K2 Associates Ltd is keeping and processing records that include personal information about clients and patients. Under the General Data Protection Regulation there are certain duties and rights related to holding this information. Due to the medical nature of our services we hold additionally medical, work and financial information. This type of information is classified as sensitive and there are additional legal and professional requirements safeguarding it.

What information do we hold?

The information we hold is kept to a minimum and required for the provision of occupational health services. This includes information we are required to hold to comply with professional standards. These standards are set by the General Medical Council, Nursing and Midwifery Council, Health and Safety Executive and others.

We do not hold the same details about every individual as every case is different and therefore different requirements may apply.

Data we may hold:

  • Name, date of birth, national insurance number, contact details, address
  • Employer details
  • Workplace details
  • Medical information
  • Results of medical tests
  • Details about your GP or specialists
  • Information from other parties like your GP or other professionals

Reason for holding this information

Our clinical staff needs to maintain personal information to meet statutory requirements and guidelines. It also enables us to keep an accurate record of contacts that we have had with you for medical and workplace assessments.

Article 9 of the GDPR refers to holding and processing special category data. This includes health data. In Article 9 paragraph 2 (h) processing of occupational health data is stated as being justified.

Source of information
To carry out occupational health assessment we receive information from your employer and yourself. In some cases, we may receive additional information from other professionals.

Right to be forgotten
The GDPR does include a right of the data subject to request erasure. However regarding medical data this right is superseded by other laws and regulations. Therefore the right to be forgotten is limited due to other legal requirements.

Duration information is kept
The requirement to keep information and retention time is regulated by a number of laws and regulations. The most important ones are:

  • Health and Safety at Work Act 1974
  • Management of Health and Safety at Work Regulations 1999
  • Workplace (Health, Safety and Welfare) Regulations 1992
  • Control of Substances Hazardous to Health Regulations 2002
  • Control of Asbestos Regulations 2012
  • The Control of Lead at Work Regulations 2002
  • Ionising Radiation Regulations 2017
  • Work in Compressed Air Regulations 1996
  • The Control of Noise at Work Regulations 2005
  • Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995
  • The Control of Vibration at Work Regulations 2005
  • Confined Space Regulations 1997
  • Working at Height Regulations 2005, amendment 2007
  • Personal Protective Equipment Regulations 1992
  • Display Screen Equipment Regulations 1992
  • The Working Time Regulations 1998, amendment 2003
  • The Private and Voluntary Health Care (England) Regulations 2001

InformationRetention Period
Health surveillance medical information40 years from last entry
Occupational health medical recordsAt least 8 years from date of last entry, best practice is 10 years from last entry
Financial informationMinimum of 6 years from last entry

The listed retention times are minimum times and information is assessed individually if a longer retention time is required (for example for assessing vaccination and immunity the life time vaccinations schedule is required to assess appropriately).

Confidentiality and security
Medical records are kept confidential on a central server. The information is only accessed by occupational health staff for the provision of the service. Paper notes are used for a duration of 3 months to up to 3 years depending on details. They are then stored electronically according to GDPR requirements.

Due to professional requirements data cannot be anonymised for the performance of the medical assessment. We use encryption for safeguarding.

We do not share information with third party organisations without the consent of the data subject. We do only release a report to your employer with your consent. You can withdraw consent at any time until the time the report has been sent.

There are some legal requirements which can overrule the need for consent. There can be a legal obligation for disclosure due to the power to order a disclosure as it can be exercised by courts, tribunals or regulators or if a disclosure is in the public interest (e.g. if a person is putting others at significant risk).

Access to personal information
You have the right to request access to the information held about you. Please use our contact page to get in touch with us. The first copy is free which will usually be send by email. Repeated or excessive requests can be chargeable.

Due to the sensitive nature of the information we may request additional information to establish your identity.

Medical information has to comply with additional requirements. A healthcare professional can therefore withhold information if it is felt it may cause serious harm to the physical or mental health of the individual if disclosed.

Should any information we hold not be accurate we would expect you to inform us so we can amend your information.

Raising Concerns
If you have any concerns about the data we hold about you or how we use and process it, please get in touch with us via the contact page of the website to contact our Data Protection Officer. If you are still not satisfied you may contact the Information Commissioner’s Office. Our registration number is Z1336689.

Access to information from other healthcare professionals

We do not have access to your GP notes or the medical files of other healthcare professionals. In case we feel access to medical information of other healthcare professionals being of benefit we will ask you for consent before contacting your GP or specialist.

Decision making

We do not use automated decision making. Assessments are carried out by qualified healthcare professionals.

For answers to any further questions you may wish to refer to our Terms and Conditions. The link to access our terms and conditions can be found at the bottom of this page.

Cookie Policy

How we use cookies
We use cookies on this website. These will be used to improve your experience when browsing around our website. No information that is identifiable to you is used in a cookie. We identify you solely by placing a small file on your computer to help us identify which pages are being used. This helps us analyse data about webpage traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes.

How to manage cookies
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer (this may prevent you from taking full advantage of the website). To find out how to use these options please follow the instructions for your browser.

How to control cookies