Ethics Guidance for Occupational Health Practice 9th Edition - Book - Page 38
3.10. For countries outside the EU, it is not always possible to secure the same level
of data protection, and the consent of the data subject is generally required.
Occupational health professionals should endeavour to ensure that equivalent
levels of data security are applied to information for which they have
responsibility, regardless of geography.
3.11. Personal data is defined as information relating to an identified or identifiable
natural person. Data which are completely anonymised are therefore excluded.
The Regulation applies to the processing of personal data wholly or partly by
automated means, and to the processing other than by automated means of personal
data which form part of a structured filing system.
3.12. Data held manually is covered if internally structured and accessible according
to specific criteria. Medical records in manual form that are filed alphabetically
according to the surname of the individual and organised chronologically within
the file are therefore covered by the Regulation. Neither the UK GDPR nor the Data
Protection Act 2018 [22] applies to data relating to deceased persons. The Access
to Health Records Act 1990 [23] gives the right of access to the health records of
a deceased person to the executor or administrator of the deceased's estate
and to any person with a claim arising from their death.
3.13. Health data is defined as personal data relating to the physical or mental health
of a natural person, including the provision of health care services, which reveal
information about his or her health status (Article 4). A data controller, who
carries the main responsibilities under the Regulation, is defined as a natural or
legal person, public authority, agency or other body which, alone or jointly with
others, determines the purposes and means of the processing of personal data.
3.14. Independent occupational health providers are stated by the Information
Commissioner [24] to be likely to be data controllers, but there is no specific
advice about in-house occupational health departments. There is no longer an
obligation on data controllers to notify the Information Commissioner of the
holding of personal data, but there continues to be a legal obligation to pay
fees to the Information Commissioner according to a statutory scale.
3.15. The Regulation also imposes legal obligations on data processors, defined as a
person or body which processes data on behalf of the controller. The controller
must make a written agreement with the processor setting out the duties and
responsibilities of each.
Page | 37