Privacy Policy 

This Statement explains how insHealth manages and uses your personal data. We are an Occupational Health provider responsible for safeguarding the privacy of your information and complying fully with the General Data Protection Regulations (GDPR).


1. Data Controller and Contact Information

The Data Controller for your information is insHealth, located at 3 Oxford Place, Leeds, LS1 3AX.

If you have any further questions after reading this document, you may speak with a member of our clinical staff or contact our Data Protection Officer directly.


2. What Data Do We Process?

To provide Occupational Health services, we must obtain personal and often sensitive medical information.

Information from Your Employer

To begin the referral process, your employer provides details such as:

  • Identity: Your name, date of birth, address, and telephone number.

  • Work Context: Your job details and a description of the issues they seek advice on.

  • Sensitive History: Information regarding sickness absence or medical treatments currently being taken.

We recommend that employers discuss the referral and the information provided with you before it is sent to us.

Information Obtained During Your Consultation

During an Occupational Health consultation, our clinicians (doctors or nurses) will ask about health issues and your work.

  • Clinical Records: Clinicians will write a clinical record, which is a professional requirement for registered practitioners.

  • Confidentiality: This file is confidential and is not accessible by your employer.

  • Special Category Data: Medical information, including symptoms, history, and treatments, is regarded as Special Category Data.


3. How We Use and Share Your Data

Consent for Consultation

Your consent to collect personal, sensitive information is required before we can perform an assessment. Providing consent to process this data is not the same as providing consent for us to write a report to your employer.

Information Shared with Your Employer

We require your explicit consent before sending any personal information, such as an outcome report, to your employer.

  • Review Process: The clinician will discuss the information they intend to send to the employer. Usually, this report is written during your consultation.

  • Right to Review: You can have a copy of this report. If the report cannot be finished during the session, it may be sent to you for review first.

  • Supplementary Advice: If an employer seeks clarification on an existing report that does not change the clinical opinion or add more sensitive data, additional consent is not usually requested. However, for material changes, we will contact you or request a further consultation.

Data Sharing Agreement

Referrals to insHealth require employers to agree to our Data Sharing Agreement. This ensures the employer maintains appropriate data security and confidentiality once they receive your Occupational Health report.


4. Legal Basis for Processing

We process personal and sensitive information in accordance with the GDPR on the lawful basis of Consent and for the purpose of Occupational Medicine.


5. Data Retention and Security

We follow established timescales and recommendations from the Health & Safety Executive for data retention:

  • General OH Records: 10 years from the date of the last entry.

  • Health Surveillance Records: 40 years (e.g., hearing and breathing tests), as industrial diseases can develop later in life.

  • Pre-employment Questionnaires: 3 years.

  • Third-Country Processing: Your data is not transferred to other countries.


6. Your Rights as an Individual

Under the GDPR, you have the following rights regarding your data:

  • Right to be Informed: This privacy statement serves to inform you of the data we collect.

  • Right of Access: You have the right to access the personal data we hold about you by contacting the Data Controller.

  • Right to Rectification: If you feel the information we hold is inaccurate, you can request it be reviewed and changed.

  • Right to Erasure: You can request the erasure of your data. However, we may not be able to agree if the records are required for legal claims or statutory health surveillance requirements.

  • Right to Restrict Processing: You can restrict further activity involving your data, which may occur if you no longer wish to have Occupational Health involvement.

Portability and Change of Provider

If your employer changes Occupational Health providers, we will seek evidence of your consent before transferring your records to the new provider. You have the right to state if you do not want your information transferred.


7. Contractual Requirements and Complaints

Consequence of Withholding Consent

It is a contractual requirement between insHealth and your employer that we process personal sensitive information to provide Occupational Health advice. Without your consent for this processing, we cannot provide the clinical service. This may mean health risks are not minimised, potentially causing harm to both the individual and the employer.

Complaints

If you are unhappy with how we manage your information, please contact our Data Protection Officer. You also have the right to complain to the Information Commissioner’s Office (ICO).


By booking an appointment with insHealth, you acknowledge that you have read and understood this Privacy Statement.