JISCMail - DATA-PROTECTION Archives

Hi Catherine,

We considered similar things for a commercial client of ours, and sought
legal advice.

In as much as we discovered (and we didn't take the legal advice to a
fine-grained level), the following applies:

   - The Occupational Heath Supplier is the data controller, and in that
   organisation, records should be held under supervision of someone with a
   title like Chief Medical Officer.

   - The records for a particular patient should only be transferred if
   consent has been given by that patient.

   - The consent needs to name the new data controller and any data
   processors, if they are different to the new data controller.

   - Transfer to the new service should be transfer to that service's Chief
   Medical Officer.

   - No records should be transferred to the patients' employer, there is a
   strict requirement for confidentiality.

   - I imagine the safest alternative for the existing supplier is to keep
   copies of all patient records for as long as the statutory requirement,
   even if they have been transferred.

   - The transfer mechanism should be designed carefully, my own standards
   would be for well encrypted electronic data transfer, or, if paper records,
   getting one CMO, possibly with helpers, to personally ferry solidly boxed
   records to another CMO. Others may say a courier service is sufficient for
   paper records. I would tend to avoid that. Receipts of delivery at all
   stages.

   But actually, I don't think your employer should be involved in this
   stage.

Regards
Mark


-- 
Dr Mark van Harmelen
Director, Hedtek Ltd

phone                  07830 212 464 (international +44 7830 212 464)
skype                   markvanharmelen
web                      http://hedtek.com
developer blog     http://devblog.hedtek.com

Hedtek is a limited company registered in England and Wales, Co Reg No
6300001
5th Floor, 10 Little Lever Street, Manchester M1 1HR



On Mon, Jan 19, 2015 at 9:24 AM, Catherine Hanley <
[log in to unmask]> wrote:

>  Hello all
>
> Does anyone have any experience of moving to a replacement occupational
> health contractor and knowledge of transfer of employee’s occ health
> records?
>
>
>
> I’m currently waiting on receiving a copy of our contract to see if
> anything has been identified in there re who is the data controller/ how
> files will be transferred and managed at the end of the contract but in the
> meantime would appreciate any advice.
>
>
>
> We’re in the middle of switching contractor and have discussed the
> transfer of current/ active files to the new supplier if the employee
> consents. But if the employee doesn’t consent to this transfer and/or they
> are no longer an active employee, then it wouldn’t be appropriate to share
> with the new contractor, but should the current contractor retain that file
> because it is their patient? Or should it be archived by the Council? My
> understanding is that it’s not appropriate for the employer to have access
> to the whole medical file and that we would already have had access to the
> relevant parts that were required at the time, e.g. outcome of an
> assessment? I seem to be finding information which suggests that the Occ
> Health service is the data controller and that they have a patient/ doctor
> relationship with an employee which suggests to me that they would keep
> their own patient files indefinitely? But I can’t find anything more
> specific?
>
>
>
> If anyone can help it would be greatly appreciated.
>
>
>
> Kind regards
>
> Catherine
>
> . . . . . . . . . . .
>
>
>
> *Catherine Hanley*
>
> *Data Protection Officer*
>
> *Town Hall*
>
> *Middlesbrough *
>
> *PO Box 503*
>
> *TS1 9FX*
>
> *01642 729686 <01642%20729686>*
>
>
>
>
>
> **********************************************************************************************
> Any opinions or statements expressed in this e-mail are those of the individual and not necessarily those of
> Middlesbrough Council. Internet communications are not secure and therefore Middlesbrough Council does
> not accept legal responsibility for the contents of this message as it has been transmitted over a public
> network. If you suspect the message may have been intercepted or amended, please call the sender.
>
> This e-mail and any files transmitted with it are confidential, may be legally privileged, and are solely for the
> use of the intended recipient. If you receive this in error, please do not disclose any information to anyone
> and notify the sender at the above address. Any disclosure, copying, distribution or any action taken or
> omitted, in reliance on the contents, is prohibited and may be unlawful.
>
> Middlesbrough Council's computer systems and communications may be monitored to ensure effective
> operation of the system and for other lawful purposes.
>
> Save energy, money and the environment - is it really necessary to print this message?
>
>  ** This email has been scanned for viruses, vandals and malicious content. **
> **********************************************************************************************
>
>
>
>  ------------------------------
>
> All archives of messages are stored permanently and are available to the
> world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
>
> Selected commands (the command has been filled in below in the body of the
> email if you are receiving emails in HTML format):
>
>    - Leaving this list: send *leave data-protection* to
>    [log in to unmask]
>    <[log in to unmask]&BODY=LEAVE+data-protection>
>    - Suspending emails from all JISCMail lists: send *SET * NOMAIL* to
>    [log in to unmask] <[log in to unmask]&BODY=SET+*+NOMAIL>
>    - To receive emails from this list in text format: send *SET
>    data-protection NOHTML* to [log in to unmask]
>    <[log in to unmask]&BODY=SET+data-protection+NOHTML>
>    - To receive emails from this list in HTML format: send *SET
>    data-protection HTML* to [log in to unmask]
>    <[log in to unmask]&BODY=SET+data-protection+HTML>
>
> All user commands can be found at
> http://www.jiscmail.ac.uk/help/commandref.htm and are sent in the *body*
> of an otherwise blank email to [log in to unmask]
>
> Any queries about sending or receiving messages please send to the list
> owner [log in to unmask]
> <[log in to unmask]>
>
> (Please send all commands to [log in to unmask]
> <[log in to unmask]> not the list or the moderators, and all
> requests for technical help to [log in to unmask], the general
> office helpline)
>  ------------------------------
>

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     All archives of messages are stored permanently and are
      available to the world wide web community at large at
      http://www.jiscmail.ac.uk/lists/data-protection.html
     If you wish to leave this list please send the command
       leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
 Any queries about sending or receiving messages please send to the list owner
              [log in to unmask]
  Full help Desk - please email [log in to unmask] describing your needs
        To receive these emails in HTML format send the command:
         SET data-protection HTML to [log in to unmask]
   (all commands go to [log in to unmask] not the list please)
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^