About privacy, confidentiality and subject access requests.
In line with the General Data Protection Regulation (GDPR) we want to provide you with more details about how we collect and use your personal information. To make it easy for you to find out why we collect or use your information we have created a ‘Staff Privacy Notice’ which includes details about:
- your rights relating to the information we hold about you
- how we ensure your personal information is kept safe
- the types of personal information UCL or any third parties collect and use
- the legal basis we rely on to use your information
- why UCL is processing your information
- what information of yours is shared with others
- details of whom you can contact if you have concerns
The staff privacy notice can be found here: Staff Privacy Notice
Confidentiality in OHW
All medical information that is shared with us will be treated in the same way as anything you discuss with your GP.
All staff (clinical and administrative) within OHW have a legal and contractual obligation to maintain client confidentiality, whether working in a clinical or administrative capacity.
If confidentiality is broken without good reason (for example, the individual is at risk of harm - see below) an individual can sue through a civil court. That person can also complain to the Information Commissioner's Office if there is a breach of the General Data Protection Regulation (2018), or to the General Medical Council (GMC) or the Nursing and Midwifery Council (NMC).
The right to confidentiality is protected by:
- The Common Law Duty of Confidentiality. The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s informed consent.
- Article 8 of the European Convention on Human Rights, which covers the ‘right to respect for private and family life’, now incorporated in UK law by the Human Rights Act 1998.
- General Data Protection Regulation (2018) / UKDPA (2018). The General Data Protection Regulation (GDPR) & Data Protection Act (DPA) 2018 apply to all ‘personal data’. Personal data is defined as any data which relate to a living individual who can be identified from that data.
All data subjects should be made aware of the boundaries of confidentiality within OHW. Data subjects must be made aware of who has access to the records kept in OHW.
Disclosure of confidential information:
The Department of Health (2018) advises that three circumstances make disclosure of confidential information lawful:
- Where the individual to whom the information relates has consented
- Where disclosure is necessary to safeguard the individual, or others, or is in the public interest
- Where there is a legal duty to do so, for example a court order.
Any practitioner considering making a disclosure in the public interest must ensure that they are acting within their professional boundaries and codes of conduct and must always discuss their intention to make such a disclosure with the Director of OHW or a Consultant Occupational Physician if the Director is unavailable.
To discuss this further please don’t hesitate to contact us.
Obtaining your OHW medical record – Subject access requests
Data subjects have the right to access personal data about themselves, which is held in either computerised or manual form, whenever the record was compiled.
All requests for access to occupational health records must be made via the UCL Data Protection Officer. All responses to an SAR must be made within a month and the data subject cannot be charged for an initial copy.