Data Protection & GDPR Policy

Policy Statement

This is the statement of the General Data Protection Regulation (GDPR) policy adopted by Peak Occupational Health. The policy is subject to annual review to reflect any changes to legislation, structure and policies within the business.

Peak Occupational Health is required to collect personal data in order to operate as a business. Personal data can include that of individuals referred to the business, staff members and third-party professionals. Data must be processed and held in line with the Data Protection Act 1998 and the GDPR.

Peak Occupational Health regards the lawful management of personal data as important to the achievement of the business’s objectives and to maintaining confidence between the business and those it deals with.

Peak Occupational Health fully endorses the principles laid down in law and will ensure compliance with the British Standard for data protection, BS 10012.

GDPR Policy

Personal data will be obtained, maintained, stored, used and passed to third parties in strict accordance with the Data Protection Act 1998. This includes the following processes:

  • The business will limit the collection of data to only that which is necessary for valid business purposes, in a way which complies with the law, and will obtain it by lawful and fair means.

  • The business will strive to maintain only accurate personal data.

  • The business will not release personal data to a third party unless the individual to whom the data relates has given written consent, or the law requires disclosure.

  • The business will take all appropriate steps to ensure that personal data is protected from unauthorised access and disclosure, including limiting access to such data to professional staff on a need-to-know only basis.

The Principles of GDPR

The Data Protection Act 1998/GDPR stipulates that anyone processing personal data must comply with eight principles of good practice. It is essential that Peak Occupational Health fully complies with these principles in order to avoid prosecution, bad publicity and a resultant loss of confidence in the business. A breach of the Act can lead to fines and claims for compensation. The following eight principles apply:

Personal information must:

  1. Be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met.

  2. Be obtained only for one or more specified and lawful purposes and must not be further processed in any manner incompatible with that purpose, or those purposes.

  3. Be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed.

  4. Be accurate and where necessary and possible, kept up-to-date.

  5. Not be kept for longer than is necessary for that purpose, or purposes.

  6. Be processed in accordance with the rights of the data subjects under the Act.

  7. Be kept secure and protected by a degree of reasonable security.

  8. Not be transferred to any country or territory outside the United Kingdom unless that country or territory ensures an adequate level of data protection.

The eight principles of GDPR are legally enforceable.

The Act provides conditions for the processing of personal data and makes a distinction between personal data and sensitive personal data.

Definitions

Personal data is defined as data relating to a living individual who can be identified from:

  • The data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller, or any other person, in respect of that individual.

  • A data controller is a person who determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.

  • The Data Protection Act 1998 covers both electronic and paper-based information.

  • Sensitive data (information relating to racial or ethnic origin, religious or similar beliefs, trade union membership, physical or mental health, sexual orientation, political beliefs and opinions, or criminal offences) can only be held in strictly defined situations, or where explicit consent has been obtained.

Collecting Personal Data

When collecting personal data at Peak Occupational Health, individuals must know the following:

  • Who we are.

  • What the business is.

  • What any personal data will be used for.

  • To whom personal data will be disclosed.

Initial personal data will be collected by the Referral Form and then the Registration Form.

Handling Personal Information

When collecting, handling or processing personal data, Peak Occupational Health personnel must ensure that:

  • All personal data is accurate and up-to-date.

  • Errors are corrected effectively and promptly.

  • The data is deleted and destroyed confidentially when it is no longer required.

  • All personal data is kept secure in a lockable cabinet and locked away at the end of the working day.

  • The Data Protection Act is considered when setting up new systems, or when personal data is required for new purposes.

  • Written consent is always obtained if third-party referral is required.

  • Personal data is sent securely and password protected.

  • All company contracts and referrals are accompanied by an explicit specification that all data must be handled securely by the company under the Act.

It is recognised that:

  • Peak Occupational Health staff will not access personal data not required strictly for work purposes.

  • Staff will not use data for any purpose other than that for which it was explicitly obtained.

  • Staff will not store, process or handle sensitive personal data unless they are confirmed as entitled to do so and have written consent from the individual to whom it relates.

Sensitive Data

Sensitive data is personal data that contains information relating to:

  • Racial or ethnic origin.

  • Political views and opinions.

  • Religious or other beliefs.

  • Trade union membership.

  • Physical or mental health conditions (including medical records).

  • Sexual orientation.

  • Criminal proceedings or convictions.

When handling sensitive personal data, Peak Occupational Health staff will manage the information using strict criteria and controls, including:

  • Observe conditions regarding the fair collection and use of such sensitive data.

  • Meet the legal obligations specifying the purpose for which the information is required.

  • Collect and process only information that is required to fulfil the operational requirements of the company.

  • Ensure the accuracy of information used.

  • Apply the 7-year rule for retaining personal data, and ensure the information is destroyed in a timely and confidential manner.

  • Take appropriate organisational security measures to ensure that personal data is kept securely on site.

  • Ensure that any personal information is never transferred abroad without suitable safeguarding.

  • Ensure that the rights of individuals to whom the information relates are respected and fully adhered to under the Act.

The rights of individuals include:

  • The right to be informed.

  • The right of access.

  • The right to rectification.

  • The right to erasure.

  • The right to restrict processing.

  • The right to data portability.

  • The right to object.

  • The right to deny consent.

  • The right not to be subject to automated decision-making, including profiling.

In addition, Peak Occupational Health staff will ensure that:

  • There is a senior staff member responsible for data protection.

  • All staff managing and handling personal information understand that they are contractually responsible for following good data protection protocols.

  • Queries about handling of personal information are promptly, efficiently and courteously dealt with.

  • Methods of handling personal information at Peak Occupational Health are regularly assessed and evaluated for good practice.

  • Everyone managing and handling personal information is appropriately informed, trained and supervised.

  • Data sharing is only carried out under written consent, setting out the scope and limits of the data sharing. Verbal consent must be documented by the staff member.

  • All sharing of personal data is compliant with approved procedure.

  • All staff at Peak Occupational Health are made aware of the policy content and understand their duties and responsibilities under the Act.

Protecting Data

All staff at Peak Occupational Health will take steps to ensure that personal data is kept secure at all times, to protect it from unauthorised or unlawful loss or disclosure:

  • Personal Data files are stored and locked in filing cabinets designated for that function.

  • Personal data held electronically is password protected.

  • Computer passwords are not easily compromised.

All contractors and other agents visiting Peak Occupational Health:

  • Must be made aware of their duties and responsibilities under the Act.

  • Allow data protection audit to be undertaken without objection or interference.

  • Any breach of data will be viewed as a breach of contract between Peak Occupational Health and the contractor.

  • Indemnify Peak Occupational Health against any prosecutions, claims, proceedings, actions or payments of compensation where they have breached confidentiality of data.

  • Not transfer personal data outside the UK, unless by special measures.

Subject Access and Subject Rights

Individuals whose personal data is held by Peak Occupational Health have the right to:

  • Receive, on request, details of the processing of data relating to them.

  • Have any inaccuracies in personal data removed or corrected.

  • Deny consent to processing where this is likely to cause substantial damage or substantial distress.

  • Prevent data from being used for marketing or advertising.

Other Relevant Legislation

  • General Data Protection Regulation.

  • Data Protection Act 1998.

  • Access to Medical Records 1990.

  • Access to Medical Reports 1988.

  • Crime and Disorder Act 1998.

Notification to the Information Commissioner (ICO)

The ICO maintains a public register of data controllers. Peak Occupational Health is registered with the ICO.

The GDPR requires every data controller who is processing personal data to notify the ICO and to renew their notification on an annual basis. Failure to do so is a criminal offence. A designated officer at Peak Occupational Health is responsible for notifying and updating the ICO. Any changes to the register must be notified within 28 days.

Retention of Data

Personal data relating to clients at Peak Occupational Health must be kept securely and maintained for a minimum of 7 years. This coincides with legal requirements and professional standards. For clients under the age of 18 years, personal data must be kept until the client reaches the age of 25 years.

Research Purpose Exemption

Data collected fairly and lawfully can be used for research, provided the research does not identify the individual(s) concerned. Such data must not be processed to support measures or decisions with direct consequences for any individual concerned, or in any way that is likely to cause substantial damage or distress to the data subject. This exemption applies only to academic research.

Breach of Personal Data Protection

Any breach of personal data protection will be investigated in line with the Department of Health’s checklist for reporting, “Managing and Investigating Information Governance Serious Untoward Incidents” (gateway ref. 13177).

The number and categories of the breach(es) will be brought to the attention of the proprietors of Peak Occupational Health. Disciplinary procedures may be appropriate for the member of staff responsible for the breach.

The ICO must be contacted, where feasible within 72 hours, where the breach is likely to result in a risk to the rights and freedoms of individuals, for example discrimination, damage to reputation, financial loss, loss of confidentiality or significant economic or social disadvantage.

Contact

Under the GDPR, any individual can contact the proprietor of Peak Occupational Health by email at contact@peakoccupationalhealth.com, or in writing at 7 Market Street, Whaley Bridge, High Peak, SK23 7AA.

Peak Occupational Health has 30 days from receipt of the contact to respond.

Peak Occupational Health will be responsible for preventing any third-party disclosure relating to the contact. Legal advice may be sought for any complex data confidentiality situation.

Peak Occupational Health 2025/2026.