Privacy Notice of the UK Occupational Health Services

How we look after your Data

This Notice is a Statement of how Abbott Healthcare Connections Ltd (“the Company” or “we” or “us”) processes your personal data. This GDPR Privacy Notice provides you with additional information relating to the processing of your personal data and how you may exercise your data protection rights. It should be read in conjunction with Abbott’s Privacy Policy.

What is Personal Data?

“Personal Data” is any information that identifies you or from which you could be identified, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, psychological, genetic, mental, economic or social identity. Personal Data includes subsets of special categories of information that reveal information about your health, among other things.

Information you are asked to provide:

Before attending your appointment

If you are referred for a Health Assessment with us, you will be asked to complete a questionnaire and health profile before attending your appointment. Within the questionnaire you are asked to provide:

  • Name
  • Address
  • Gender
  • Age (Date of Birth)
  • NI Number
  • Employer details
  • GP details
  • Working History
  • Medical History (including any current conditions)

We may also receive some of these basic details from your employer if you have been referred to us by them in order to carry out an assessment. These are verified with you via the questionnaire we ask you to complete above.

We require this personal data in order to identify you within our systems and ensure that your information is processed securely. Additionally, this range of personal data allows our systems and clinicians to provide an accurate, tailored Health Assessment.

During your appointment

Throughout your appointment we collect varying amounts of personal data. The amount of personal data that we collect will differ based upon the appointment service that you are referred for. Personal data that we collect may include:

  • Medical and lifestyle history
  • Observations and measures of your physical characteristics
  • Observations and measures of your psychological wellbeing
  • Ethnic and social identity
  • Economic status
  • Relationship status
  • Occupational status

We aim to deliver a thorough assessment during your visit and collect the above data in order to fully assess your fitness to complete your role and provide the most clinically suitable recommendations where required. Should there be any part or test within the appointment that you do not wish to complete, please inform your clinician on the day of the appointment.

After your appointment

Communication with other health professionals – during your appointment journey it may be necessary to share your personal data with another health professional who is involved in your care (e.g. your GP, nurse, a consultant, external practitioners (when they are working with you on our behalf) or laboratory staff).

Specimen transport - physical specimens (e.g. blood, urine or saliva sample) may be collected during your appointment. Specimens may be tested in laboratories that are not located at the site where your Health Assessment is carried out. In such cases, your specimens will be transported to the laboratory via an authorised and vetted courier.

Disclosures within the Company – there may be entities within the Company that are involved in providing and managing your healthcare assessment. These entities are within the EU; however, some are based in the United States and the Philippines. All of the Company’s entities sign up to the same standards, policies and rules as we do here in the UK, so your information is protected.

Disclosures to your employer – we will only ever disclose information about your initial health assessment to your employer with your consent. However, where assessing for fitness to work in accordance with specific industry requirements, the outcome and any relevant restrictions will be disclosed as part of your Employer’s legal obligations. This may also involve an upload to a relevant industry database (e.g. Sentinel). Please note, where you may use our medication checking service (Chemist on Call) the results and recommendations of the medications we have checked will be provided to your employer as part of the results process. If you have any concerns about what is or is not shared with your employer, please speak to your clinician at your assessment or contact the customer service team after the appointment.

Disclosures to any other outside parties – there may be occasions where we are legally obliged to share your data with an organisation outside of you, the Company or your Employer. We will seek your consent before we share anything where it is appropriate to do so but there may be some occasions where we cannot. Please see below for further information on how we handle requests to access your data.

Fair and Lawful Processing:

In order to provide you with an Occupational Health assessment, we are the ‘Data Controller’ of the data we collect and use about you. Due to the nature of Occupational Health, there may be some instances where we are an Independent Controller with your employer, and we work together with them on Occupational Health matters.

Each organisation is required to demonstrate that they are processing personal data fairly and lawfully. To do this we must have a ‘lawful basis for processing’ personal data, which is outlined below:

In order to assess your working capacity

Article 6 = Legal Obligation (Health & Safety, Working with dangerous Chemicals etc.)

Article 9 = Occupational Health (Assessment of the working capacity of the employee)

In order to inform your employer of their obligations to action any support you may need

Article 6 = Legitimate Interest (as we are under contractual obligation with your employer)

Article 9 = Occupational Health (Assessment of the working capacity of the employee)

In order to inform your employer of any medical condition or history you believe is relevant

Article 6 = Consent

Article 9 = Explicit Consent

In order to investigate, establish or defend any claims that may result from your treatment

Article 6 = Legal Obligation (Health & Safety, Working with dangerous Chemicals etc.)

Article 9 = Defence of Legal Claim

We may also look to continually improve clinical treatment; therefore, we may use non-identifiable data as part of a research project or an assessment of our services.

How long will we keep my personal data for?

Subject to applicable data subject rights, we will not hold personal data for longer than required to comply with our legal obligations. Where we are under a legal obligation to retain data, we will retain it in accordance with the applicable legal requirement.

Your rights over your personal data:

The law gives you certain rights in respect of the information that we hold about you. Below is a short overview of the key rights available to you.

  • Data Subject Access Request - with some exceptions designed to protect the rights of others, you have the right to a copy of the personal data that we hold about you. For more information on this right, please see the section below.
  • Right to Rectification - you have the right to have the personal data we hold about you corrected if it is factually inaccurate. This right does not extend to matters of opinion, such as an assessment of your wellbeing from a clinician or an assessment of your fitness to work.
  • Right to Erasure - in some limited circumstances, you have the right to have personal data that we hold about you erased (the “right to be forgotten”). This right is not generally available where we still have a valid legal reason to keep the data (e.g. because we are obliged to do so by law).
  • Right to Restrict Processing - you also have the right in some circumstances to request that temporary restrictions are placed on how we process your personal data. For example, if you contest its accuracy or where we are processing it based on our legitimate interest, and you contest our assessment that our interest overrides your rights.

Where we seek your consent to share any Personal Data with someone like your employer, at any point you can contact us to remove that consent and change your mind. To do so, simply contact the customer service team.

To exercise any of your rights please contact DataProtectionUK@abbott.com or speak to your clinician.

Requests to access your data:

You may request copies of your occupational health records or parts thereof, at any time. You may also request that a copy of your occupational health records is sent to a third party, such as a solicitor.

If you want access to your occupational health records, we need to confirm the following details from you:

  • Your full name and title.
  • Your date of birth.
  • Your address.
  • Your employer details.
  • The scope of what information you require.

It should also contain a signature, if in letter form. If we receive the request by e-mail or phone call, we may make an additional security check to ensure you are who you say you are. This is designed to protect your information.

If the request comes from a third party, such as a solicitor, then it is essential that we have the following information included in a consent form from the individual. The consent form should include:

  • The individual’s full name and title.
  • Their date of birth.
  • Their address.
  • Their employer details
  • They must also expressly request their occupational health records from us (please do not ask for the occupational health records from their company as these records will only be the outcome reports which the company hold and not our full medical records).
  • It must explicitly consent to us sending the records to the named third party, i.e. contain the words ‘I consent to the release …’
  • It must be signed by the individual.

If we receive a request from a third party, we may contact you to verify that the request is legitimate, and you have asked them to request the data.

How do we protect your data?

We have a wide range of measures in place to help ensure your information is protected both within our own organisation and those partners and suppliers that we choose to work with. These range from training for our staff through to technical security measures with things like Encryption and Cyber Security software. We look to keep this updated as best we can and encourage a culture of effective information handling amongst our staff.

What happens if things go wrong?

Where something does not live up to our normal high standards you may have cause to raise a concern regarding an element of your customer journey. It is important that we learn from these episodes to continually enhance services and as such we carry out thorough investigations. In order to fully investigate your concern, we may need to share information with our Data Protection team. In any case, we will only share a limited amount of information, as little as is necessary to investigate the concern. We may also need to share details of your concern with the clinicians who conducted your appointment for the purposes of the investigation. If the concern has come via a third party (e.g. a regulatory body or solicitor) we may need to disclose your data to them in order to resolve, defend or investigate a concern.

Further Information and how you can get in touch:

For further information about how your data may be processed or to ask any questions, please raise this with the customer service team. If you are not satisfied with how we handle your personal data or a request to exercise one of your rights in relation to your data, you can contact the Data Protection Officer via DataProtectionUK@abbott.com.

Should you remain dissatisfied you have a right to complain to the Information Commissioner’s Office on 0303 123 1113 or through their website https://ico.org.uk/