How Drayton Medical Services uses your personal information

1. What this notice is about
This notice explains:
What personal information Drayton Medical Services Ltd (DMS) collects about you
Why we collect it
How it is used and kept safe
What your rights are
DMS is committed to protecting your personal information and complying with the UK General Data Protection Regulation (UK GDPR).

2. Who we are
Drayton Medical Services Ltd provides Occupational Health services to employers.
When we handle your information, we do so as part of providing those services safely, lawfully, and professionally.

3. What information we may collect
We may collect, hold, and share the following information about you:
Personal details
Name
Address
Date of birth
National Insurance number
Personal characteristics
Sex or gender
Ethnicity
Employment information
Current and previous job roles
Information relating to your work duties
Health information (special category data)
Medical and health information discussed during appointments
Information needed to assess your fitness for work
Health information is classed as “special category data” and is given additional protection under the law.

4. Why we collect your information
We collect and use your information to:
Assess your fitness and ability to work
Help protect your health and safety at work
Support your employer in meeting their legal duties
Recommend reasonable adjustments where needed
Carry out statutory health surveillance where legally required

5. Our lawful basis for using your data
Under UK GDPR, we must have a lawful reason to process your data. Our lawful bases include:
Legal obligation
We are required by law to process certain information to meet:
Health and Safety legislation
Employment legislation
This includes supporting your employer, as we act as their occupational health provider.
Vital interests
We may process information where it is necessary to protect life or prevent serious harm.
Occupational health and medical purposes
We process health information for:
Preventive and occupational medicine
Assessing fitness for work
Medical diagnosis and treatment
Managing health and wellbeing
This may include information (with your consent) from:
Your GP
Consultants
Specialists
Therapists
All processing follows professional and regulatory safeguards.

6. Statutory Health Surveillance
Some health surveillance is required by law, for example where employees are exposed to:
Asbestos
Lead
Other hazardous substances
Infectious diseases such as Hepatitis B
Where statutory health surveillance is required, a basic health record may be kept, including:
Your name, address, and National Insurance number
The substance or process you are exposed to
Details of surveillance carried out
Name of the tester and outcome (e.g. fit, fit with adjustments, unfit)

7. Where your information comes from
We may collect information from:
You (the employee)
Your employer, with your consent (e.g. HR or line manager)
Healthcare professionals, with your consent (e.g. GP, consultants)
Associate occupational health professionals we refer you to, who must also follow data protection and consent rules

8. How your information is collected
Information may be collected:
Verbally (telephone or face‑to‑face conversations)
In writing (emails, letters, referral forms, questionnaires, reports)
Electronically or by post
All information is handled with informed consent and appropriate safeguards.

9. How your information is stored and used
Your information is stored securely on DMS systems
Access is limited to staff who need the information to do their job
Administrative staff may access information to book appointments or process reports
All staff are:
Trained in confidentiality
Contractually required to protect your information
We take reasonable steps to ensure your data is kept secure and used appropriately at all times.

10. Your rights
You have the right to:
Access your records
You can request a copy of some or all of your occupational health records, or authorise someone else (e.g. a solicitor) to do so.
Please contact our administration team to request an access form.
Correct information
If you believe information is incorrect or out of date, you have the right to ask for it to be corrected.
Object to sharing
You can object to your information being shared with other healthcare providers.
Please note that this may limit the care or advice we can provide.
Raise concerns
If you are uncomfortable providing any information, please speak to:
The person requesting the information, or
The DMS Operations Manager

11. Deletion of records
In most circumstances, we are required by law to keep accurate occupational health records and cannot delete correct information.
If you believe there is no lawful reason for us to hold your data, you may raise this with us or seek independent legal advice.

12. Complaints
If you are unhappy with how your information is handled, you can complain to the Information Commissioner’s Office (ICO):
Website: https://ico.org.uk/global/contact-us/
Telephone: 0303 123 1113

13. Data breaches
All DMS occupational health staff and systems (including Clinic Assist) are classed as data processors.
Any suspected data breach is reported to the Data Controller (Operations Manager)
Serious breaches are reported to the ICO within 72 hours, as required by law

14. How long we keep your information
We only keep information for as long as necessary:
Pre‑employment records: 1 year
Occupational health files: 6 years after employment ends
Health surveillance records: 40 years These may be transferred to another OH provider, or to the HSE, if required

15. Data Controller details
Data Controller:
Drayton Medical Services Ltd
The Sanderson Suite
280A Havant Road
Drayton
Portsmouth
Hampshire
PO6 1PA