Page 4 of 27 DRAFT V2 Code of Conduct for Occupational Health Services
2.3. Data is processed by an employer who requires occupational health services to be
provided by qualified and authorised healthcare professionals. In order to protect the
health and wellbeing of the Data Subject and to allow the Client to organise and meet
its legal and moral requirements, it engages an OHS to provide:
2.3.1. Professional management advice
2.3.2. Health assessments and monitoring
2.3.3. Treatments to Data Subjects for the purposes of keeping the Data
Subject fit for their contracted duties.
2.4. Clinicians owe a duty of confidentiality to every Data Subject whose data they process;
the obligation is personal and organisational, and the Code of Conduct supports
and complements this duty. The Code of Conduct accepts that it is professionally and
clinically appropriate for clinicians to discuss specific cases, which may extend to clinical
information, with colleagues within the occupational health service. This disclosure
may be written or verbal; it is the responsibility of the disclosing clinician to
disclose information only on a “need to know” basis, and they are responsible for the
method of any communication and the storage of any data that is being processed.
Clinical and professional discussions involving personal and special (health)
data should be managed carefully. They are necessary for the best and most
appropriate advice to the employer. The Occupational Health Service should
ensure that it has put in place adequate training for its staff on how and when
to have these discussions.
Example
Sending an email to a professional colleague may be high risk if the email
contains personal identifying and special health data. The risk is not the
transmission of the email but the ongoing processing of the email as it sits in
the Sender’s outbox and in the Receiver’s inbox, presenting risks around
data storage and management.
2.5. An OHS or its employees should not process personal or special data for any
reason other than the provision of occupational health and wellbeing services.
Data should not be shared with any party other than the employer without the
prior informed consent of the Data Subject.
2.6. Where an OHS uses a Third Party (subcontractor) to provide some of its clinical
services (Occupational Medicine, Physiotherapy, Counselling, Clinical Assessments),
the OHS will have in place:
2.6.1. A documented Agreement with the Third Party stating that they act as a Data
Processor and that the OHS is the Data Controller.
2.6.2. An appropriate assessment of the Third Party, carried out by the OHS, confirming that
they can comply and work to the same levels and standards of data processing
and security that the OHS operates within.
2.6.3. Confirmation that the Third Party has appropriate data protection policies in place and can
evidence these for its processing of data: security, management and storage of
data, technical measures, training of its employees and their third parties, and
that the Third Party can evidence its compliance through auditing, training and
assessment.
It would not be acceptable for an OHS to achieve accreditation and compliance
with the Code and then to use a supply chain of Third Parties that do not operate
to the same standards. The Code has the objective of raising standards for
everyone who processes data, and an approved OHS should ensure that its supply
chain can work within the OHS processes or otherwise meets this Code’s standards.
The OHS should check its supply chain for compliance through audit and
encouragement. Within the first 2 years of the Code being approved the goal