Candidate/you – the individual undergoing testing with Express Medicals

Data controller – for the purposes of our operations, Express Medicals is the data controller

Data processor – any third party that is contracted to provide professional services to, or on behalf of, Express Medicals

Employer – the company who booked your testing and receives results. This may be a direct employer, an employment agency, a sponsor or sub-sponsor.

Personal data – any data from which an individual can be identified e.g. name, date of birth, National Insurance number

Results – the outcome of any medical assessment, screening or testing undertaken on a candidate

Sensitive personal data – this will include data relating to the health of an individual

Sponsor – as per Employer, particular to Network Rail and London Underground. A candidate working, or planning to work on, the Network Rail infrastructure will have one “primary sponsor” and may have up to two additional “sub-sponsors”.



Employers have a duty of care – and with regard to some medical conditions, a legal obligation – to protect their workforce by ensuring that they are fit to carry out their duties safely.

Personal and sensitive data may only be collected, processed, stored and disclosed by Express Medicals with the candidate’s explicit consent. There are, however, extenuating circumstances which will override this requirement – for example, where disclosure is required by law or where there is immediate danger to the candidate’s health.

If consent is not given, data collection must not take place. A candidate may also withdraw consent at any time up until the results are processed and released to the employer.

All data is handled in accordance with the Data Protection Act 1998.

Express Medicals are registered with the Information Commissioner’s Office as a data controller. Our registration number is Z5278800.

All reasonable efforts are made to protect the confidentiality, integrity and availability of your data at every stage from collection to archiving or destruction.


Our Data Protection Officer can be contacted as below:


Data Protection Officer

Express Medicals Ltd

8 City Business Centre

Lower Road


SE16 2XB


Purposes for which personal data may be held

Personal data relating to candidates is collected primarily for the purposes of:

  • medical assessment
  • health surveillance
  • drugs and alcohol screening/testing

Sensitive personal data includes information relating to the following matters:

  • medical history
  • details of any prescribed or over the counter medication used
  • lifestyle information, including the use of alcohol, tobacco or illicit drugs

Processing of personal data

Some of our data collection is paper-based. Details of assessments are recorded on forms which are processed and stored in a secure facility at our Head Office. Express Medicals also uses a range of electronic products and platforms to process your data. Some of these are required by specialised organisations responsible for recommending industry standards and maintaining industry-specific databases (e.g. CBH, Sentinel), and others are purchased by Express Medicals in order to optimise the efficiency and security of data processing.

Third party data processors

In order to optimise the delivery of our services, Express Medicals has contracts with a network of approved suppliers. In addition to those mentioned above, these suppliers deliver key services including:

  • Laboratory testing of biological samples for diagnostic purposes
  • Provision of occupational health and specialist services e.g. counselling
  • Scanning, indexing and secure destruction of paper clinical records

Disclosure of results

In all cases, results will be reported back to the candidate and/or the person(s) who are formally designated to receive results e.g. employer. Results may be conveyed as follows:

  • Fax – if we are asked to send results via fax we will phone the designated results person prior to transmission to ensure that the fax number is correct and that they are present to receive the results
  • Post – all outgoing mail is sent in envelopes marked “Private & Confidential”
  • Email – appropriate measures are applied to ensure the security of results sent via email
  • Secure customer portal
  • Industry-specific database e.g. Sentinel

Retention and destruction of records

  • Medical records are retained by Express Medicals for up to 50 years, in accordance with employment legislation which states that certain occupational health medical history records must be available throughout the duration of one’s working life.
  • Express Medicals keeps electronic records of candidates’ information on databases which can only be accessed by authorised Express Medicals personnel.
  • Express Medicals has a contract with an approved supplier for the collection, secure transport, scanning and secure destruction of all our paper records.
  • Any extraneous paper records containing sensitive personal data are disposed of securely.  

Access to personal data

  • Candidates have the right to access data held about them. Express Medicals will arrange for the candidate to receive or review all data held about them. Alternatively a candidate may request specific information e.g. all medicals undertaken between 2008-2012.
  • Such requests must be made in writing (post, fax, email or delivered in person) and addressed for the attention of the Data Protection Officer.
  • Requests will incur a £25 + VAT administration fee. Once the fee is received, a response will be issued within 40 days with details of the information held / requested.