UCL Human Resources


Workplace Health Confidentiality Statement

On this page:

Privacy statement 

In line with the General Data Protection Regulation (GDPR) we want to provide you with more details about how we collect and use your personal information. To make it easy for you to find out why we collect or use your information we have created a ‘Staff Privacy Notice’ which includes details about: 

  • your rights relating to the information we hold about you 
  • how we ensure your personal information is kept safe 
  • the types of personal information UCL or any third parties collect and use your information 
  • the legal basis we rely on to use your information 
  • why UCL is processing your information 
  • what information of yours is shared with others 
  • contact details of whom you can contact if you have concerns 

The Workplace Health privacy notice can be found here:  Workplace Health privacy notice  

↑ Back to top

Confidentiality in Workplace Health 

All medical information that is shared with us will be treated in the same way as anything you discuss with your GP. 

All staff (clinical and administrative) within Workplace Health have a legal and contractual obligation to maintain client confidentiality, whether working in a clinical or administrative capacity. 

If confidentiality is broken without good reason (for example, the individual is at risk of harm - see below) an individual can sue through a civil court. That person can also complain to the Information Commissioners Office if there is a breach of General Data Protection Regulations (2018), the General Medical Council (GMC) or the Nursing and Midwifery Council (NMC). 

The right to confidentiality is protected by: 

  1. The Common Law Duty of Confidentiality. The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s informed consent. 

  1. Article 8 of the European Convention on Human Rights which covers the ‘right to respect for private and family life’ now incorporated in UK law by Human Rights Act 1998 

  1. General Data Protection Regulations (2018) / UKDPA (2018 The General Data Protection Regulation (GDPR) & Data Protection Act (DPA) 2018 applies to all ‘personal data’. Personal data is defined as any data which relate to a living individual who can be identified from that data. 

All data subjects should be made aware of the boundaries of confidentiality within Workplace Health. Data subjects must be made aware of who has access to the records kept in Workplace Health.  

Disclosure of confidential information: 

The Department of Health (2018) advises three circumstances making disclosure of confidential information lawful are; 

  1. Where the individual to whom the information relates has consented 

  1. Where disclosure is necessary to safeguard the individual, or others, or is in the public interest 

  1. Where there is a legal duty to do so, for example a court order.  Any practitioner considering making a disclosure in the public interest must ensure that they are acting within their professional boundaries and codes of conduct and must always discuss their intention to make such a disclosure with the Director of Workplace Health or a Consultant Occupational Physician if the Director is unavailable.

To discuss this further please don’t hesitate to contact us

↑ Back to top

Obtaining your Workplace Health medical record – Subject Access Request (SAR) 

Data subjects have the right to access personal data about themselves, which is held in either computerised or manual form, whenever the record was compiled. 

All requests for access to occupational health records must be made in accordance with UCL's Data Protection Policy via the UCL Data Protection Officer. All responses to an SAR must be made within a month and the data subject cannot be charged for an initial copy. 

UCLs Data Protection Policy 

↑ Back to top