Clinical Privacy Notice
Issue 16, May 2023
Definitions
Data – information held by Express Medicals
Data controller – Express Medicals, and relevant subcontractors with whom we have a join data controller agreement
Data processor – relevant subcontractors with whom we have a data processing agreement
Data subject / you – the individual undergoing testing with Express Medicals
Employer – the company who booked your testing and receives results. This may be a direct employer, an employment agency, a sponsor or sub-sponsor.
Information Commissioner’s Office / ICO - the UK's independent regulatory office in charge of upholding information rights
Personal data – any data from which an individual can be identified e.g. name, date of birth, National Insurance number
Results – the outcome of any medical assessment, screening or testing undertaken on a data subject
Sensitive personal data – this will include data relating to the health of an individual
Sponsor – as per Employer, particular to Network Rail and London Underground. A data subject working, or planning to work on, the Network Rail infrastructure will have one “primary sponsor” and may have up to two additional “sub-sponsors”.
We/our –Express Medicals
Introduction
Employers have a duty of care - and with regard to some medical conditions, a legal obligation – to protect their workforce by ensuring that they are fit to carry out their duties safely.
Personal and sensitive data may only be collected, processed, stored and disclosed by Express Medicals with your explicit consent. There are, however, extenuating circumstances which will override this requirement – for example, where disclosure is required by law or where there is immediate danger to your health.
If consent is not given, data collection must not take place. You have the right to withdraw consent at any time up until the result / outcome is known; we have a duty of care, and an obligation under Network Rail standards (if applicable), to report results and outcomes which may have an impact on your own safety or the safety of others. See Network Rail Specifics section on page 2 for further information on our obligations regarding Sentinel uploads.
For drug and alcohol tests it is important to note that refusal or withdrawal of consent will almost always lead to a fail result being issued.
All data is handled in accordance with relevant Data Protection legislation, and all reasonable efforts are made to protect the confidentiality, integrity and availability of your data at every stage from collection to archiving or destruction. This includes any data obtained by Express Medicals from data subjects, employers, data controllers and data processors - including intellectual property - for the purpose of providing or facilitating professional services.
Purposes for which personal data may be held
Personal data is collected primarily for the purposes of:
medical assessment
health surveillance
drugs and alcohol screening/testing
Sensitive personal data includes information relating to the following matters:
medical history
details of any prescribed or over the counter medication used
lifestyle information, including the use of alcohol, tobacco or illicit drugs
Processing of personal data
Some of our data collection is paper-based. Details of assessments are recorded on forms which are processed and stored in a secure facility at our Head Office.
Express Medicals also uses a range of electronic products and platforms to process your data. Some of these are required by specialised organisations responsible for recommending industry standards and maintaining industry-specific databases (e.g. Sentinel), and others are purchased by Express Medicals in order to optimise the efficiency and security of data processing. Express Medicals will not transfer your data outside the European Economic Area (EEA) without appropriate protection. We will never sell your data on, or use it for other purposes than that for which it was originally collected.
Third party data controllers and data processors
In order to optimise the delivery of our services, Express Medicals has contracts with a network of approved suppliers. In addition to those mentioned above, these suppliers deliver key services including:
· Laboratory testing of biological samples for diagnostic purposes
· Provision of occupational health and specialist services e.g. counselling
· Scanning, indexing and secure destruction of paper clinical records
Disclosure of results
In all cases, results will be reported back to you and/or the person(s) who are formally designated to receive results e.g. your employer.
Results may be conveyed as follows:
Post – all outgoing mail is sent in envelopes marked “Private & Confidential”
Email – appropriate measures are applied to ensure the security of results sent via email
Secure customer portal
Industry-specific database e.g. Sentinel for Network Rail
Network Rail specifics:
The following instances will result in a fail being uploaded to Sentinel and you will be banned from working on Network Rail infrastructure for 5 years:
A breath alcohol reading above the Network Rail cut-off limit
Refusal to consent to laboratory analysis of a urine sample following a non-negative result on an instant urine test
This is governed by Network Rail and any appeals regarding your results should be directed to them via your sponsor.
Retention and destruction of records
Medical records are retained by Express Medicals in line with our retention schedule. Records are not held for longer than is necessary, and the retention schedule takes into consideration the retention requirements of any applicable legislation or standards e.g. The Control of Asbestos at Work Regulations; Network Rail.
Express Medicals keeps electronic records of data subjects’ information on databases which can only be accessed by authorised Express Medicals personnel.
Express Medicals has a contract with an approved supplier for the collection, secure transport, scanning and secure destruction of all our paper records.
Any extraneous paper records containing sensitive personal data are disposed of securely.
Your data protection rights
Under data protection law, you have rights including:
Your right of access - You have the right to ask us for copies of your personal information.
Your right to rectification - You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing - You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing - You have the right to object to the processing of your personal data in certain circumstances.
Your right to data portability - You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please direct all such requests for the attention of our Data Protection Officer, who can be contacted as below:
Data Protection Officer
Express Medicals Plc
8 City Business Centre
Lower Road
London
SE16 2XB
dpo@expressmedicals.co.uk
02075006900
Express Medicals are registered with the Information Commissioner’s Office (ICO) as a data controller. Our registration number is ZB498529.
How to complain
If you are unhappy with how we have used your data you can make a complaint to the ICO – contact details below.
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113