Fusion Occupational Health Limited has a responsibility to document how we will protect your personal data. This is a legal requirement of the UK GDPR under the ‘Right to be informed’.
This privacy notice will outline our responsibilities to you. This privacy notice was last updated in September 2023.
1.0 Key Terms
1.1 Whilst every effort has been made to outline our responsibilities to you in as clear, concise, and easy to understand manner as possible, we do need to use certain terms throughout this privacy notice.
1.2 We will now provide an easy-to-understand definition of each term:
- Client or Clients: The organisation or data subjects, whereby Fusion Occupational Health Limited will be processing personal data;
- Data Controller: A data controller has the responsibility of deciding how personal data is processed, the purpose for the data processing, and how to securely protect the personal data;
- Data Processing Agreement (DPA): A data processing agreement, or DPA, is an agreement between a data controller (such as a company) and a data processor (such as a third-party service provider). It regulates any personal data processing conducted for business purposes;
- Data Processor: In a similar way to data controllers, data processors must protect people’s personal data. However, they only process it in the first place on behalf of the data controller. They would not have any reason to have the personal data if the data controller had not asked them to do something with it;
- Data Protection Act (DPA 2018): The DPA 2018 sets out the legal data protection framework in the UK. It contains three separate data protection regimes:
  - Part 2: sets out a general processing regime (the UK GDPR);
  - Part 3: sets out a separate regime for law enforcement authorities; and
  - Part 4: sets out a separate regime for the three intelligence services.
- Data Subject: A data subject is a living person who can be identified from personal data, very often an employee of the client, for example;
- GDPR: This stands for General Data Protection Regulation (GDPR), the UK’s agreed standards for data protection that are also written into UK law through the Data Protection Act 2018 (DPA 2018).
- Individual Rights: In UK data protection law, individuals have rights over their personal data. These rights allow the individual to ask the data controller to do something, or stop doing something, with their personal data. There are eight individual rights;
- Information Commissioner’s Office (ICO): The Information Commissioner’s Office (ICO) is the UK’s independent body set up to uphold information rights;
- Joint Data Controller: If two or more data controllers jointly determine the purposes and means of processing the same personal data, they are joint controllers.
- Lawful Basis: A lawful basis is the legal reason or legal grounds relied upon for the processing of an individual’s personal data. There are six lawful bases to choose from: consent, contract, legal obligation, legitimate interest, public task, and vital interests;
- OHS: Means the Occupational Health & Safety provider. In this instance, Fusion Occupational Health Limited.
- Personal Data: Personal data is information about who you are, where you live, what you do, and more. It is all information that identifies you as a data subject;
- Privacy and Electronic Communications Regulations 2003 (PECR): PECR sits alongside the DPA 2018 and the UK GDPR. This legislation gives people specific privacy rights in relation to electronic communications, and electronic processing of their personal data;
- Processing: Processing means taking any action with someone’s personal data, including processing the data for a specific purpose, storing the data, and archiving the personal data.
- Sub Processors: A data sub processor is a data processor handling data on behalf of a company that is also acting as a data processor. Acting as a sub processor, the company will have or potentially will get access to the personal data of the data controller’s customers.
2.1 The scope for Fusion Occupational Health Limited is any data subject whose personal data is processed upon instruction from the client, in line with UK privacy legislation including the DPA (2018), PECR (2003), and UK GDPR.
2.2 We also acknowledge any additional responsibilities requested by the industry regulator in the UK, the Information Commissioner’s Office (ICO). We also adhere to a strict information governance code of conduct by Safe Effective Quality Occupational Health Service (SEQOHS), a professional occupational health body, whilst also adhering to the Society of Occupational Medicine (SOM) ‘Data Processing Code of Conduct for Occupational Health and Wellbeing Services’.
2.3 The DPA (2018) and UK GDPR have a material scope covering personal data that is processed either electronically or is processed as part of a physical paper filing system.
2.4 Fusion Occupational Health Limited will adhere to the seven UK GDPR data processing principles when handling personal data:
- Lawfulness, Fairness, and Transparency
- Purpose Limitation
- Data Minimisation
- Accuracy
- Storage Limitation
- Integrity and Confidentiality (Security)
- Accountability
2.5 All associates and employees of Fusion Occupational Health Limited who interact with clients and data subjects are responsible for ensuring that this privacy notice is drawn to their attention at the earliest available opportunity.
3.1 Fusion Occupational Health Limited is a private limited company, based in Wales, under company registration number 10168800, complying with the laws of the United Kingdom, with particular reference to the Companies Act (2006).
3.2 Fusion Occupational Health Limited is registered with the ICO under registration number ZA199275.
3.3 Fusion Occupational Health Limited acts as a data controller, joint data controller, and data processor. We are responsible for the personal data that we process, and have our own measures for ensuring compliance with the UK data controller regulations for the personal data we are legally responsible for.
3.4 Fusion Occupational Health Limited’s processing of personal data is necessary for the purpose of preventative or occupational medicine, for the assessment of the working capacity, medical diagnosis, and the management of employee/individual health.
3.5 From time to time we may appoint sub-processors on behalf of Fusion Occupational Health Limited. We will always ensure that a written agreement is in place with each of our data processors documenting how personal data will be processed, safeguarded, and stored. Fusion Occupational Health Limited has the overall responsibility for all data processors.
3.6 Fusion Occupational Health Limited has a duty of care, acting as a data controller, to appoint a Data Protection Officer (DPO). We have a legal obligation to notify the ICO of their name and contact details. Our appointed Data Protection Officer (DPO) is CSRB Limited. They can be contacted via email at firstname.lastname@example.org.
3.7 Fusion Occupational Health Limited uses lawful bases, as set out in UK GDPR Article 6, when we process your personal data:
- Contract – personal data is processed by us for the purposes of supplying our preventative or occupational health services to you. A detailed contract and accompanying Data Processing Agreement (DPA) will be reviewed and signed by both parties;
- Legal Obligation – processing is necessary for the purposes of supplying our preventative or occupational health services to you. This processing complies with the UK’s legal provision set out in the Data Protection Act (2018) Schedule 1, Part 1, Section 1(a). The processing of personal data on behalf of an employer by an Occupational Health and Safety provider (OHS) also extends to a data subject who intends to enter, or has entered, a legal contract with that employer. This may include job applicants subject to pre-employment health screening or assessments, and the processing of personal data of a data subject who has left the employment of the employer (“a Leaver”);
- Legitimate Interests – personal data is processed by us to communicate with the client, data subject, or individual regarding relevant important business or commercial information, and to inform you of complimentary services provided by us, in addition to solicited direct marketing to existing clients under the PECR ‘soft opt-in’ exemption.
3.8 Fusion Occupational Health Limited may process certain special category data on behalf of our clients. This may include the following categories of personal data:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life; and
- data concerning a person’s sexual orientation.
3.9 Fusion Occupational Health Limited ensures that all processing of the above special category data is lawful, fair, transparent, and complies with all the data processing principles of the UK GDPR.
3.10 Fusion Occupational Health Limited can only process special category data if we can meet one of the specific conditions in Article 9 of the UK GDPR. We may also have to meet additional conditions set out in the DPA (2018). The Article 9 conditions we use are:
- Explicit consent.
- Employment, social security, and social protection (if authorised by law). This condition is met if:
  - the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the data controller or the data subject in connection with employment, social security, or social protection; and
  - when the processing is carried out, the data controller has an appropriate policy document in place (e.g., a data processing agreement).
  There are additional safeguards in place, as required in Part 4 of Schedule 1 of the DPA 2018, which document that:
  - the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the data controller or the data subject in connection with employment, social security, or social protection; and
  - when the processing is carried out, the data controller has an appropriate policy document in place (that complies with the data processing principles outlined in Article 5 of the UK GDPR).
- Health or social care (with a basis in law). This condition is met if the processing is necessary for health or social care purposes, which means the purposes of:
  - preventive or occupational medicine;
  - the assessment of the working capacity of an employee;
  - medical diagnosis;
  - the provision of health care or treatment;
  - the provision of social care; or
  - the management of health care systems or services, or social care systems or services.
3.11 Fusion Occupational Health Limited may transfer personal data we collect about you to countries outside the UK, including the EEA/EU/USA. We treat each international data transfer individually and assess the risk associated with the transfer, and whether a suitable level of adequacy with UK data privacy legislation is available in the country to which the personal data is being transferred.
3.12 Data transfers within the EEA/EU/UK can flow freely under the ‘Adequacy Decision’ agreed between the UK and European Parliament on 27 June 2021. If the international data transfer is outside the EU/EEA/UK, then risk assessment criteria and appropriate safeguards would be put in place, such as Data Protection Impact Assessments (DPIAs).
4.1 Fusion Occupational Health Limited processes personal data in a fair way. We do this by putting the individual’s rights at the heart of all processing in regard to personal data. There are eight individual rights:
- Right to be informed – data subjects have the right to know why we are collecting and processing personal data; this right is met by the provision of this privacy notice and any subsequent privacy documentation;
- Right of access – you have the right to know what personal data we have on record and request a copy;
- Right of rectification – you have the right to correct personal data that we hold about you that is inaccurate or incomplete;
- Right to be forgotten – in certain circumstances, you can ask for the personal data we hold about you to be erased from our records;
- Right to restriction of processing – where certain conditions apply, you have a right to ask us to only process your personal data for certain processing activities;
- Right of portability – you have the right to have the personal data we hold about you transferred to another data controller;
- Right to object – you have the right to object to certain types of data processing, such as marketing;
- Right to object to automated processing, including profiling – you also have the right to object to the legal effects of automated processing or profiling.
4.2 Fusion Occupational Health Limited will only handle personal data in ways that individuals would reasonably expect, and not use it in ways that have unjustified adverse effects on them.
4.3 Fusion Occupational Health Limited will obtain personal data in a fair way.
4.4 Fusion Occupational Health Limited always considers the rights and freedoms of data subjects when processing personal data, whether they are individuals or part of a wider group.
4.5 Fusion Occupational Health Limited will have a written agreement with each client setting out the terms and responsibilities that the OHS and the client agree to as part of the service delivery. An OHS and/or the client may take specialist legal advice in the drafting of an agreement. The following terms should be referenced.
- 4.5.1 Purpose for processing data.
- 4.5.2 Fair processing.
- 4.5.3 Roles and responsibilities.
- 4.5.4 Definitions.
- 4.5.5 Legal basis for sharing data.
- 4.5.6 Data security and technical measures.
- 4.5.7 Data retention periods.
- 4.5.8 Data transfer into the OHS (Beginning of Contract).
- 4.5.9 Data transfer from the OHS (End of Contract).
- 4.5.10 Data destruction.
- 4.5.11 Subject Access Requests.
- 4.5.12 Data breach notification procedure.
- 4.5.13 Compliance and monitoring of data processing activities.
- 4.5.14 Key contacts for data processing purposes.
5.1 Transparency is fundamentally linked to fairness. Fusion Occupational Health Limited will always be clear, open, and honest with people from the start about who we are, and how and why we need to use your personal data.
5.2 Fusion Occupational Health Limited will inform clients and data subjects from the outset regarding the types of personal data we need to process, usually within our business terms, contract documentation, this privacy notice, and other privacy documentation.
5.3 Fusion Occupational Health Limited processes the following personal data types as a minimum:
- Contact Data (e.g., name, email address, telephone number, address);
- Identity Data (e.g., date of birth, passport number, driving licence number);
- Location and Other Data (e.g. occupational/social history, travel details where necessary);
- Special Category Data (information relating to health, which could include reasons for absence and GP reports and notes, and biometrics as outlined in paragraph 3.8 above).
5.4 Fusion Occupational Health Limited informs individuals about all personal data processing in a way that is easily accessible and easy to understand, using clear and plain language. We do this by ensuring all Fusion Occupational Health Limited’s employees receive annual data protection and UK GDPR training, whilst having a company information governance framework with up-to-date policies, procedures, and processes.
5.5 Fusion Occupational Health Limited hopes we can resolve any query or concern you raise about our use of your personal data. You can contact Fusion Occupational Health Limited in the first instance at any time by telephone on 0333 241 3082, via email at email@example.com, or you can write to us at Fusion Occupational Health Limited, 1st Floor, Fusion House, Block A, Van Court, Caerphilly Business Park, Caerphilly CF83 3ED.
5.6 Fusion Occupational Health Limited has appointed a certified Data Protection Officer (DPO) to act in the interests of all parties. Should you require further information with regards to personal data processing and the protection of your personal data, please contact our nominated DPO at CSRB Limited. They can be contacted via email at firstname.lastname@example.org.
5.7 Should we not be able to resolve the complaint, you have the right to lodge a complaint with the lead authority. The lead authority in the UK is the Information Commissioner’s Office (ICO), who may be contacted by telephone on 0303 123 1113 or by visiting www.ico.org.uk.
6.0 Purpose Limitation
6.1 Fusion Occupational Health Limited will always be clear about what the purpose is for any personal data processing from the very start. We process your personal data for the following purposes:
- For the purpose of preventative or occupational medicine;
- For the assessment of employee working capacity;
- For the management of employee health;
- For legal purposes relating to the testing and reporting of COVID test results;
- To carry out our obligations arising from any contracts entered into between you and us;
- To notify you about important legal changes to our company and the services we provide;
- To provide you with information, products, or services that you request from us or which we feel may be of interest to you, where you have consented to be contacted;
- With your consent, Fusion Occupational Health Limited may share your personal data with our associate companies on a case by case basis so that they may provide an expert assessment and support:
- OH Physicians
- Health Assured – EAP Service
- Laboratories for biometrics
6.2 There is a legal obligation to share COVID-19 test results with the Public Health Authorities. This data will be shared with them directly from the testing laboratory.
6.3 Although Fusion Occupational Health Limited does not use explicit consent as the purpose for processing data, where we process special categories of information relating to an employee’s health we will always obtain informed consent to those activities, unless this is not required by law or the information is required for protection in an emergency. This is in line with our medical best practice ethics.
6.4 Fusion Occupational Health Limited will record our purposes for personal data processing as part of our contract obligations. We will also specify them in any additional privacy documentation provided.
6.5 Fusion Occupational Health Limited will only use your personal data for a new purpose if this is either compatible with the original purpose, or we obtain consent, or we have a clear obligation, or function set out in law.
6.6 Where relevant, Fusion Occupational Health Limited may also share personal data with third parties, such as:
- Trusted third party partners who we work alongside and who process personal data on our behalf, with regards to agreements and contracts, or for the provision of supplementary support services. Disclosure of the nominated trusted third-party partner would be provided at the agreement/contract stage and a relevant Data Processing Agreement (DPA) would be put in place to protect all personal data, from a data controller, data processor, and data subject perspective;
- Fraud prevention agencies, money laundering agencies, and other professional associations;
- Regulators and law enforcement agencies, including the Police, HM Revenue and Customs, or any other relevant authority who may have jurisdiction. We would always inform you ahead of acting on any instructions to proceed.
6.7 Fusion Occupational Health Limited collects personal data from you directly via the following channels:
- Using our online portal or paper-based questionnaire to complete a health assessment;
- Taking part in an occupational health consultation (telephone, video, or face to face) following a management referral;
- By attending any face to face appointments for health surveillance, health and wellbeing events, etc;
- Requesting a COVID Test by telephone, completing a booking form, or providing details for the test record;
- Voluntarily completing a customer survey or providing feedback on any of our message boards or via email.
6.8 Fusion Occupational Health Limited may also receive your personal data indirectly from your employer organisation. Your employer will notify you of the personal data they shared with us as part of the recruitment or management referral processes. Our Company will also inform you of the information that has been shared when we contact you at your consultation/appointment.
7.0 Data Minimisation
7.1 Fusion Occupational Health Limited always ensures the personal data we are processing is:
- adequate – sufficient to properly fulfil our stated purpose;
- relevant – has a rational link to that purpose; and
- limited to what is necessary – we do not hold more than we need for that purpose.
The UK GDPR does not define these terms. As this is the case, Fusion Occupational Health Limited accepts these terms may have a differing definition from one individual to another, as the processing will depend on the specified purpose for collecting and using the personal data.
7.2 In order to assess whether we are holding the right amount of personal data, we demonstrate clearly why we need it, before any data processing activities take place.
7.3 For special category data or criminal offence data, we understand the importance of collecting and retaining only the minimum amount of information.
7.4 Fusion Occupational Health Limited undertakes an annual data protection audit with an external certified data protection service provider, to review our personal data processing, and to check that the personal data we hold is still relevant and adequate for the stated purposes.
8.1 Fusion Occupational Health Limited will take all reasonable steps to ensure the personal data we hold is accurate and up to date.
8.2 Fusion Occupational Health Limited will take reasonable steps to ensure that personal data we hold is not incorrect. This may involve contacting you via our official communication channels, to ensure all personal data held is accurate.
8.3 Fusion Occupational Health Limited will always record the source of where personal data came from and ensure the source is compliant with UK privacy laws, including the UK GDPR.
8.4 If we need to keep a record of a mistake, where we have clearly identified it as a mistake, we add this to our records of processing for audit purposes, and continuous improvement.
8.5 All of Fusion Occupational Health Limited’s records clearly identify any matters of opinion, and where appropriate whose opinion it is, and any relevant changes to the underlying facts.
8.6 Fusion Occupational Health Limited will comply with the individual’s right to rectification, and carefully consider any challenges to the accuracy of the personal data.
8.7 As a matter of good practice, we keep records of processing of any challenges to the accuracy of the personal data.
9.0 Storage Limitation and Deletion
9.1 Fusion Occupational Health Limited will not keep personal data for any longer than is necessary to fulfil the original stated purpose for the processing of such personal data.
9.2 Fusion Occupational Health Limited will only keep personal data for the period outlined to meet the requirements of the contract, legal obligation, or legitimate interest identified.
9.3 Any retention of personal data will be carried out in compliance with legal, professional body, and regulatory obligations. These data retention periods are subject to change, due to any revisions of associated legislation, regulations, or requirements.
9.4 Fusion Occupational Health Limited acknowledges that UK privacy legislation does not determine how long personal data needs to be kept. This is up to the data controller to determine and document accordingly at the earliest possible opportunity.
9.5 Fusion Occupational Health Limited has a personal data retention policy in place, which documents the categories of personal data we hold, what we use it for, and how long we intend to keep it.
9.6 Fusion Occupational Health Limited periodically reviews the personal data we hold, and erases or anonymises it, when we no longer need to process it for the original purpose.
9.7 Fusion Occupational Health Limited also considers any challenges to the retention of personal data. We understand that individuals have a right to erasure if we no longer need their personal data.
9.8 Fusion Occupational Health Limited acknowledges there are exceptions to retention periods. Here we can keep personal data for longer if we are only keeping it for public interest archiving, scientific, or historical research, or statistical purposes. We would always inform you if this was the case, along with our lawful basis for retention.
9.9 When Fusion Occupational Health Limited is provided with an instruction to destroy data, it must be destroyed irretrievably, whether in paper or electronic format. Paper records will be destroyed by an approved contractor who can provide evidence of destruction and a certificate of destruction. Fusion Occupational Health Limited will retain this certificate.
9.10 Fusion Occupational Health Limited also has secure destruction procedures and processes for any of the devices it has used for the storage of personal data. Fusion Occupational Health Limited will retain evidence of any equipment destruction and confirms that the destruction is beyond any prospect of retrieving data stored within the device.
10.0 Data Transfer and Confidentiality (Security)
10.1 Fusion Occupational Health Limited will undertake an analysis of the risks presented by our personal data processing and use this to assess the appropriate level of security we need to put in place. We review our Business Continuity Plan (BCP) annually.
10.2 We have an information security policy and take steps to make sure the policy is implemented. For example, we employ a Chief Information Security Officer (CISO), and undertake annual information security reviews. We make sure that we regularly review our information security policies and measures and, where necessary, improve them.
10.3 Fusion Occupational Health Limited makes sure that we can restore access to personal data in the event of any data incidents or personal data breaches, by the implementation of an appropriate data backup procedure.
10.4 Fusion Occupational Health Limited conducts regular penetration testing and reviews of our measures to ensure they remain effective, and act upon the results of those tests where they highlight areas for improvement or heightened risk.
10.5 Where appropriate, we implement measures that adhere to an approved code of conduct or certification mechanism, such as Cyber Essentials certification, and additional quality standards such as ISO 27001.
10.6 We ensure that any data processor we engage implements appropriate technical safeguards for all data.
10.7 Fusion Occupational Health Limited does track website behaviour in order to offer data subjects an enhanced client experience and for organisational analytics. Fusion Occupational Health Limited has engaged ZoomInfo Technologies LLC via their ZoomInfo platform, which can record website page movements and associated IP locations potentially containing the personal data of data subjects. The data derived from the analytics is processed via our Zoho CRM, provided by Zoho Corporation Pvt Limited. The UK GDPR and PECR interpret data collected by cookies as personal. They prohibit the collection of personal data without consent, which means a website is only allowed to collect information that the user voluntarily inputs. This includes name, email address, phone number, or any other information that the user shares with the website. The cookie consent must be freely given, specific, informed, and unambiguous.
11.1 Accountability is one of the UK GDPR data processing principles. Fusion Occupational Health Limited takes our accountability commitments under the UK GDPR very seriously, as documented by this privacy notice.
11.2 Fusion Occupational Health Limited has put in place several measures that we can, and in some cases must take, including:
- adopting and implementing data protection policies and procedures;
- taking a ‘data protection by design and default’ approach;
- putting written contracts in place with those whose personal data we control and process;
- maintaining documentation of our processing activities;
- implementing appropriate security measures;
- recording and, where necessary, reporting personal data breaches;
- carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests;
- ensuring all Fusion Occupational Health Limited employees receive annual UK GDPR and privacy legislation training;
- appointing a data protection officer; and
- adhering to relevant codes of conduct and signing up to certification schemes (where applicable).
11.3 Fusion Occupational Health Limited understands that accountability obligations are ongoing. We review and, where necessary, update the measures we have put in place. For example, we continually enhance our privacy management framework, as this can help embed our accountability measures and create a culture of privacy across our organisation.
11.4 Fusion Occupational Health Limited understands that being accountable can help build trust with individuals and may help mitigate any gaps in compliance, and thus any potential regulatory enforcement action.
11.5 If you have any questions or concerns about how we process and protect your personal data not covered in this privacy notice, please contact Fusion Occupational Health Limited by telephone on 0333 241 3082 or via email at email@example.com.