Privacy Notice of the UK Occupational Health Services

Effective Date: 01/03/2024

Our privacy notice is part of our approach to transparency and protection of your personal information.  

Abbott Healthcare Connections Ltd (“Abbott” or “we” or “us”) is the Data Controller for the processing of your personal data for the purposes of occupational health assessments for which you have been referred by your employer or voluntarily self-referred. At Abbott, we are committed to complying with our obligations under the UK Data Protection Act 2018, the UK and EU General Data Protection Regulation (GDPR) and other applicable privacy laws.

How we look after your Data

This Privacy Notice is a statement of how we process your personal data. It provides you with additional information relating to the processing of your personal data and how you may exercise your data protection rights. It should be read in conjunction with Abbott’s Privacy Policy.

What is Personal Data? “Personal Data” is any information that identifies you or from which you could be identified, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, psychological, genetic, mental, economic or social identity. Personal Data includes subsets of special categories of information that reveal information about your health, among other things.

Information you are asked to provide:

Before attending your appointment

If you are referred or have voluntarily self-referred for a Health Assessment with us, you will be asked to complete a questionnaire and health profile before attending your appointment. Within the questionnaire you are asked to provide:

  • Name
  • Address
  • Gender
  • Age (Date of Birth)
  • NI Number
  • Employer details
  • GP details
  • Working History
  • Medical History (including any current conditions)

We may also receive some of these basic details from your employer if you have been referred to us by them or directly from you if you have voluntarily self-referred in order to carry out an assessment. These are verified with you via the questionnaire we ask you to complete above.

We require this personal data in order to identify you within our systems and ensure that your information is processed securely. Additionally, this range of personal data allows our systems and clinicians to provide an accurate, tailored Health Assessment.

During your appointment

Throughout your appointment we collect varying amounts of personal data. The amount of personal data that we collect will differ based upon the appointment service that you are referred or voluntarily self-referred for. Personal data that we collect may include:

  • Medical and lifestyle history
  • Observations and measures of your physical characteristics
  • Observations and measures of your psychological wellbeing
  • Ethnic and social identity
  • Economic status
  • Relationship status
  • Occupational status

We aim to deliver a thorough assessment during your visit and collect the above data in order to fully assess your fitness to complete your role or to provide a general overview of your current health status and provide the most clinically suitable recommendations where required. Should there be any part or test within the appointment that you do not wish to complete, please inform your clinician on the day of the appointment.

After your appointment

Communication with other health professionals – during your appointment journey it may be necessary to share your personal data with another health professional who is involved in your care (e.g. your GP, nurse, a consultant, external practitioners (where they are working with you on our behalf) or laboratory staff).

Voluntary Medicals - In the case of any voluntary self-referral, we do not share your personal data with any other professional external healthcare provider. The decision is entirely yours as to whom you wish to share your medical information.

Specimen transport - physical specimens (e.g. blood, urine or saliva samples) may be collected during your appointment. Specimens may be tested in laboratories that are not located at the site where your Health Assessment is carried out. In such cases, your specimens will be transported to the laboratory via an authorised and vetted courier.

Disclosures within Abbott – there may be entities within Abbott that are involved in providing and managing your healthcare assessment. All of Abbott’s entities sign up to the same standards, policies and rules as we do here in the UK, so your information is protected. Abbott may need to transfer your personal data to a jurisdiction other than the country or region where you are based (e.g. outside of the European Union if you are based in an EU country).

These jurisdictions may include the United States. To safeguard your personal information, we will only make such transfers based on (i) a decision by the European Commission that permits this, or in the case of the United Kingdom, a decision by the Information Commissioner’s Office (ICO), or (ii) subject to EU-approved Standard Contractual Clauses or, for the UK, an ICO-approved International Data Transfer Agreement (UK IDTA) or UK Addendum.

Disclosures to your employer – we will only ever disclose information about your initial health assessment to your employer with your consent. However, where assessing for fitness to work in accordance with specific industry requirements, the outcome and any relevant restrictions will be disclosed as part of your Employer’s legal obligations. This may also involve an upload to a relevant industry database (e.g. Sentinel). Please note, where you may use our medication checking service (Chemist on Call) the results and recommendations of the medications we have checked will be provided to your employer as part of the results process. If you have any concerns about what is or is not shared with your employer, please speak to your clinician at your assessment or contact the customer service team after the appointment.

In cases of voluntary self-referrals, please see the paragraph headed ‘Voluntary Medicals’ above.

Disclosures to any other outside parties – there may be occasions where we are legally obliged to share your data with an organisation outside of you, Abbott or your Employer. We will seek your consent before we share anything where it is appropriate to do so but there may be some occasions where we cannot. Please see below for further information on how we handle requests to access your data.

Fair and Lawful Processing:

In order to provide you with an Occupational Health assessment, we are the ‘Data Controller’ of the data we collect and use about you. Due to the nature of Occupational Health, there may be some instances where we are an Independent Controller with your employer, and we work together with them on Occupational Health matters.

Each organisation is required to demonstrate that they are processing personal data fairly and lawfully. To do this we must have a ‘lawful basis for processing’ personal data, which is outlined below:

In order to assess your working capacity

Customers’ obligations:

Article 6 = Legal Obligation (Health & Safety, Working with dangerous Chemicals etc.)

Article 9 = Occupational Health (Assessment of the working capacity of the employee)

Abbott’s obligations:

In order to inform your employer of their obligations to action any support you may need or any medical condition or history you believe is relevant 

Article 6 = Consent

Article 9 = Explicit Consent

In order to assess and provide you with a general overview of your medical health status having voluntarily self-referred

Article 6 = Consent

Article 9 = Explicit Consent

In order to investigate, establish or defend any claims that may result from your treatment

Article 6 = Legitimate Interest in defence of a legal claim

Article 9 = Defence of Legal Claim

We may also look to continually improve clinical treatment; therefore, we may use aggregated anonymised data as part of a research project or an assessment of our services.

How long will we keep my personal data for?

Subject to applicable data subject rights, we will not hold personal data for longer than required to comply with our legal obligations. Where we are under a legal obligation to retain data, we will retain it in accordance with the applicable legal requirement.

| Document Type (Type of data) | Retention Period (Maximum retention period) | Statutory or Recommended | Reference Used (Reason for length of period) | Where is Data Stored |
| --- | --- | --- | --- | --- |
| Occupational Health Records – relating to all information held unless covered by another Regulation. | During employment and for 6 years following the end of employment or until the 75th birthday, whichever is sooner. Or until record formally transferred on end of contract. | Recommended | Ethics Guidance for Occupational Health Practice, London. Faculty of Occupational Medicine, 2012. Records Management Code of Practice for Health and Social Care. London: Information Governance Alliance/Department of Health, 2016. Ohaw.co/IGA2016 | Electronic or paper files within AHCC |
| Health Records and Clinical Records kept by reason of COSHH. | 40 years following date of last entry. Or until record formally transferred on end of contract. | Statutory | Control of Substances Hazardous to Health Regulations 2002. All records kept as not practical to separate from individual OH records. | Electronic or paper files within AHCC |
| Health Records and Clinical Records kept under Ionising Radiation Regulations 2017. | 30 years following date of last entry or until 75th birthday. Or until record formally transferred on end of contract. | Statutory | Ionising Radiation Regulations 2017. All records kept as not practical to separate. | Electronic or paper files within AHCC |
| Health Records and Clinical Records including biological monitoring results kept under Control of Lead at Work Regulations 2002. | 40 years following date of last entry. Or until record formally transferred on end of contract. | Statutory | Control of Lead at Work Regulations 2002. | Electronic or paper files within AHCC |
| Health Records and Clinical Records kept under Control of Vibration at Work Regulations 2005. | “For the duration they remain under health surveillance and possibly longer.” For practical purposes in OH record keeping treated as per OH records kept for 6 years post surveillance programme or until records formally transferred. | Statutory | Control of Vibration at Work Regulations 2005. | Electronic or paper files within AHCC |
| Health Records and Clinical Records kept under Control of Asbestos Regulations 2012. | 40 years following date of last entry. Certificates only need to be kept for 4 years from the date of issue but for practical purposes unlikely to be able to separate. Or until record formally transferred on end of contract. | Statutory | Control of Asbestos at Work Regulations 2002 (SI 2002/2675). Also see the Control of Asbestos Regulations 2006 (SI 2006/2739) and the Control of Asbestos Regulations 2012 (SI 2012/632). | Electronic or paper files within AHCC |
| Records of tests and examinations of control systems and protective equipment under the Control of Substances Hazardous to Health Regulations (COSHH) 2002. | 5 years from the date on which the tests were carried out. | Statutory | Control of Substances Hazardous to Health Regulations (COSHH) 2002. | Electronic or paper files within AHCC |
| Records relating to children and young adults. | Retain until individual’s 25th birthday or 26th if 17 at conclusion of contract. | Recommended | Ethics Guidance for Occupational Health Practice, London. Faculty of Occupational Medicine, 2012. Records Management Code of Practice for Health and Social Care. London: Information Governance Alliance/Department of Health, 2016. Ohaw.co/IGA2016 | Electronic or paper files within AHCC. This item dealt with as per NHS guidance as no specific OH guidance relating to children – 2 links here BMA. |
| Assessments under health and safety regulations and records of consultations with safety representatives and committees. | 6 years post contract end. | Recommended | Best practice. | Electronic or paper files within AHCC |
| Travel health consultation and vaccine records. | 10 years from date of last entry or post contract. | Recommended | RCN Competencies for Travel Health. | Electronic or paper files within AHCC |

Your rights over your personal data:

The law gives you certain rights in respect of the information that we hold about you. Below is a short overview of the key rights available to you.

  • Data Subject Access Request - with some exceptions designed to protect the rights of others, you have the right to a copy of the personal data that we hold about you. For more information on this right, please see the section below.
  • Right to Rectification - you have the right to have the personal data we hold about you corrected if it is factually inaccurate. This right does not extend to matters of opinion, such as an assessment of your wellbeing from a clinician or an assessment of your fitness to work.
  • Right to Erasure - in some limited circumstances, you have the right to have personal data that we hold about you erased (the “right to be forgotten”). This right is not generally available where we still have a valid legal reason to keep the data (e.g. because we are obliged to do so by law).
  • Right to Restrict Processing - you also have the right in some circumstances to request that temporary restrictions are placed on how we process your personal data. For example, if you contest its accuracy or where we are processing it based on our legitimate interest, and you contest our assessment that our interest overrides your rights.

Where we seek your consent to share any Personal Data with someone like your employer, at any point you can contact us to remove that consent and change your mind. To do so, simply contact the customer service team via AHCC.customerservice@abbott.com.

To exercise any of your rights please contact DataProtectionUK@abbott.com or speak to your clinician.

Requests to access your data:

You may request copies of your occupational health records or parts thereof, at any time. You may also request that a copy of your occupational health records is sent to a third party, such as a solicitor.

If you want access to your occupational health records, we need to confirm the following details from you:

  • Your full name and title.
  • Your date of birth.
  • Your address.
  • Your employer details.
  • The scope of what information you require.

The request should also contain a signature if it is in letter form. If we receive the request by e-mail or phone call, we may make an additional security check to ensure you are who you say you are. This is designed to protect your information.

If the request comes from a third party, such as a solicitor, then it is essential that we have the following information included in a consent form from the individual. The consent form should include:

  • The individual’s full name and title.
  • Their date of birth.
  • Their address.
  • Their employer details.
  • They must also expressly request their occupational health records from us (please do not ask for the occupational health records from their company as these records will only be the outcome reports which the company hold and not our full medical records).
  • It must explicitly consent to us sending the records to the named third party, i.e. contain the words ‘I consent to the release …’
  • It must be signed by the individual.

If we receive a request from a third party, we may contact you to verify that the request is legitimate, and you have asked them to request the data.

How do we protect your data?

We have a wide range of measures in place to help ensure your information is protected both within our own organisation and within those partners and suppliers that we choose to work with. These range from training for our staff through to technical security measures such as data encryption and cyber security software. We look to keep this updated as best we can and encourage a culture of effective information handling amongst our staff.

What happens if things go wrong?

Where something does not live up to our normal high standards you may have cause to raise a concern regarding an element of your customer journey. It is important that we learn from these episodes to continually enhance services and as such we carry out thorough investigations. In order to fully investigate your concern, we may need to share information with our Data Privacy team. In any case, we will only share a limited amount of information, as little as is necessary to investigate the concern. We may also need to share details of your concern with the clinicians who conducted your appointment for the purposes of the investigation. If the concern has come via a third party (e.g. a regulatory body or solicitor) we may need to disclose your data to them in order to resolve, defend or investigate a concern.

Further Information and how you can get in touch:

For further information about how your data may be processed or to ask any questions, please raise this with the customer service team, AHCC.customerservice@abbott.com. If you are not satisfied with how we handle your personal data or a request to exercise one of your rights in relation to your data, you can contact the Data Protection Officer via DataProtectionUK@abbott.com.

Should you remain dissatisfied, you have a right to complain to the Information Commissioner’s Office on 0303 123 1113 or through their website https://ico.org.uk/