Clinical Privacy Notice
Clinical Privacy Notice
Data – information held by Hybrid Medical
Data controller/we/our – for the purposes of our operations, Hybrid Medical is the data controller
Data processor – any third party that is contracted to provide professional services to, or on behalf of, Hybrid Medical
Data subject / you – the individual undergoing testing with Hybrid Medical
Employer – the company who booked your testing and receives results. This may be a direct employer, an employment agency, a sponsor or sub-sponsor.
Information Commissioner’s Office / ICO – the UK’s independent regulatory office in charge of upholding information rights
Personal data – any data from which an individual can be identified e.g. name, date of birth, National Insurance number
Results – the outcome of any medical assessment, screening or testing undertaken on a data subject
Sensitive personal data – this will include data relating to the health of an individual
Sponsor – as per Employer, particular to Network Rail and London Underground. A data subject working, or planning to work on, the Network Rail infrastructure will have one “primary sponsor” and may have up to two additional “sub-sponsors”.
Employers have a duty of care – and with regard to some medical conditions, a legal obligation – to protect their workforce by ensuring that they are fit to carry out their duties safely.
Personal and sensitive data may only be collected, processed, stored and disclosed by Hybrid Medical with your explicit consent. There are, however, extenuating circumstances that will override this requirement – for example, where disclosure is required by law or where there is immediate danger to your health.
If consent is not given, data collection must not take place. You have the right to withdraw consent at any time up until the results are processed and released to your employer.
All data is handled in accordance with relevant Data Protection legislation, and all reasonable efforts are made to protect the confidentiality, integrity and availability of your data at every stage from collection to archiving or destruction. This includes any data obtained by Hybrid Medical from data subjects, employers and data processors – including intellectual property – for the purpose of providing or facilitating professional services.
Purposes for which personal data may be held
Personal data is collected primarily for the purposes of:
- medical assessment
- health surveillance
- drugs and alcohol screening/testing
Sensitive personal data includes information relating to the following matters:
- medical history
- details of any prescribed or over the counter medication used
- lifestyle information, including the use of alcohol, tobacco or illicit drugs
Processing of personal data
Some of our data collection is paper-based. Details of assessments are recorded on forms which are processed and stored in a secure facility at our Head Office.
Hybrid Medical also uses a range of electronic products and platforms to process your data. Some of these are required by specialised organisations responsible for recommending industry standards and maintaining industry-specific databases (e.g. CBH, Sentinel), and others are purchased by Hybrid Medical in order to optimise the efficiency and security of data processing. Hybrid Medical will not transfer your data outside the European Economic Area (EEA) without appropriate protection. We will never sell your data on, or use it for other purposes than that for which it was originally collected.
Third-party data processors
In order to optimise the delivery of our services, Hybrid Medical has contracts with a network of approved suppliers. In addition to those mentioned above, these suppliers deliver key services including:
- Laboratory testing of biological samples for diagnostic purposes
- Provision of occupational health and specialist services e.g. counselling
- Scanning, indexing and secure destruction of paper clinical records
Disclosure of results
In all cases, results will be reported back to you and/or the person(s) who are formally designated to receive results e.g. your employer.
Results may be conveyed as follows:
- Fax – if we are asked to send results via fax we will phone the designated results person prior to transmission to ensure that the fax number is correct and that they are present to receive the results
- Post – all outgoing mail is sent in envelopes marked “Private & Confidential”
- Email – appropriate measures are applied to ensure the security of results sent via email
- Secure customer portal
- Industry-specific database e.g. Sentinel
Retention and destruction of records
- Medical records are retained by Hybrid Medical in line with our retention schedule. Records are not held for longer than is necessary, and the retention schedule takes into consideration the retention requirements of any applicable legislation or standards e.g. The Control of Asbestos at Work Regulations; Network Rail.
- Hybrid Medical keeps electronic records of data subjects’ information on databases which can only be accessed by authorised Hybrid Medical personnel.
- Hybrid Medical has a contract with an approved supplier for the collection, secure transport, scanning and secure destruction of all our paper records.
- Any extraneous paper records containing sensitive personal data are disposed of securely.
Your data protection rights
Under data protection law, you have rights including:
- Your right of access – You have the right to ask us for copies of your personal information.
- Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
- Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances.
- Your right to object to processing – You have the right to object to the processing of your personal data in certain circumstances.
- Your right to data portability – You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please direct all such requests for the attention of our Data Protection Officer, who can be contacted as below:
Data Protection Officer
Hybrid Medicals are registered with the Information Commissioner’s Office (ICO) as a data controller. Our registration number is ZB044340.
How to complain
If you are unhappy with how we have used your data you can make a complaint to the ICO – contact details below.
Information Commissioner’s Office
Helpline number: 0303 123 1113