Definitions

Data – information held by Express Medicals

Data controller/we/our – for the purposes of our operations, Express Medicals is the data controller

Data processor – any third party that is contracted to provide professional services to, or on behalf of, Express Medicals

Data subject/you – the individual undergoing testing with Express Medicals

Employer – the company who booked your testing and receives results. This may be a direct employer, an employment agency, a sponsor or sub-sponsor.

Personal data – any data from which an individual can be identified e.g. name, date of birth, National Insurance number

Results – the outcome of any medical assessment, screening or testing undertaken on a data subject

Sensitive personal data – this will include data relating to the health of an individual

Sponsor – as per Employer, particular to Network Rail and London Underground. A data subject working, or planning to work on, the Network Rail infrastructure will have one “primary sponsor” and may have up to two additional “sub-sponsors”.

Introduction

Employers have a duty of care – and with regard to some medical conditions, a legal obligation – to protect their workforce by ensuring that they are fit to carry out their duties safely.

Personal and sensitive data may only be collected, processed, stored and disclosed by Express Medicals with your explicit consent. There are, however, extenuating circumstances which will override this requirement – for example, where disclosure is required by law or where there is immediate danger to your health.

If consent is not given, data collection must not take place. You have the right to withdraw consent at any time up until the results are processed and released to your employer.

More information about data subject rights can be found at https://ico.org.uk/for-organisations/guide-to-data-protection/principle-6-rights/

All data is handled in accordance with relevant Data Protection legislation.

Express Medicals are registered with the Information Commissioner’s Office as a data controller. Our registration number is Z5278800.

All reasonable efforts are made to protect the confidentiality, integrity and availability of your data at every stage from collection to archiving or destruction.

This includes any data obtained by Express Medicals from data subjects, employers and data processors – including intellectual property – for the purpose of providing or facilitating professional services.

Our Data Protection Officer can be contacted as below:

Data Protection Officer

Express Medicals Ltd

8 City Business Centre

Lower Road

London

SE16 2XB

dpo@expressmedicals.co.uk

Purposes for which personal data may be held

Personal data is collected primarily for the purposes of:

  • medical assessment
  • health surveillance
  • drugs and alcohol screening/testing

Sensitive personal data includes information relating to the following matters:

  • medical history
  • details of any prescribed or over-the-counter medication used
  • lifestyle information, including the use of alcohol, tobacco or illicit drugs

Processing of personal data

Some of our data collection is paper-based. Details of assessments are recorded on forms which are processed and stored in a secure facility at our Head Office.

Express Medicals also uses a range of electronic products and platforms to process your data. Some of these are required by specialised organisations responsible for recommending industry standards and maintaining industry-specific databases (e.g. CBH, Sentinel), and others are purchased by Express Medicals in order to optimise the efficiency and security of data processing. Express Medicals will not transfer your data outside the European Economic Area (EEA) without appropriate protection. We will never sell your data on, or use it for purposes other than those for which it was originally collected.

Third party data processors

In order to optimise the delivery of our services, Express Medicals has contracts with a network of approved suppliers.  In addition to those mentioned above, these suppliers deliver key services including:

  • Laboratory testing of biological samples for diagnostic purposes
  • Provision of occupational health and specialist services e.g. counselling
  • Scanning, indexing and secure destruction of paper clinical records

Disclosure of results

In all cases, results will be reported back to you and/or the person(s) who are formally designated to receive results e.g. your employer.

Results may be conveyed as follows:

  • Fax – if we are asked to send results via fax, we will phone the designated results person prior to transmission to ensure that the fax number is correct and that they are present to receive the results
  • Post – all outgoing mail is sent in envelopes marked “Private & Confidential”
  • Email – appropriate measures are applied to ensure the security of results sent via email
  • Secure customer portal
  • Industry-specific database e.g. Sentinel

Retention and destruction of records

  • Medical records are retained by Express Medicals in line with our retention schedule. Records are not held for longer than is necessary, and the retention schedule takes into consideration the retention requirements of any applicable legislation or standards e.g. The Control of Asbestos at Work Regulations; Network Rail.
  • Express Medicals keeps electronic records of data subjects’ information on databases which can only be accessed by authorised Express Medicals personnel.
  • Express Medicals has a contract with an approved supplier for the collection, secure transport, scanning and secure destruction of all our paper records.
  • Any extraneous paper records containing sensitive personal data are disposed of securely.

Access to personal data (subject access requests)

  • Data subjects have the right to access data held about them. Express Medicals will arrange for the data subject to receive or review all data held about them. Alternatively, a data subject may request specific information, e.g. all medicals undertaken between 2008 and 2012.
  • Such requests must be made in writing (post, fax, email or delivered in person) and addressed for the attention of the Data Protection Officer.
  • A response will be issued within one month.