SKC Occupational Health Limited is both Data Controller and Data Processor and committed to protecting the rights of the individual, acknowledging that any personal data handled will be processed in accordance with the Data Protection Act 1998 (DPA) and the new General Data Protection Regulations (GDPR) 2018.


What Data Will Be Collected
The following data may be collected, held and shared by SKC Occupational Health :

  • Personal information (e.g. Name, Address, Date of Birth)
  • Characteristics (ethnicity, gender)
  • Past and present job roles
  • Health information.

Who It Will Be Collected From

  • Human Resources
  • Managers
  • Employees
  • Other health professionals (e.g. GP, specialist, physio).

How It Will Be Collected

  • Post
  • Email
  • Verbal (Either by telephone or face to face)
  • Health Questionnaires
  • Health Assessment (e.g. skin or vision assessment).

Why It Is Collected

  • For the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee.
  • To ensure the health and safety of employees at work and to allow consideration of any adjustments that may be required to support their ability to work.
  • Data may also be used for research, audit or statistics but will be anonymised if this is the case.

Lawful Basis For Processing (from the General Data Protection Regulations)

  1. Article 6(1)(f) Processing is necessary for the purposes of the legitimate interests (see note 1) pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
  2. Additional condition for the processing of Special Category DataArticle 9(2)(h) Processing is necessary for the purposes of Occupational Medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment, or the management of health or social care systems and services on the basis of EU or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in in para 3 (below).

Article 9(3)2Personal data may be processed for the purposes referred to in (2)(h) when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under EU or Member State law or rules established by national competent bodies.

How Long Your Data Will Be Held For

  • Information will be held for 6 years after leaving employment or 75 years of age (whichever is soonest) as recommended by the British Medical Association (BMA) unless there is a recognised clinical need or statutory requirement to retain it for longer
  • New employee assessments will be discarded after 2 years if the offer of the job is not taken up.

How Your Data Will Be Stored (see note 2)

  • Records are kept mainly on paper as part of a structured filing system and are stored in accordance with the BMA’s medical records storage policy and in compliance with GDPR. They are accessible only to SKC Occupational Health .
  • Some records are kept digitally on a separate personal drive within the IT system and are password protected.

Who Your Information Will Be Shared With

  • Information about you will not be shared with third parties without your consent unless the law allows this, or there is a serious risk to life.
  • Results of Health Surveillance will be passed on to the employer under Reg. 11 COSHH Regulations 2002 and ACOP 2103 for retention as required by the Health and Safety Executive (HSE).

Your Rights

  • You have the right to see any information held about you in your Occupational Health Clinical Record. The request should be made in writing and will be responded to within 4 weeks, without charge.
  • You can also request that an amendment is attached to it if you believe any of the information held by SKC Occupational Health is inaccurate or misleading.
  • You have the right to withdraw consent at any time, for any reason. Please ensure SKC Occupational Health has received this information.
  • In the case of request for erasure, retention may be lawful (e.g. if required for legal compliance).

1.Where there is the legitimate interest of the employer e.g. for the OH Practitioner to advise on fitness to work for the efficient and safe running of its business, to comply with its legal obligations under health and safety Law and employment law in particular the Equality Act, or with respect to its legal duties for sick pay.

2 Article 9(3) e.g. by a regulated health professional. This incorporates common law and GMC/NMC (Ref) duty of confidentiality into the GDPR.