Telephone: 01905 700 401 or 01905 612 056
We want you to be comfortable about Patient confidentiality. Our clinical staff are governed by the regulations laid out by the Chartered Society of Physiotherapy and the Health & Care Professions Council. Our administrative staff are supervised under the same regulations. Our clinical partners are subject to the same regulations in their own right and by agreements with us. Other suppliers only have access to information when needed under strictly controlled conditions and confidentiality.
2. Information use
Sun Rehabilitation and Workspace Health are Occupational Health (OH) Providers registered with and regulated by the Information Commissioner (ICO) www.ico.org.uk under the Data Protection Act 2018.
- We are a Data Controller
- Sometimes a Joint Data Controller
- Our Technology and Clinical Partners are Data Processors under our Direction
We use your information to provide you with our Occupational Health services which are designed to help you be well at work. These may include:
- Display Screen Assessments
- Case Management
- Workplace Assessments
- Vehicle Assessments
- Training and Advice
- Statistical Information to Prevent Injuries at Work
In some specific cases where we conduct onsite company-based clinics, we only process referral data in providing that treatment. In these cases, we do so under a processing contract with that Data Controller. We may gather and report anonymised statistical data to demonstrate the service provision.
3. Information we Collect
- Contact Details, Age, Gender, Personal and Job Role Information
- Information about Work Patterns, Work Environment, and Equipment
- Health Information
Health information is collected should we feel this will have an impact on the type of treatment requested. Sometimes, we use photographs to help us be accurate in describing the problems and recommending treatment. Before any photography is taken, this will be discussed with the Patient at the time.
4. Information Sharing
We will not disclose your information outside of the Sun Rehabilitation business and your Referrer/Employer except as below:
- We will share your information with our Network of Regulated Physiotherapy and Occupational Health partners where appropriate. This allows us to provide you with Occupational Health services closer to your home or place of work.
- With our data hosting partners working to strict security and compliance standards. These parties are Data Processors under our control by Contract.
- Where your Employer or Occupational Health service has Referred you, we may provide them with a Report following an Assessment. Where we have gathered data as a requirement of Health and Safety at work, such as DSE (Display Screen Equipment) Assessments, we will tell you if we intend to provide a report to your Employer. If we provide Physical Assessments in a therapy clinic, this is normally after the Initial Assessment and, if treatment is given, during the course of treatments and at your treatment discharge. In this latter case:
A. You will be asked on a Consent Form to choose how this is handled under the Access to Medical Reports Act.
B. Summary details of this information can be found in the Access to Medical Reports section of this Policy.
5. Your Rights
Your privacy rights and preferences are important to us. In some cases, you have the right to change your mind in respect of information that you have given us. This is covered under the rights set out below. You as the Data Subject have the following rights under Data Protection Legislation:
- Right to be Informed
- Right of Access
- Right to Rectification
- Right to Erasure
- Right to Restrict Processing
- Right to Data Portability
- Right to Object
- Right to Decision-Making and Profiling
For example, our consent documents, privacy information web pages and other information that we provide to you are part of our obligations under item one, the right to be informed and in some situations our need to gain your consent.
6. Lawful Basis
The lawful basis for collecting and processing patient data is not always simple. We have set out below a rationale for the lawful use of data for the various and sometimes complex circumstances that exist in our organisation when we provide occupational services.
Basic Contact Data
Our lawful basis for holding your basic contact details is where we have an arrangement directly with you, the patient. The lawful basis is “Contract/Pending Contract” (Article 6(1)B of the GDPR Regulations). Where we hold a contract directly or indirectly with your employer or occupational health referrer for delivering these services, the lawful basis is:
Article 6(1)F “Legitimate Interest”
We may use this contact information to contact you to better understand your needs and process the referral. This may, for example, include your preferred treatment location.
Sensitive or Special Category Health-Related Information:
Where a referral containing health-related data comes from a third party such as an occupational health referrer or employer, we will hold that data securely and use it to arrange appropriate services for the patient. If we do not receive clear information from the third party, we will hold patient data securely for a short time on the assumption that the provider has a clear legal basis to supply the data to us.
If we do not receive sufficient information to confirm the legal basis from the referrer, we shall delete the data. We may not then be able to complete the commission for work until we have collected the required data again.
Our lawful basis for processing this health-related information is:
- As Health Care professionals, based on our Contract with the Patient or the Employer or OH Referrer to provide OH services.
- As described in Article 9(2)H of the GDPR Regulations: “purposes of preventive or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis.” This is subject to paragraph 3 (which states “when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy”).
We will ask the employee/patient for medical treatment and reporting consent at the earliest opportunity in our assessment. This is to ensure the preferences of the employee/patient are clear for the sharing of any report with other parties such as the patient's occupational health referral company and employer. This provides choice for the patient specifically under the separate “Access to Medical Reports” section.
In the case of Occupational Health & Safety regulations where there is a statutory requirement, we will conduct face-to-face and automated Assessments (such as DSEQ) within accepted confidentiality guidelines for these activities.
There may be times when we disclose information under a legal obligation; in this case we will disclose information that is required of us by law on receipt of an appropriate request.
Although very unlikely, should you need any urgent care while being treated by one of our professionals, we may share your information with emergency services under the Vital Interest Lawful Basis (9(2)C of the GDPR Regulations), but with your verbal consent if you are able to give it. This is reserved for rare situations where your life may be at risk or you need urgent care to protect your health.
Telephone Consultations Only
Our assessors shall take appropriate measures to properly identify the patient on the call before discussing sensitive information. The telephone consultation will often include the sharing between patient and healthcare practitioner of sensitive health-related information. The lawful basis in this case remains as stated above. In the case of a telephone consultation it is NOT considered practical to seek signed consent. To ensure we have considered the rights and preferences of the patient, we will seek to obtain the patient's consent verbally during the call. The practitioner shall document this on the normal consent form and sign as the Clinician. They will note that the patient was not present, and the form will be processed and filed in the normal way with its case documentation.
Online Forms and Questionnaires
Where we gather and process information from an online tool or form, we may use formulaic computations to process and automate our service. This may include providing general automated guidance, such as in our DSEQ product, where we provide guidance from a logic-based formula based on the answers provided. We may score a risk level from this data to provide a focus for action by the employee or employer. You can always contact us via your line manager or, if necessary, directly to discuss any concerns that you have related to the outcome of this. We may also use this data statistically (anonymously) to advise your employer on Occupational Health matters and to develop/refine our services. Beyond providing guidance, we would always refer (where we are the Data Controller) or recommend the referral of an assessment to a trained human reviewer prior to any decision based on that computed information.
7. Data Processing
We process data when we receive a referral from the employee/patient or a third party servicing the employee/patient. Where we have asked for or received health-related information and are providing an assessment or treatment, we will process this data as required under Article 9(2)H of the GDPR Regulations. Your employer or occupational health provider should explain to you that they intend to pass your referral data to us.
Data – Our Cloud Providers
We only hold and process sensitive health-related information in secure systems, and/or the data is encrypted.
Our main provider (Data Processor) is the well-established global cloud service firm Citrix. Your data is held in secure, certified data centres (run by Amazon Web Services) within the European Union. Data is encrypted in transit and at rest to ensure its security. Citrix maintain strict levels of compliance with recognized international security standards (ISO 27002). Some Citrix data processing takes place in certified data centres in the USA (and other countries) under a contract containing clauses agreed by the European Union to provide the same level of protection. This is in compliance with the General Data Protection Regulations. For transparency we have provided the documents below which set out agreements with Citrix. These include the data processing contract as required under the regulations along with a description of procedural and technology security protections that are in place. Also included is a list of Citrix partners that are held to the same contractual terms.
All of our clinical partners across our network clinics and teams of assessors are subject to the same conditions of professional confidentiality as Sun Rehabilitation and are regulated in a similar way. We have established contracts of engagement with these partners controlling how they process your personal data in line with the data protection regulations.
8. Data Retention
We are bound by our professional body (Chartered Society of Physiotherapy) and governing authority (Health & Care Professions Council), to keep records of your assessments you receive. Our normal retention period shall be eight years (if a retention period for a particular type of information is unclear we will revert to the recommended periods set by the NHS). The legal basis under which we retain these records is Article 9(2)G “substantial public interest” to ensure that we can support your ongoing care if needed and 9(2)F “exercise or defense of legal
9. Contacting Us
If you have a simple question about our service please give us a call: 01905 700401
If you wish to make a formal request under Data Protection Regulations, such as:
- A Formal Question
- Require Information
- Accessing your Records
- Rectify Error in Records
- Erasing your Record
- Restrict Processing
- Take your Record Elsewhere
- Exercise your Rights
Please submit a request in writing to the Data Manager, Workspace Health, Workshop Business Centre, Main Street, Pinvin, Worcestershire, WR10 2ES or to firstname.lastname@example.org
This helps us to agree a way forward having considered your problem fully. If you have difficulty in doing this we can help you. However, please take care not to write sensitive health or personal information in an email as this form of communication is NOT secure. Alternatively, you may complete the secure online form here. https://podio.com/webforms/20473046/1400870
Please provide enough information for us to be able to contact you or find our records of your recent assessment or treatment. The Information Commissioner also has some useful advice on handling complaints https://ico.org.uk/for-the-public/raisingconcerns/.
We carry out identity checks to ensure we are talking with the right person. We will answer a lawful request and will not normally charge you for accessing your data protection rights so long as your request is clear, reasonable and does not breach any other rights or obligations.
We have 30 days to review your request and respond to you once we have identified you and understand the scope of your request (in some clearly defined circumstances this can take longer). We will work to respond as soon as we practically can. If you are not happy with the outcome of a request to us please do get in touch again. We will try to resolve the issue with you. In any event you may complain to the Office of the Information Commissioner if you feel that you cannot reach a resolution with us. The ICO website is www.ico.org.uk for general advice or concerns https://ico.org.uk/concerns/
10. Access to Medical Reports
ACCESS TO MEDICAL REPORTS ACTS 1988 (Revised September 1995).
Summary of Rights Related to Medical Reports obtained from GPs to Medical Consultants. No application may be made to a General Practitioner or Specialist/Consultant for a Medical Report relating to an employee without:
the employee being notified that a Report is being requested and giving consent to the application being made.
An employee has the right to:
- Refuse to Allow a Report to be Requested from a General Practitioner or Specialist
- Request to see the Report Before it is Sent
- Refuse to Allow the Report being Sent (After Review)
- Request Changes to Report Before it is Sent because He/She Considers it to be Incorrect or Misleading (Request Made to GP in Writing)
- Request that His/Her views are attached to the Report if there is any part of it with which they disagree and which the GP or Specialist is not prepared to alter. (Request Made to GP in Writing)
If the employee requests access to the Report before it is supplied, Sun Rehabilitation Ltd must:
- Notify the Employee when the Report is being Requested from the GP or Specialist
- Notify the GP or Specialist that the Employee has made such a Request
The GP or Specialist may not then supply the Report unless consent has been given; OR the Report has been amended to take account of the employee’s views, or a statement of those views has been attached to it; OR a period of 21 days from the date the application for the Report was made has gone by without the employee having contacted the GP to make arrangements to see the Report.
If an employee consents to the Report being obtained without requiring access to it prior to it being given to Sun Rehabilitation Ltd, but subsequently decides that he/she wishes to have access to it, he/she may approach the GP or Specialist directly. In such circumstances the GP or Specialist may not give the Report to Sun Rehab Ltd without the employee’s consent (subject to any amendments), or until a period of 21 days has passed since the employee indicated his/her wish to see the Report without the employee having contacted the GP to make arrangements to see the Report.
A GP or Specialist is required to give an employee access to any Medical Report supplied about him/her for employment or insurance purposes in the previous six months, at the employee’s request.
A GP or Specialist is not obliged to give access to Medical Reports where disclosure would, in the opinion of the GP or Specialist, cause serious harm to the physical or mental health of the employee or others; where it would indicate the intentions of the GP or Specialist in respect of the employee; or where disclosure would reveal information about another person who has supplied information to the GP or Specialist, unless that person has consented or is a health professional who provided the information in a professional capacity.
In these circumstances the GP or Specialist will inform the employee of this, and will give access to any parts of the Report not affected by the above clauses. The GP or Specialist will not pass on the Report unless the employee gives consent.
Independent Medical Reports – Medical Reports prepared by Sun Rehab OH Practitioners and sent to your Employer.
It is Sun Rehab’s policy that its Physiotherapists should be prepared to discuss with the employee the purpose of the Assessment, content of their Reports and especially the type of questions that they are being asked to answer.
You can withhold your consent at any stage of the Assessment and cannot be compelled to proceed. However, you must understand that management will then have to proceed using only their current knowledge and without any expert medical opinion.
Should you wish to amend a Report before it is released, you have the right to suggest amendments regarding “facts” but not the OH Physiotherapist's opinion. Should you wish to make any comment about the Occupational Health Report, please contact your Human Resources Department or Manager, who will liaise with Sun Rehabilitation on your behalf.