Occupational health plays a vital role in safeguarding the physical and mental well-being of workers. Ensuring you have a fully fit workforce is vital to business continuity.
In order to provide Occupational Health Services (OHS), Occupational Health Providers (OHPs) process significant volumes of sensitive personal data. Most of this data is collected and processed electronically, and UK data privacy legislation, together with industry quality standards, requires data controllers (those responsible for the data processing) to demonstrate accountability to data subjects (the workers whose data is processed).
OHPs handle sensitive personal information, including medical histories, diagnoses, and treatment plans. This is described as ‘special category data’ in the UK GDPR. Special category data includes anything that may reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation.
This data requires strict protection to maintain confidentiality and prevent unauthorised access or misuse. Personal data breaches can have severe consequences, including restriction of business operations, reputational damage, and other regulator enforcement action (e.g. fines).
SEQOHS and Data Protection
The Safe Effective Quality Occupational Health Service (SEQOHS) standards, developed by the Faculty of Occupational Medicine, are divided into six domains, each focusing on different aspects of OHS provision.
They provide a framework for delivering high-quality occupational health services. Data protection is an integral part of these standards, highlighting the need for robust data management practices, processing efficiency, and information security.
Let’s look at the three domains that cover data privacy:
- Governance and Finance: This domain ensures effective clinical governance and compliance with professional requirements, including ethics and evidence-based guidelines.
- Outputs and Outcomes: This domain focuses on delivering informative and balanced reports, conducting health assessments, and providing evidence-based health promotion activities.
- Information and Communication: This domain emphasises maintaining clear and accurate records, ensuring information security, and obtaining consent for data sharing in compliance with legal and ethical standards.
The UK GDPR applies its data processing principles to any processing of personal data, and occupational health is no exception. Alongside accountability (the principle that a controller must be able to demonstrate compliance, mentioned above), the key processing principles are:
- Lawfulness, fairness, and transparency: Personal data must be processed lawfully, fairly, and in a transparent manner. Workers should be informed about how their data is collected, used, and stored. An employee privacy notice, or a page about data processing in a staff handbook, is a practical way to meet this principle.
- Purpose limitation: Personal data should be collected for specific, explicit, and legitimate purposes. It should not be further processed in a way that is incompatible with those purposes. OHPs should only process personal data for specific purposes that have been outlined to workers before the processing takes place.
- Data minimisation: Personal data should be adequate, relevant, and limited to what is necessary for the purposes for which it is processed. Those providing services should use the minimum amount of personal data needed to achieve their aim.
- Accuracy: Personal data should be accurate and, where necessary, kept up to date. Organisations have a legal responsibility to ensure data provided to OHPs is accurate and up to date, so that processing is accurate and the risk of decisions or disclosures based on incorrect data is minimised.
- Storage limitation: Personal data should be kept for no longer than is necessary for the purposes for which it is processed. Organisations and OHPs need to understand the minimum and maximum legal and regulatory retention periods for the storage of personal data.
- Integrity and confidentiality: Personal data should be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Personal data of workers must be processed in a secure manner (e.g. via encrypted referral management systems), with access restricted to only those who need it. Encryption alone does not satisfy this principle: it should be combined with access controls that reflect each user’s role and with records of who has accessed what, so that unauthorised access can be detected as well as prevented.
Effective information governance with regard to data processing in an occupational health setting is not simply a matter of compliance; it is fundamental to maintaining the trust between employees and their employers.
Employees need to feel confident that their sensitive personal information will be treated with the utmost confidentiality. If they are concerned that their sensitive personal data could be misused or mishandled, it could deter them from seeking occupational health support, with negative consequences for their well-being and for the productivity of the organisation.
By adhering to the SEQOHS guidance and the UK GDPR, OHPs can demonstrate their commitment to data privacy and build long-term, trust-based relationships with their clients. This is essential for delivering effective and quality OHS that support the well-being of workers and contribute to a healthy and productive workplace.
Through our ongoing work with OHPs, CSRB understands the need to have robust data privacy processes in place to protect this critical sensitive personal data.
We provide support to OHPs across the UK, both with regard to the implementation of an information governance framework (including the drafting of policies and procedures) and the provision of relevant and engaging data privacy training for all stakeholders.
Please get in touch with us here or call 0117 325 0830 to learn more about how our certified data protection practitioners can support your occupational health organisation.