Data Privacy Statement

  • This Privacy Statement explains how Work Wellness collects and processes personally identifiable data (PID) and sensitive personal data (SPD)
  • By continuing to interact with Work Wellness, you are consenting to the processing of your data in accordance with this Privacy Statement

 1. Definitions

1.1   Types of interaction between Work Wellness and data subjects

Type 1 Viewers of the workwellness.co.uk web site
Type 2 “Contact us” requests for further information about Work Wellness and its services
Type 3 Recipients of Work Wellness services (typically the employee)
Type 4 The client with whom Work Wellness is contracted to provide the services (typically the employer)
Type 5 Suppliers and sub-contractors to Work Wellness

1.2  Types of data

PID (Personally Identifiable Data): Data from which a living individual can be identified. Identification can take place using the information alone or in conjunction with any other information in the data controller’s possession or likely to come into the data controller’s possession
SPD (Sensitive Personal Data): Data about a person relating to:
  • racial or ethnic origin
  • health
  • genetics

2. Physical Data Security

Work Wellness:
  • Undertake proportionate and appropriate measures to ensure physical data security
  • Ensure that data is only processed by trained officers of Work Wellness and by 3rd parties whose data security policies are at least comparable to ours

2.1  Retained data

Access Control Level 1: At the registered Work Wellness Ltd address with:
  • Intruder alarm
  • Security Cameras
  • In a locked room with key access restricted to officers of Work Wellness Ltd
Access Control Level 2:
  • Digital / Computer: Laptop computer hard disk and mass storage backup accessed by User ID and Password, with strong password protection: minimum of 8 characters; at least one capital letter and digit and special character (#, %, $, £, &, ^)
  • Paper: Locked filing cabinet with key access limited to officers of Work Wellness Ltd
Access Control Level 3: Data encrypted to minimum of AES128
Location: United Kingdom
Deletion upon expiry of retention period:
  • Digital / Computer: Permanently deleted
  • Paper: Confidentially disposed of by burning

2.2  Data in transit

Medium Access Control
Email
  • Password protected document emailed to requestor
  • Password to document e-mailed to authoriser
Post
  • Sent by registered delivery
Car
  • Computers and documents are stored out of sight and the vehicle locked when unattended

2.3  Data in use

Access Control
Laptops and workstations:
  • Locked with a password protected screen saver when left unattended
  • Are only used where personal information cannot be viewed on screen by unauthorised individuals
Officers of Work Wellness and 3rd parties use their own passwords and under no circumstances request or offer to share these with anyone else.

3.   Privacy Policy

3.1  Type 1: Viewers of the workwellnessuk.co.uk web site

Process Details
Data type PID Cookies
SPD None
Retention Period 6 years
Medium Computer hard drive
Access controls Level: 1, 2, 3
Disclosure & Purpose Officers of Work Wellness: Site usage statistics aggregated across many viewers, e.g., which pages were viewed and for how long, to identify potential web site design enhancements such as re-writing briefly viewed content to make it more interesting

3.2  Type 2: “Contact Us” requests

Process Details
Data type PID Name, company, address, email address, phone number
SPD None
Retention Period 6 years
Medium Computer hard drive
Access controls Level: 1, 2, 3
Disclosure & purpose Officers of Work Wellness: Verify identity and ensure data is only disclosed with consent, fulfil requests for further information

3.3    Type 3: Recipients of Work Wellness services

3.3.1    Health Checks
Process Details
Data Type PID Name, Date of Birth, email address
SPD
  • Declared by subject.  Smoking habit, alcohol consumption, physical activity level, mental health indicators
  • Clinically measured.  Blood pressure, cholesterol, height, weight, waist
Retention Period Whichever occurs sooner:
  • 3 complete calendar years since last test which is the reasonable maximum time period between re-tests
  • Termination of contract with employer to provide the service to its employees
Medium Computer hard drive
Access controls Level: 1, 2, 3
Disclosure and purpose Officers of Work Wellness
  • Verify identity and ensure data is only disclosed with consent
  • Search for and retrieve previous health check results for comparison
  • Calculate risks to health
  • email recipient with invitation to annual health check re-assessment
  • email recipient with a link for them to provide feedback about their service experience
General Practitioner: Identify data subject and reason for referral
Employer: Statistical reports where PID and SPD are rendered non-personally identifiable and are completely lost within the averages, totals and trends calculated across a population of at least 150 data subjects
Other 3rd parties: None (Work Wellness does not use PID or SPD to market to the data subject and does not share data with 3rd parties)
3.3.2    Fitness for Work Assessments
Process Details
Data Type PID Name, Date of Birth, Postal Address, Telephone Number
SPD Declared by subject
Retention Period Whichever occurs sooner:
  • 3 complete calendar years following assessment (in case employer requires a further copy)
  • Termination of contract with employer to provide the service
Medium
  • Questionnaire provided by subject: Paper
  • Fitness certification: Computer hard drive
Access controls Level: 1, 2
Disclosure & purpose Officers of Work Wellness
  • Identify and verify the data subject
  • Assess reasonable adjustments required in role
  • Assess fitness to return to work
Employer
  • Report fitness to return to work
  • Describe reasonable adjustments required in role
3rd parties
  • When Work Wellness commences the provision of occupational health services, the historical occupational health records held by the previous occupational health provider are transferred to us
  • During the time that Work Wellness provides an occupational health service we will add our records to your occupational health file maintained by Work Wellness
  • If Work Wellness ceases the provision of occupational health services, then your occupational health file will be transferred to your new occupational health provider with your consent.  Work Wellness will delete records in its possession
3.3.3    Workstation Assessments
Process Details
Data Type PID Name, Date of Birth
SPD Declared by subject
Retention Period Whichever occurs sooner:
  • 1 complete calendar year following assessment (in case employer requires a further copy)
  • Termination of contract with employer to provide the service
Medium
  • Clinical workstation observations: Paper and Computer Hard drive
  • Recommended adjustments: Computer Hard Drive
Access controls Level 1, 2
Disclosure & purpose Officers of Work Wellness
  • Identify and verify the data subject
  • Assess requirements for workstation adjustments to improve concentration spans and reduce risk of musculoskeletal injury
Employer: Summary health assessment and advise reasonable adjustments
3.3.4    Training and workshops
Process Details
Data Type PID Name
SPD Assessment (pass / fail)
Retention period Whichever occurs sooner:
  • 1 complete calendar year following assessment (in case employer requires a further copy)
  • Termination of contract with employer to provide the service
Medium
  • Scheduled attendance: Computer hard drive
  • Actual attendance: Paper
  • Certification: Computer Hard Drive
Access controls Levels: 1, 2
Disclosure & purpose Officers of Work Wellness
  • Register attendance
  • Issue certificates
  • email recipient with a link for them to provide feedback about their service experience
Employer: Confirm attendance, advise certification

3.4  Type 4: Clients

Process Details
Data Type PID Name, Job Title, Company Name and Address
SPD None
Retention period 6 years from the end of the last company financial year to which they relate
Medium Computer hard drive
Access controls Levels: 1, 2
Disclosure & purpose Officers of Work Wellness: Contract for operation of services, operation of services, invoice for services
Government Agencies: Where disclosure is required by law

3.5  Type 5: Suppliers and Sub-contractors to Work Wellness

Process Details
Data Type PID Name, Job Title, Company Name and Address, Bank Details
SPD None
Retention period 6 years from the end of the last company financial year to which they relate
Medium Computer hard drive
Access controls Levels: 1, 2
Disclosure & purpose Officers of Work Wellness: Contract for operation of services, operation of services, Payment for services, Issue of receipts
Government Agencies: Where disclosure is required by law

4. Data Governance

4.1       Applicable legislation

Work Wellness processes data in compliance with the:
  • Data Protection Act 1998
  • General Data Protection Regulation (EU) 2016/679 (the “GDPR”)
  • Access to Medical Reports Act (1988)
  • Access to Health Records Act (1990)

4.2       Data Security Impact Assessments (DSIA)

Where Work Wellness develop a new product, employ a new 3rd party provider or gain a new client, we will carry out a formal DSIA to assess the risks of breach of this Data Protection Policy.  Any risks identified will be subject to mitigating actions which are proportionate to the degree of risk they will control

4.3       Data Breaches

Work Wellness records all breaches of this Policy, regardless of their effect, and conducts a DSIA to understand and address the root cause to prevent a re-occurrence. In the extremely unlikely event of a serious breach such as the disclosure of information to the wrong subject then:
  • We will report it to the Information Commissioner within 72 hours of discovery.
  • We will inform affected individuals where it is possible to do so, describing the breach, its possible consequences and mitigation actions taken

4.4       Officers of Work Wellness and 3rd party providers

Are required to comply with this Policy and furthermore:
  • to access only data that they have authority to access and only for authorised purposes
  • not to disclose data except to individuals (whether inside or outside the organisation) who have appropriate authorisation
  • Only process data on drives and devices that are used exclusively for work purposes
Where necessary, Work Wellness will provide training to Officers of Work Wellness and to 3rd party providers about their responsibilities for data protection in general and this Policy in particular

4.5  Data Subject Statutory Rights

Access: To access a structured, commonly used and machine-readable copy of PID and SPD retained about you (a Subject Access Request or SAR)
  • Requests will normally be fulfilled within one calendar month of receipt
  • Requests which are manifestly excessive may be refused or fulfilled upon payment of a fee to cover reasonable expenses incurred.  An example of an excessive request might include a request for the details of every file, backup version and document where your name and address are recorded
  • The first access request is fulfilled free of charge.  Any subsequent requests will be fulfilled upon payment of a fee to cover reasonable expenses incurred.
Portability: In certain circumstances, to request the transfer of PID and SPD to another data processor or controller without hindrance
Rectification: To ensure that Work Wellness Ltd correct inaccuracies with any PID or SPD.  This right does not extend to amending accurate information to influence results of health assessments
Erasure: To ensure that Work Wellness erase your PID and SPD (the right to be forgotten) where your interests override Work Wellness’ legitimate grounds for processing data such as a contractual requirement to provide an accurate report to your employer
Restrict processing: The right to restrict the uses of retained PID and SPD in certain circumstances, e.g., during a period where the accuracy of data may be contested
To exercise your rights
Send a written request together with proof of your identity to:
    • The Data Controller
      Work Wellness Ltd
      18 Oakley Wood Drive
      B91 2PH