Staff privacy notice

Your health records

Our staff privacy notice describes how the occupational health, safety and wellbeing service at Guy’s, St Thomas’, Evelina London Women’s and Children’s, Community, Royal Brompton and Harefield hospital sites (the Trust OHSWB) collects, uses, retains and discloses information about you.

It includes:

  • details of the types of data we collect
  • the reasons we collect this data
  • how it is stored
  • who has access to it
  • how long it is kept, and
  • your rights in respect to your data

We collect personal identification data (name, address, date of birth) and health information as you would usually provide for a health consultation, such as with your GP.

If we need to obtain information about you from a third party, for example your GP, other healthcare professionals or another occupational health (OH) service, we will do so with your written consent. The information received will be managed in the same way as the information we obtain from you directly.

We ask you to provide the information to enable us to deliver an occupational health service of the highest quality to you and your respective organisation (such as employer, university). The main objective of an occupational health assessment is to:

  • ensure that you are medically fit for your current or proposed role or placement for example whether your health condition (if any) poses a safety risk to you, your colleagues or members of the public
  • provide advice on adjustments to facilitate your employment, studies or other related activities whilst reducing the likelihood of your health condition (if any) becoming worse through work or study related activities
  • ascertain that you are not vulnerable to any work hazards and to suggest measures to minimise potential ill health caused by work hazards
  • identify health conditions associated with work exposures at an early stage, so that effective remedial action can be undertaken

The lawful basis allowing us to process your data is outlined in articles 6(1)e, 6(1)f and 9(2)h of the General Data Protection Regulations as follows:

  • 6(1)e: Public task - the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law 
  • 6(1)f: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (this is applicable if you are employed by a non-public organisation)
  • 9(2)h: processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee or medical diagnosis

Notwithstanding the above, we obtain your consent, where relevant, such as when we examine you, offer treatment or write to a third party about you.

Any data provided by you or collected (such as obtained from your GP) or created (such as a vaccination record) by the Trust OHSWB will be stored electronically within the OHSWB record management system (COHORT).  

You have only 1 record in COHORT. Therefore, if you leave employment/education and then return in the future, all of your OHSWB records (including any past and current records) will automatically merge in COHORT. To opt out, email the OHSWB at [email protected] before submitting any further data. Your request will be considered by the data controller.

All paper records received or created as part of OHSWB interactions, will be transferred to COHORT and any paper notes will be safely destroyed in accordance with the retention period referred to in the ‘Protocol for Record Keeping in the Occupational Health Service’ (the Trust, OHSWB).

The OHSWB electronic data is stored safely and securely on a server within the European Union (EU). No information is stored or transferred outside the EU. Please refer to the Cority Cohort Software GDPR compliance, for more information about the safety, security and standard measures used to store the OH records within COHORT.

Your OHSWB records are kept in confidence and will not be shared or disclosed to anyone unless with your explicit consent or if there is an overriding legal requirement.

All the Trust OHSWB staff including temporary staff and trainees, are subject to Common Law Duty of Confidentiality and also follow the NHS Confidentiality Code of Practice. All regulated health professionals such as doctors, nurses and others working in the Trust OHSWB adhere to their professional code of conduct (for example the General Medical Council Nursing and Midwifery Council and Health and Care Professions Council respectively). Other Trust OHSWB staff sign and comply with a confidentiality agreement.

No one other than authorised OHSWB personnel has access to the OHSWB records. Some IT personnel may gain access to COHORT for maintenance or for other technical reasons.

After your data is processed by us, the outcome including fitness to work or study, advice on work adjustments/ restrictions will be communicated to the relevant people in your respective organisation. The communication will not contain any special category data such as the details of your health condition, unless you explicitly provide consent.

We will obtain your consent, where relevant, to communicate the outcome to the relevant people in your respective organisation.

There is a defined period of retention for each group of data, based on the relevant law, guidance or best practice. The clinical OHSWB records are kept during your employment or course of study and for a minimum of 6 years after you leave employment or the course, unless there is a legitimate reason to keep them longer such as ongoing legal proceedings, COSHH requirements.

For details of the retention period for each group of data, please see our managing your data page.

You have the following rights with respect to the information we collect.

You can:

  • request to obtain a copy of the information we hold about you. For details of how to make a request, please see subject access request or email the data controller at [email protected]. We shall provide the requested data within a month of receiving the request in the majority of cases, unless the request is complex or numerous
  • request to have your information rectified or erased by emailing the data controller at [email protected]. Your request will be considered carefully and you will be notified within 1 month whether it can be granted or, if not, we will explain the reasons for declining your request
  • object to your data being processed by us and request to stop the process by emailing the data controller at [email protected]. Your request will be considered carefully and you will be notified within 1 month whether it can be granted or, if not, we will explain the reasons for declining your request

You have the right to withdraw consent at any time before the outcome of data processing has been communicated to the relevant person by contacting the data controller at [email protected]. Please be advised that if you object to your data being processed, stop the processing or withdraw consent, it may cause delays to the outcome, affect decisions on your clearance to work, necessary workplace adjustments and ultimately may have an adverse impact on your job/placement offer or existing job/placement.

The clinical director of the OHSWB is the data controller lead relating to the processing of OHSWB records and can be contacted via email at [email protected]. The data controller for the Trust determines the purposes and means of processing personal data in line with current legislation and national guidance.

You have the right to lodge a complaint if you are unhappy with any aspect of the way your data is handled by us by emailing the Trust data protection officer at [email protected] or contacting the Information Commissioner’s Office.


Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Phone: 0303 123 1113

Information held in all Trust patient and employee records are confidential and should only be accessed by those with a legitimate reason to do so, such as providing direct care to the patient or management of the member of staff.

Unlawful access of records is a breach of confidentiality and of the data protection legislation (Section 170 of the DPA 2018) which can be defined as misconduct (including Gross Misconduct) or/and a criminal offence.

All such breaches must be reported as an incident immediately. The Trust will take all such incident reports very seriously.

Employees (including permanent, temporary and agency) are not allowed to:

  • access information about friends, family, colleagues, or their own record
  • ask another member of staff to unlawfully access records on their behalf
  • access a patient/employee record on the request of another person (where you are not providing care for them)

You can only access records of a patient or Trust employee if access is in line with your role and business need. That means the data you access must be relevant to the care/management you are providing to the individual.

If challenged by the Trust, you must be able to justify why you have accessed anyone’s personal information.

Accessing records unlawfully may lead to:

  • disciplinary action being taken against you
  • potentially losing your job
  • losing your professional registration
  • being reported to the Information Commissioner's Office (ICO) which could result in criminal prosecution and/or a fine

If you are a patient at Guy's and St Thomas' or King's and would like a copy of your medical record including a list of who has accessed your records, you can request a copy by submitting a subject access request from the Patient Records Team: [email protected]

If you would like a copy of your HR record this can be requested by submitting a subject access request to the Workforce team:

If you have any questions, please contact:

Is this page useful?