0141 889 5522
support@hbcompliance.co.uk
Mon - Fri : 09:00 AM - 05:00 PM

General Privacy Policy

The new EU General Data Protection Regulation (GDPR) comes into force on 25th May 2018 and will impact every organisation which holds or processes personal data.

Healthier Business Group is committed to high standards of information security, privacy and transparency. This includes applying a high level of data protection and security to the personal data that our employees, customers and third parties entrust to us. The company will comply with the GDPR when it takes effect in May 2018, including in its role as a data processor, while also working closely with our clients and partners to meet contractual obligations for our procedures, products and services. Healthier Business UK operates an ISO-based Information Security Management System (ISMS) and, to ensure compliance, will implement additional or augmented controls to meet GDPR requirements.

Our Legal Obligation

Healthier Business Group will endeavour to uphold its legal obligation to ensure the following principles are met:

  1. All processing of personal data will be conducted fairly and lawfully.
  2. Data will be used only for the purpose for which it was collected. Should a new purpose arise, the Data Subject will be contacted and further consent sought and obtained before the data is used for that purpose.
  3. Annual notification to the Information Commissioner regarding the use of person-identifiable information.
  4. Consistency and professionalism: all information is obtained, held and processed in accordance with the eight principles of the Data Protection Act 1998 and the six processing principles of the GDPR (Article 5(1)).
  5. Data will be accurate and kept up to date.
  6. Security: all information is obtained, held, disclosed and disposed of in a secure manner.
  7. Awareness: appropriate training is provided and awareness promoted so that all employees know their responsibilities.
  8. Data Subject Access Requests (SARs) will be responded to promptly and in any event within the statutory period, which under the GDPR is one month from receipt (extendable by up to two further months only where requests are complex or numerous, with the Data Subject told of the extension within the first month).
  9. Data collected will be stored no longer than necessary.

Our Commitment

Healthier Business Group processes personal data relating to a candidate’s health, immunity status and compliance with mandatory training, with the objective of providing the candidate with a fitness to work certificate and a completed training certificate, at which point processing ends for that individual and the right to erasure is applied. (The right to erasure is also known as ‘the right to be forgotten’.)

  1. The business acts only on the written instruction of the controller. The business does not carry out any work relating to personal data without a documented instruction from the client/controller to do so.
  2. All staff involved in work carried out by the business in relation to personal data are suitably trained, including annual refresher training and certification.
  3. All personal data is held on a secure server that is backed up in three locations, and two-factor authentication is required for remote access to data in the cloud. Access controls restrict the system to users and sources we trust: each user has an individual account with their own username and password, and each account is granted only the permissions appropriate to the job being carried out at the time.
  4. The business engages sub-processors only in relation to escalating cases and only with the prior consent of the controller.
  5. The business agrees to assist the controller in providing subject access and in allowing data subjects to exercise their rights under the GDPR.
  6. The business agrees to assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments.
  7. The business agrees to delete or return all personal data to the controller as requested at the end of the contract; to submit to audits and inspections; to provide the controller with whatever information it needs to ensure that both parties are meeting their Article 28 obligations; and to tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

Our responsibilities:

Healthier Business Group adheres to the following responsibilities and liabilities as a processor of the controller’s data:

  1. Only act on the written instructions of the controller
  2. Ensure that people processing the data are subject to a duty of confidence
  3. Take appropriate measures to ensure the security of processing
  4. Only engage sub-processors with the prior consent of the controller and under a written contract
  5. Assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR
  6. Assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments
  7. Delete or return all personal data to the controller as requested at the end of the contract.
  8. Submit to audits and inspections, provide the controller with whatever information it needs to ensure that both parties are meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.
  9. Preserve security: information is obtained, held, disclosed and disposed of in a secure manner.
  10. Annually notify the Information Commissioner about Healthier Business’s use of person-identifiable information.

Occupational Health – How do we use your data?

Any information obtained by the occupational health doctor or nurse is strictly confidential to OH. All OH staff adhere to a strict code of ethics in relation to the confidentiality of all consultations, telephone contact and the maintenance of medical records. No information is divulged to any third party without the person’s informed consent unless required by law or where there is a clear public duty.

All recommendations and advice on placement or return to work are based on the functional effects of medical conditions and their prognosis, as well as the requirements of the NHS and other health providers as detailed in regulations and other compulsory fitness policies. Generally, there is no requirement for the manager to know the diagnosis or receive clinical details. Reports to management concerning an individual’s fitness for work will always be discussed and agreed with the individual concerned before the report is sent. The recipient should treat this advice as sensitive (‘special category’) personal data under data protection legislation and should share it, only with the individual’s consent, with others who have a legitimate need to know (for example because they will be responsible for implementing adjustments in the workplace).

Healthier Business Group processes these specific types of your candidates’ personal and special category data:

Healthier Business Group (and trusted partners acting on our behalf) uses your personal data:

Online Training – How do we use your data?

Any information entered into the system must be entered with the consent of the candidate. No information is divulged to any third party without the person’s informed consent unless required by law or where there is a clear public duty.

Healthier Business Group processes these specific types of your candidates’ personal data:

Healthier Business Group (and trusted partners acting on our behalf) uses the personal data:

Third Party – do we share your data?

Personal data will never be shared with third parties or marketing firms. Personal data may be cross-referenced between Healthier Business UK Ltd and HB Compliance (both part of the Healthier Business Group) through their joint online training and occupational health screening services. We also cross-reference personal details against our own database where the candidate has been through either service within the year before entry.

Through our occupational health service, candidates may need to be referred to a Specialist Doctor or GP; personal data will never be shared for this purpose without your explicit consent. If candidates purchase goods through our online portal, their details will need to be passed to a payment gateway (a merchant service provided by an e-commerce application service provider that authorises credit card or direct payment processing for online and traditional retailers).

Cookies – Do we use them?

The site uses two types of cookies.

Session cookies are set by the system to enable visitors to log in to the site and to manage their connection to the services while they are logged in. These are set automatically and are required in order to access the system.

The site also uses cookies set by Google Analytics to monitor how visitors interact with the site. We use the reports from this service in aggregated, anonymised form and do not use them to identify or track individual visitors.

Data Retention – How long do we keep your data?

We will not retain your data for longer than necessary for the purposes set out in this Policy. Different retention periods apply for different types of data, medical and otherwise, however the longest we will normally hold personal data is 2 years.

Access to Personal Information – Can the candidate’s get access to their data?

Under the GDPR, data subjects have the right to access the personal data we hold about them, to have inaccurate data rectified, and to request its erasure. To exercise any of these rights, contact us:

Phone us on: 0141-889-5522
E-mail us at: info@healthierbusinessltd.co.uk
E-mail us at: info@hbcompliance.co.uk

Write to us at: Healthier Business UK Ltd, 12 Seedhill Road, Unit 3009, AbbeyMill Business Centre, Paisley, PA1 1JS

You have the right to lodge a complaint with the Information Commissioner’s Office. Further information, including contact details, is available at https://ico.org.uk.

Policy Review – When will you review this policy?

We will review this policy annually, and additionally whenever a legal obligation or a change in legislation requires it.

May 2018 – Healthier Business Group