All OHS staff work to a strict code of ethics concerning the confidentiality of consultations and medical records. All staff, both clinical and non-clinical, cannot and will not disclose medical information of employees in their charge without the prior consent of those employees.
OHS will provide advice to the University and its departments without breaching medical confidentiality by disclosing any medical conditions. This advice should be treated by the recipients as sensitive personal data in respect of the General Data Protection Regulation (GDPR) and related UK data protection legislation.
Liaison with others
Personal information conveyed to Occupational Health will not be disclosed to anyone without your explicit and informed consent (other than in exceptional circumstances as outlined below). By law we will need to give an outcome of the assessment to the relevant manager; this will almost always be limited to a recommendation of fitness to continue with the usual work. If there is evidence of a medical condition arising from work activities we will discuss this with you and seek your consent to provide advice to your manager about the next steps at work to protect your health.
Limitations to confidentiality
We can only release information without your consent in very rare, exceptional circumstances - these are:
- instruction to disclose by a Court Order
- if disclosure is necessary to prevent the exposure of you or others to a risk of death or serious harm; in these cases we will continue to work with you and keep you informed - only the minimum information would be disclosed
How we manage the information you share with us
We keep paper based and electronic records of the information you provide to us. All personal and sensitive data that we hold is processed according to the requirements of the Data Protection Act and GDPR legislation 2018.
The Occupational Health Service collects anonymized statistical information for audit, evaluation and freedom of information purposes only.
Accessing medical records held by Occupational Health
Individuals have the right to ask for and obtain confirmation as to whether or not the University Occupational Health Service (OHS) holds any personal data which concerns them.
If personal data is held by OHS, individuals then have the additional rights to access that data and be provided with a copy of that data. To do this please complete the ‘Access to Medical Records form’ and send a signed copy to firstname.lastname@example.org.
General Data Protection Regulation (GDPR)
Medical data the Occupational Health Service collects, stores and shares (with individual's consent as captured in the previous paragraph) is classed as special category data under GDPR and is subject to specific processing conditions. OHS uses your personal information to allow us to advise and support you in accordance with your requirements and the consent you have given us.
Correcting incorrect data held by Occupational Health
The University Occupational Health Service (OHS) is obligated to ensure, as much as is reasonable, that the data it holds on individuals is accurate and up-to-date. If an individual’s personal details or medical conditions change, OHS asks that the individual informs them of any changes as soon as possible.
Individuals also have the right to ask OHS to correct their data if they believe it to be incorrect, incomplete or inaccurate. This can be done by emailing email@example.com detailing any changes that you believe need to be made. Depending on the nature of the changes, OHS may have to contact you to discuss this further.
Right to erasure
Individuals have the right to request that the data held on them by the University Occupational Health Service (OHS) is deleted - this is sometimes referred to as the ‘right to be forgotten’.
It is important to note that this is not an absolute right, meaning that other rights and legal duties must be safeguarded, eg fulfilling an employer’s legal obligation to protect the health and safety of its employees as set out in the Health & Safety at Work Act 1974 and where the individual has been subjected to Health Surveillance assessments under specific Health and Safety Executive legislation. The Information Commissioner’s Office website provides more details on when this right can be applied.
Medical record retention schedules
Your Occupational Health records will be stored by Occupational Health Service for as long as you are a ‘worker’ with the University of Oxford plus 6 years or until your 75th birthday, whichever is the sooner. Where the job application has been rejected, the medical records will be kept for 2 years. Further information in regards to these schedules can be found on the NHS Information Governance Alliance (IGA) guidance.
However where there is Health Surveillance assessments under 'Control of Substances Hazardous to Health' (COSHH) or any other Health and Safety Executive (HSE) legislations for health surveillance - such as noise or hand-arm vibration syndrome - the medical records specific to relevant legislation will be kept for a minimum of 40 years and in line with the retention schedules set out within the HSE regulations. Occupational Health notes and any results that accompany these tests should be kept for the same period.