How Working Well uses your information
Working Well is the name of the occupational health service provided by ²gether NHS Foundation Trust. This Privacy Notice is for anyone who is referred to Working Well, either by their employer or through self-referral. It explains how and why the Trust, as a data controller, collects and uses information about you.
What information do we collect about people who use our service?
Information which Working Well may hold about you includes the following:
- Details about you, such as your name and address and other contact details such as an email address and telephone number
- Details about where you work and what your job is.
- Information about your health, and how this affects your job
- Results of investigations, such as laboratory tests, x-rays, etc.
- Your immunity to certain diseases
- Relevant information from your employer, including the reason for any referral to Working Well, and relevant information about any absences from work.
What other information about you do we hold?
- As well as information that you provide to us directly, we may also use information from other sources to help us provide you with an effective occupational health service. This may include, for example, information from your GP or other Specialist who may be involved in your care
- Your information may also be collected for other purposes that you should be aware of, such as CCTV recordings used for crime prevention, or if you make a complaint/enquiry or if you complete a survey.
Why do we collect your information?
- Our health care professionals collect your information to enable us to provide you with the best possible occupational health service on behalf of your employer, with whom we have a contract to provide such services.
- Our staff may check your details with you to ensure they are up-to-date and correct. So, if your details have changed (such as your name or address) you need to let us know.
What is our legal basis for using your information?
Working Well will not collect, hold or otherwise process your information unless it has a legal basis to do so.
Data protection law allows us to handle your personal information:
- to fulfil the terms of a contract, and
- in connection with our legitimate interests, or the legitimate interests of a third party.
As an occupational health service we also handle information about your mental and physical health. This is known as ‘special category data’.
We handle this type of information for the purposes of preventative or occupational medicine, and the assessment of the working capacity of the employee
Whom might we share your information with?
Information that we collect about your healthcare may be made available to your employer with whom we have a contract to provide occupational health services but only if you have given us consent to do so. We share your name and the services you have received with a link person at your employer for invoicing purposes. That link person might be a member of the finance team or a HR Manager.
There are exceptional circumstances whereby the Trust may share information about you without your knowledge, for example, in an emergency where you or someone else might suffer substantial harm or distress, where it relates to a ‘communicable disease’ or a serious crime, or if information is required by law (such as a court order).
Staff should discuss with you what information they are sharing, why and with whom. If we ask for your consent to share your information, you can withdraw that consent at any time simply by telling your Occupational Health clinician.
Where, and for how long, do we keep your information?
All occupational health records are stored in electronic form in the UK.
We keep a record of your information for a set length of time, depending on the type of information it is.
You can find further information on the rules that the Trust must follow here (this will take you to a website provided by the Information Governance Alliance – see ‘Records Management Code of Practice for Health and Social Care 2016’). Appendix 3, No. 11 deals with occupational health records.
What are my rights?
The Data Protection Act gives you certain rights in respect of the information we hold about you.
Working Well may refuse your request (in full or in part) where there is a legal basis to do so, and you will be notified of this.
Requesting a copy of information that we hold about you
You are entitled to a copy of information that we hold about you. Normally this is available to you free of charge, but we may charge a reasonable fee to cover administrative costs such as copying, or if you request another copy of the same information.
We must provide you with the requested information (where it is appropriate to do so) within 1 month once we have sufficient details to be able to process the request. However, we may extend this period for a further 2 months if the request is particularly complex. We may also refuse to respond to requests which are bulky, complex or repetitive.
There is information at the bottom of this page on how to make a request.
Objecting to Working Well using your personal data
You have the right to object to us using/sharing your information.
Objections will be considered and you will be notified of our decision and the reason for it.
Where we have asked for your consent to collect and use your information, you have the right to withdraw that consent at any time.
If you want to object to our using your information, you should contact Working Well. Contact details are at the bottom of this page.
Asking to have your personal data corrected
You are entitled to have personal data corrected if it is inaccurate or incomplete.
We must respond to your request within 1 month. However, we may extend this period by up to a further 2 months for complex requests.
We may refuse the request if we believe the information is accurate/complete or there is a legal basis to do so. If that is the case, you will be notified of this. You have the right to complain to the Information Commissioner’s Office and to seek correction by order of a Court.
If you believe your information is inaccurate or incomplete, you should contact Working Well to ask for it to be corrected. Contact details are at the bottom of this page.
Blocking the use of your personal data
You can ask us to block the use of your personal data in some circumstances:
- Where you think your personal data is incorrect.
- Where you have objected to us using your personal data.
- When our use of your personal data is unlawful but you don’t want us to erase your data completely.
- If we no longer need the personal data but the you need us to keep it in connection with a legal claim.
Where use of your information is blocked temporarily (for example while we check whether it is accurate) we will inform you when that block is lifted.
If you want to block the use of your information, you should contact Working Well. Details are at the bottom of this page.
Asking to have your personal data erased
This is more commonly known as the ‘right to be forgotten’. You may ask to have your data erased where:
- It no longer needs to be kept by us (when it has gone beyond the minimum retention period)
- Where you withdraw your consent or object to the use of your data and there is no requirement for us to retain the data
- It has been used unlawfully
- There is a legal obligation that we must comply with
We may refuse your request (in full or part) where there is a legal basis to do so. If that is the case, you will be notified of this.
Details on submitting a request are at the bottom of the page.
How can you be sure we handle your information properly?
It is a legal requirement to ensure that all information about you is kept confidential.
2gether NHS Foundation Trust has to complete a Data Security and Protection declaration for NHS Digital every year, and the Trust Board also has to make a declaration to its regulator, NHS Improvement, that the Trust complies with the National Data Security Standards.
The Trust has policies and procedures to make sure that staff know how to handle your information properly, and keep it confidential.
Our staff only look at your information when it is absolutely necessary.
Staff have to complete data security training once a year to make sure that they understand what is required of them. Staff also have regular training so that they understand how to use computerised record systems
What to do if you have concerns about the use of your information
You can contact John McIlveen, who is the Data Protection Officer for ²gether NHS Foundation Trust, at:
If we can’t resolve your concern, you have the right to lodge a complaint with the Information Commissioner’s Office, whose contact details can be found here.
How to submit a request
Requests must be in writing. You can submit a request either by emailing Workingwell@nhs.net
by posting a letter to:
The Service Director
The Orchard Centre
Gloucester Royal Hospital