rights Reserved.
COPE Occupational Health Services Limited | 5 Castle Quay, Nottingham, England, NG7 1FW | Company Number: 03425211