Privacy Notice
1. Introduction
Drayton Medical Services Ltd is committed to protecting your personal information and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This Privacy Notice explains how Drayton Medical Services Ltd, as an Occupational Health Service provider, collects, uses, stores and protects personal and special category data relating to employees and service users.
We process personal data in accordance with:
Article 6(1)(f) – Legitimate interests
Article 9(2)(b) and (h) – Employment, social protection law and occupational medicine
Article 9(3) – Processing by or under the responsibility of a health professional
2. What Data Will Be Collected
The following categories of personal data may be collected, held and shared by Drayton Medical Services Ltd:
Personal information (e.g. name, address, date of birth, contact details)
Personal characteristics (e.g. ethnicity, gender)
Employment information, including past and present job roles
Health and medical information, which is classified as special category data
3. Why Data Is Collected and the Lawful Basis for Processing
3.1 Lawful Bases
We process personal data under the following lawful bases:
Legal Obligation
Processing is necessary to comply with legal duties, including health and safety and employment legislation. Drayton Medical Services Ltd acts as an agent and Occupational Health provider to employers.
This includes processing data to:
Assess an employee’s working capacity
Support employers in meeting health and safety obligations
Consider reasonable adjustments to support an employee’s ability to work
Vital Interests
Processing may be necessary to protect life and prevent serious harm, including managing risks arising from work activities.
Special Category Data
Health information is processed for the purposes of:
Preventive or occupational medicine
Assessment of working capacity
Medical diagnosis
Provision or management of health or social care
This includes information obtained during consultations and, with consent, from GPs, Consultants, Specialists and Therapists. Processing is subject to professional confidentiality obligations and safeguards required by relevant medical and nursing regulatory bodies.
4. Statutory Health Surveillance
Statutory Health Surveillance is conducted where required by law to monitor exposure to specific workplace hazards (e.g. asbestos, lead) or to protect public health (e.g. Hepatitis B).
Where Health Surveillance is requested, a basic health record may be created containing:
Employee’s name, address and National Insurance number
Substance or process exposure details
Surveillance undertaken, tester name and outcome (e.g. fit, unfit, fit with adjustments)
5. Who Data Is Collected From
Personal data may be collected from:
The data subject (the employee)
The employer (e.g. HR teams or line managers), with consent
Treating healthcare professionals, with consent
Associate Occupational Health professionals commissioned as part of assessment processes
All third-party providers are required to follow informed consent and data protection obligations.
6. How Data Is Collected
Information may be collected:
Verbally (telephone consultations or face-to-face appointments)
In writing, including:
Health questionnaires
Management referral forms
Emails
Medical reports and GP correspondence
Information may be received electronically or via secure postal services. All data sharing is subject to consent and safeguarding arrangements.
7. Storage and Use of Records
Personal data is stored electronically on secure systems. Information may be processed or stored outside of Drayton Medical Services Ltd systems where necessary, but always in line with GDPR requirements.
Access to records is restricted on a strict need-to-know basis. Administrative staff may access limited information for operational purposes such as appointment booking or report processing. All staff are bound by confidentiality policies and contractual obligations.
8. Your Rights
You have the right to:
Access your Occupational Health records (in full or in part)
Authorise a third party to access records on your behalf
Request correction of inaccurate or incomplete data
Object to information being shared with other healthcare providers for your care (noting this may limit treatment options)
Requests for access can be made by contacting our administration team.
There are limited circumstances where medical records can be erased; generally, correct clinical information cannot be deleted. You may seek independent legal advice if you believe there is no lawful basis for retention.
9. Concerns and Complaints
If you have concerns about providing information or how your data is used, please contact the staff member handling your case or the Operations Manager.
You have the right to complain to the Information Commissioner’s Office (ICO):
Website: https://ico.org.uk/global/contact-us/
Helpline: 0303 123 1113
10. Personal Data Breaches
All Occupational Health staff and systems (including Clinic Assist) act as data processors.
Any personal or special category data breach (including loss, unauthorised disclosure or alteration) must be reported immediately to the Data Controller.
The Data Controller will notify the ICO within 72 hours, where required.
11. Retention of Records
Clinical information is retained only as long as necessary:
Pre-employment forms: 1 year
Occupational Health files: 6 years after employment ends
Health Surveillance records: 40 years, or transferred to a new OH provider or HSE if we cease trading
12. Data Controller Details
Data Controller:
Drayton Medical Services Ltd
The Sanderson Suite
280A Havant Road
Drayton
Portsmouth
Hampshire
PO6 1PA