Occua Ltd acts as both the Data Controller and Data Processor under the General Data Protection Regulation (GDPR) 2018 and is committed to protecting the data of client organisations as well as their employees. It acknowledges that any personal and sensitive data will be processed in accordance with the GDPR.

  1. Occua Ltd keeps data, including medical data, relating to our client organisations and their employees in order to provide appropriate advice relating to Occupational Health. The legal basis for processing data is Article 6(1)(f) and Article 9(2)(h).
  2. Data processed includes relevant information to support the provision of a quality occupational health service to the client.
  3. This Data Privacy notice applies to all types of data mentioned above (including paper and electronic formats).
  4. Occua Ltd does not contract any processing to other agencies and does not send data out of the UK.
  5. Occua has invested in security features to protect the data it holds against accidental or unauthorised loss, change or disclosure. This applies to data held on the secure client Portal as well as its in-house electronic and paper storage systems. Data is backed up regularly and backups are stored securely.
  6. Data about employees of client organisations is kept only for as long as is necessary for proper provision of a professional occupational health service.
  7. Occua will not disclose data to an individual if to do so would breach legislation.
  8. In the event of a client organisation moving their occupational health provision away from Occua, Occua will provide the data it holds to the new occupational health provider in a secure manner as discussed with that provider and when written permission to do so is provided by the client organisation. Occua will also require evidence from the new provider that it is qualified to hold such data. Occua will then securely destroy all copies it holds of that data.
  9. Occua will disclose limited personal or medical data to another medical professional with the consent of the individual in order to obtain medical history or advice. The data so disclosed will be the minimum required to obtain the information and advice required.
  10. Occua is registered with the ICO in respect of its usage of personal data. The Director of Occua Ltd is responsible for reporting any data breaches to the ICO.
  11. This statement will be reviewed periodically to ensure that it reflects the practices of Occua Ltd and should be read in association with the following full policy documents (available to clients):
    • Data Protection Policy (GDPR)
    • Electronic data Security Policy
    • Record Keeping Policy
    • Confidentiality and Consent Policy
  12. This statement is dated May 2020. Reviewed without amendment January 2020, May 2020.