Privacy Policy

Last updated 13th December 2023

At Spire Occupational Health we are committed to protecting your personal data and respecting your privacy. This Privacy Notice sets out the important details about the information (“personal data”) that Spire Occupational Health and the healthcare professionals responsible for your care will collect and hold about you, how we use your personal data, how we share it, and how we protect it.

It also sets out our commitment to comply with your right to be informed, to access, to amend, or to remove your information (“personal data”) in accordance with the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (GDPR) 2018.

Please take your time to read this Privacy Notice carefully.

About us:

Spire Occupational Health, as both the Data Controller and Data Processor, is committed to protecting the rights of the individual and acknowledges that any personal data we hold and handle will be processed in accordance with the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (GDPR) 2018.

Spire Occupational Health is a subsidiary of Spire Healthcare Group. Spire Healthcare Group Plc. (“Spire”) is a company registered under company number 09084066, and whose registered address is 3 Dorset Rise, London, EC4Y 8EN.

What personal data will be collected:

The following personal data may be collected and shared by Spire Occupational Health:

  • Personal information (e.g. Name, Address, Date of Birth, Contact Details)
  • Financial information, such as credit card details used to pay for any services
  • Past and present job roles
  • Background referral details
  • Any images taken of you by the closed-circuit television (“CCTV”) systems we have installed at our clinics

Special categories of personal data

We also collect and use more sensitive personal data (known as “special category data”) about you, such as information relating to your physical and mental health. Special category data must be handled even more sensitively than “standard” personal data. For example, if you are a patient, we will need to use personal data about your health to provide your care. Your special category data will be managed in accordance with the law and this Privacy Notice, and all applicable professional standards including guidance from the General Medical Council and British Medical Association.

The special category personal data we hold about you includes the following:

  • details of your current or former physical or mental health. This may include personal data about any healthcare services you have received (both from us directly and other healthcare providers such as GPs, dentists, or hospitals (private and/or NHS)) or need, including about clinic and hospital visits and medicines administered. This may also include details of previous healthcare services you have received from other healthcare providers in circumstances where medical negligence is alleged, or being investigated, against that third-party provider. We provide further details below on the manner in which we handle such personal data
  • details of care you have received from us including any images taken in relation to your care
  • details of your nationality, race and/or ethnicity
  • details of your religion
  • details of any genetic data or biometric data relating to you
  • data concerning your sex life and/or sexual orientation

The confidentiality of your medical information is important to us. We make every effort to prevent unauthorised access to and use of information relating to your current or former physical and mental health. In doing so, Spire Occupational Health complies with UK data protection law, including the Data Protection Act 2018, and all applicable medical confidentiality guidelines issued by professional bodies including, but not limited to, the General Medical Council and the Nursing and Midwifery Council.

Aggregated Data

We gather, use, and share information called ‘Aggregated Data’ for our internal and marketing needs. This data is a mix of statistics or general information and doesn’t show who you are. But if we ever blend this info with your personal details and it helps identify you, we’ll handle it just like personal data, following this privacy policy.

How do we collect your personal data? 

Directly from you

We collect your personal data directly from you when you:

  • Complete an online enquiry form on the Spire Occupational Health website
  • Have remote consultations with a healthcare professional including virtual or by telephone
  • Send us a question via our website, by email or by social media
  • Correspond with us via letter, email, telephone (all incoming and outgoing calls from/to patients are recorded) or social media, including where you reference Spire in a public social media post
  • Take part in marketing activities
  • Attend a clinic and are recorded on the CCTV systems we have installed

From other Healthcare Providers

  • Occupational Health Physicians (OHPs) and Occupational Health Advisors (OHAs), who have been involved in your care.
  • GPs, dentists, or hospitals (private and/or NHS), including details about clinic and hospital visits and medicines administered. This may also include details of previous healthcare services you have received from other healthcare providers in circumstances where medical negligence is alleged, or being investigated, against that third-party provider.

From other third parties

  • Your employer, human resources (if they have been involved in referring you to us)  
  • Other healthcare officers in the local authority/social services department
  • Solicitors or other third parties acting on your behalf in connection with medico-legal proceedings 
  • GDPR-compliant marketing acceleration solutions

How will your personal data be stored:

Your records will be stored in accordance with Spire Occupational Health’s medical records storage policy following GDPR regulations.

Who do we share your personal data with?

Personal information that we receive from an employer is only accessed by our own administrators, Occupational Health Physicians (OHPs), Occupational Health Advisors (OHAs), doctors, and nurses. All staff have contractual confidentiality agreements, and our processes are designed to maintain confidentiality.

Our Occupational Health reports are sent securely to the named recipient, usually a Human Resources Officer or Manager. You will know who the report is going to at the point that we request consent for dispatch.

We will not share information about ‘you’ with third parties without your consent unless the law allows us to.

If we share your personal data, we will make sure appropriate protection is in place to protect it in line with data protection laws.

Why do we process your personal data?

Spire Occupational Health will only use (“process”) your personal information for the purpose for which we collected it and for which we have a legal basis. When we use “special category” personal data, such as personal data relating to a person’s health (see the section on Special categories of personal data above), we must have a specific additional legal basis to do so.

Generally, we will rely on the following legal bases: 

  • Contract: we need to use your personal data to take steps so that you can enter into a contract with us and/or a healthcare professional to provide your care
  • Contract: we need to use your personal data to provide your care in accordance with a contract between you and Spire Occupational Health and/or a healthcare professional. We will rely on this for activities such as supporting your care and other benefits, supporting your Occupational Health Physicians (OHPs) and Occupational Health Advisors (OHAs) or other healthcare professional and providing other services to you.
  • Legitimate interests: we need to use your personal data for our legitimate business interest to process your personal data and such interest does not cause harm to you. We will rely on this for activities such as quality assurance, maintaining our business records, developing and improving our products and services and helping with research. 
  • Legal obligation: we need to use your personal data to comply with our legal or regulatory obligations. 
  • Legal claims: we need to use your special category personal data to establish, exercise or defend our legal claims. 
  • Consent: you have given us your consent to use your personal data for this purpose. 

Generally, we will only ask for your consent to use your personal data if there is no other legal basis to use it. If we ask for your consent, we will always aim to be clear and transparent about why we need your consent and what we are asking it for. Where we are relying on consent to use your personal data you have the right to withdraw your consent at any time by contacting us at info@spireoccupationalhealth.com and we will stop using your personal data for that purpose. 

Spire Occupational Health is a provider of occupational health services, designed to support businesses in the management of health and wellbeing issues in the workplace.   

You will find details of the legal bases for each of our purposes below. 

Purpose 1: To provide your occupational health care

Spire Occupational Health processes personal data and often sensitive medical information for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee. This is to ensure the health and safety of the employees at work and to allow consideration of any adjustments that may be required to support their ability to work.

Legal bases for using your personal data:

  • Contract: to provide your care and related services; and to fulfil our contract with you and your employer relating to the delivery of your care.

Additional legal bases for using your special category personal data:

  • Health or social care: to provide your care

Purpose 2: Contacting you and resolving queries or complaints

From time to time, patients may raise queries, or even complaints, with us and we take those communications very seriously. We will need to use your personal data to resolve such matters fully and properly.

Legal bases for using your personal data:

  • Contract: to provide your care and other related services; and
  • Legitimate interests: for our legitimate business interest to ensure our patients’ queries and complaints are answered, which does not overly prejudice you.

Additional legal bases for using your special category personal data:

  • Health or social care: to provide your care; and
  • Legal claims: to establish, exercise or defend our legal claims.

Purpose 3: Advising you of other services offered by Spire Occupational Health and selected third-party partners (“Marketing”)

To provide you with up-to-date information regarding our range of services which may be of interest to you. We may also seek your views and comments on the range of services we provide through surveys and questionnaires.

We do not need to use your special categories of personal data for this.

If you no longer wish to receive marketing emails sent by us, you can click on the “unsubscribe” link that appears in all of our emails. Otherwise, you can always contact us at info@spireoccupationalhealth.com to update your contact preferences.

Legal bases for using your personal data:

  • Legitimate interests: We need to use your personal data for our legitimate business interest in marketing our services to our existing clients to increase sales, which does not overly prejudice you; and
  • Consent: You have given us your consent to use your personal data for this purpose.

Additional legal bases for using your special category personal data:

  • Not applicable.

Purpose 4: For research, audit, statistics, or product testing and improvement

We may need to use your medical records to test the quality and effectiveness of new systems that we implement to improve the care and treatment we provide or assist in the management of our occupational health services. Any published data from these programmes will be in an anonymised, statistical format.

Legal bases for using your personal data:

  • Legitimate interest: for our legitimate business interest in making improvements in our systems and services which have been appropriately assessed and where we have put safeguards in place to protect your privacy so that this use does not prejudice your privacy rights; OR
  • Consent: You have given us or the organisation collecting your personal data your consent to use your personal data for this purpose.

Additional legal bases for using your special category personal data:

  • Substantial public interest: for reasons of public interest for statistical and scientific research purposes.

If we need to use your information for an unrelated purpose, we will contact you and we will explain the legal basis that allows us to do so. Please note that we may process your personal information without your knowledge or consent, in compliance with our obligations in the case of criminal investigation. 

Data Protection Policy

Your confidential Occupational Health record is not accessible by your employer and is never shared.

It is a requirement for employers making referrals to Spire Occupational Health to agree to our Data Protection Policy. This outlines the responsibilities of the referring employer and Integral Occupational Health staff for managing your personal information. In particular, it covers data security and confidentiality responsibilities. It also ensures you are aware of what information is being sent to us by your employer and that suitable controls are in place once the employer receives your Occupational Health report.

How long will data be held for:

We will only hold your personal data for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice.

  • Management referral information: 6 years after the employee has left their job or 75 years of age (whichever is soonest) as recommended by the British Medical Association (BMA).
  • Pre-placement medicals/assessments: 2 years if the employee doesn’t take up the offer of the job.
  • Pre-placement medicals/assessments: 3 years if the employee accepts the job offer.
  • Healthcare students & non-health student: 6 years, from the date they commenced post the student leaving date of the University programme.
  • Medical retirement/Deceased employees: Until any appeals have lapsed then plus 3 years.
  • Health Surveillance (as required by the Health and Safety Executive (HSE)): 40 years.

Your rights

You have certain rights in relation to your personal data that we hold about you. These include rights to know what personal data we hold about you and how it is used. We will use and hold your personal data in accordance with our obligations and these rights.

You may ask to exercise these rights at any time by contacting our DPO (contact details can be found at the bottom of this page). You will not usually be charged for exercising your rights.

These rights do not always apply in all cases, and we will let you know how we will be able to meet your request. If we cannot meet your request, we will explain why.

If you make a large number of requests or it is not reasonable for us to meet a request then we do not have to respond. Alternatively, we can charge for responding.

The right to access your personal data:
You have the right to request details and a copy of the personal data we hold about you and details about how we use it. We must confirm whether we have personal data about you, and we also need to provide you with a copy of your personal data.

We will usually provide you with your personal data in writing, unless you request otherwise. If you have made the request electronically (eg by email) the personal data will be provided to you electronically where possible.

In some cases we may not be able to fully comply with your request, for example if your request involves another person’s personal data and it would not be fair to that person to provide it to you.

The right to rectification:
You have the right to have inaccurate personal data about you corrected or removed.

The right to erasure (“right to be forgotten”):
You have the right to request that we delete certain personal data we hold about you. However, there are exceptions to this right. For example, we can refuse to delete your personal data if we need to keep it for tasks which are in the public interest, or for establishing, exercising or defending legal claims.

The right to restrict processing:
You have the right to ask us to restrict our use of your personal data. We do not have to comply with all requests to restrict our use of your personal data, for example if we need to use it for tasks which are in the public interest or for establishing, exercising or defending legal claims.

The right to data portability:
You have the right to ask us to transfer your personal data to you or to someone else in a format that can be read by computer.

The right to object to marketing:
You have the right to ask us to stop sending you marketing messages at any time and we must comply with your request.

The right not to be subject to automatic decisions:
You have the right to not be subject to automatic decisions (ie decisions that are made about you by computer without any human input) in relation to your care or other processes that have a legal or similarly significant effect on you.

Please see the section on Automated decision making for details about when we may make automatic decisions about you.

If you have been subject to an automated decision and do not agree with the outcome, you can challenge the decision by contacting our DPO (contact details can be found at the bottom of this page).

The right to withdraw consent:
You have the right to withdraw any consent you have given us to use your personal data.

The right to object to other uses of your personal data:
You have the right to object to us using your personal data in a particular way (such as sharing it with third parties), and we must stop using it in that way unless specific exceptions apply. This includes, for example, if it is necessary to defend a legal claim brought against us, or it is otherwise necessary for the purposes of your ongoing healthcare services.

The Information Commissioner’s Office (“ICO”):
You can complain to the ICO if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations.

More information can be found on the ICO website: https://ico.org.uk/

Making a complaint will not affect any other legal rights or remedies that you have.

How can you contact us about your data or your data rights?

If you wish to contact us about your data, or if you require any further information in addition to what is included in this privacy notice, please contact our Data Protection Officer at – Spire Occupational Health, 3 Dorset Rise, London EC4Y 8EN. Email – dataprotection@spirehealthcare.com, Telephone – 020 8295 8250

How do I make a complaint about the way my data is being processed?

Spire Occupational Health is committed to protecting your data. If you are not happy with the way in which we process your data, you may wish to make a complaint.

In the first instance, please reach out to Spire Occupational Health via email at info@spireoccupationalhealth.com stating your name, date of birth, contact details, and the nature of your complaint against Spire Occupational Health.

If you are not happy with the response you receive or if you think we have not complied with our legal obligations, you may also wish to contact the UK data protection regulator, the Information Commissioner’s Office (“ICO”), whose contact details are available at https://ico.org.uk

Making a complaint will not affect any other legal rights or remedies that you have.

Updates to this Privacy Policy

We may update this Privacy Notice from time to time to ensure that it remains accurate.

The Privacy Policy was last updated in February 2024.