Privacy Statement

Rosebank Private Medical Services are an Occupational Health provider and we are responsible for safeguarding the privacy of your information. We fully comply with the provisions of the General Data Protection Regulation (GDPR) with regard to ‘personal data’ within our control.

We are committed to protecting your privacy and will only use information collected lawfully in accordance with: 

  • General Data Protection Regulation (GDPR)
  • Human Rights Act 1998
  • The Common Law Duty of Confidentiality
  • Health and Social Care (Safety and Quality) Act 2015

This Privacy Statement provides information about the type of data we collect and how it is managed.

Data Processor / Controller:

Rosebank Health

c/o Kingsway Health Centre

Rudloe Drive





Tel: 01452 782 272  

What is Occupational Health?

The Chartered Institute of Personnel and Development (CIPD) states that: “Occupational health seeks to promote and maintain the health and well-being of employees, with the goal being to ensure a positive relationship between an employee's work and health. There are many benefits to occupational health; managing the health and well-being of people at work and having access to specialist occupational health practitioners is key to unlocking these benefits.”

Occupational Health consultations are usually carried out by Occupational Health Physicians or Occupational Health Advisors. Rosebank Private Medical Services also have access to qualified nursing staff who are able to perform vaccinations, health surveillance and assessments. Without these clinicians, we would not be able to provide effective care to our clients.

What data do we process?

We collect and hold data for the sole purpose of providing Occupational Health services to individuals. In carrying out this role we may collect information about you which helps us respond to your queries or secure specialist services.

The records may include basic details about you, such as your name and address. They may also contain more sensitive information about your health and also information such as outcomes of needs assessments.

Health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure.  Your records are backed up securely; we ensure that the information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personnel.

We also make sure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

What information do we receive from your employer?

In order to refer you for Occupational Health services, your employer will need to provide details about you which will usually include the following: 

  • Name
  • Date of Birth
  • Address
  • Telephone number
  • Email address
  • Job Title


 Your employer will also need to provide a reason for the referral, which may include information relating to recurrent or long-term illness and/or disabilities; concern for workplace fitness; suspected workplace illness or injury; or concern regarding hazards at work.

We recommend that employers make employees aware of any referral to Occupational Health, together with details of any information to be provided to us.

What information is obtained during your consultation?

In order to proceed with a consultation we need your permission, together with your consent to the collecting of personal, sometimes sensitive information. It would not be possible for us to provide an Occupational Health assessment without keeping a record, as this is a professional requirement for registered practitioners.

During an Occupational Health consultation, the clinician will ask about health issues and your work, they may also carry out tests with your permission and consent only. The results of any tests undertaken will be kept as part of your record, which is a confidential file and is not accessible by your employer. You can of course see any information we keep about you, at any time, upon request.

What information will we send to your employer?

Following your consultation, a comprehensive health report will be sent to your employer. During your appointment, we will seek your consent to the release of this report to your employer.

In accordance with General Medical Council (GMC) guidelines, you will be given the option of reviewing this report before it is sent to your employer. Any comments you may have will be considered by the clinician and may be used to correct factual inaccuracies in the report. Your comments may also be appended to the report for your employer to consider if the clinician does not believe a change to the report is required.

How information is sent to the employer

A comprehensive health report will be sent to your employer, which will provide details of the consultation, recommendations, and your prognosis, so that your employer can make the best decision for both you as the employee and also the business.

The report may include:

  • Your name, date of birth and occupation
  • What condition you have been assessed for
  • Whether there has been any evidence of work related deterioration
  • Whether you are fit for work
  • Whether you need a follow-up appointment

Data Sharing Agreement

Your confidential Occupational Health record is not accessible by your employer and is never shared.

It is a requirement for employers making use of Rosebank Private Medical Services to agree to our Data Sharing Agreement. This outlines the responsibilities of the referring employer and Rosebank Private Medical Services for managing your personal information. In particular, it covers data security and confidentiality responsibilities. It also ensures you are aware of what information is being sent to us by your employer and that suitable controls are in place once the employer receives Occupational Health reports.

Legal Basis for processing information

Consent is the most appropriate lawful basis for processing personal, sensitive information in accordance with the General Data Protection Regulations (GDPR), and for the purpose of the provision of Occupational Health services.

Categories of personal data

We process personal information such as name, address and date of birth. We also collect occupational information and medical information including symptoms, history and treatments you may be undergoing. This medical information is considered a ‘Special Category of Data, under the GDPR. Clinical staff are bound by their governing bodies i.e. General Medical Council (GMC) and The Nursing & Midwifery Council (NMC).

Recipients of personal data

The information which we receive from your employer is only available to administrative and clinical staff at Rosebank Private Medical Services. All staff are bound by the Practice Code of Confidentiality, which states that:“A patient, client or member of staff has the right to expect that information given in confidence will be used only for the purpose for which it is given and will not be released to others without their permission or for purposes that are exempt under the General Data Protection Regulation.”

We may also have to share your information, subject to agreement, with the following organisations:

  • Midland Pathology Services (pathology laboratory)
  • Sage Pay (for debit/credit card payments)
  • Rackspace (a managed cloud computing company, who host our email system)
  • Vision INPS (healthcare software used by the Practice)
  • My Surgery Website (website host)

 Third Country Processing

Your data is not transferred to other countries.

Retention periods for your data

The Health & Safety Executive (HSE) state that Occupational Health records “should be kept in a suitable form for at least 40 years from the date of last entry because often there is a long period between exposure and onset of ill health.”


The GDPR provides the following rights for individuals:

The right to be informed

This Privacy Notice is one of the ways we make sure you are informed about the sensitive personal information we collect.

The right of access

You have the right of access to personal data we hold about you. If you would like access, please contact Rosebank Health. We will ascertain your identity and then forward you the requested data as soon as possible. We do not normally make any charges for providing this information.

The right to rectification

If you feel that information we hold is inaccurate or incomplete, please contact Rosebank Health. We will review the area you would like rectified and if this is appropriate, we will make the change. If we do not agree to the change, you have the right to complain to the Information Commissioner.

The right to erasure, also known as the ‘right to be forgotten’

If you would like us to consider erasing the personal information we hold about you, please contact Rosebank Health. Your request will be passed to the Data Protection Officer who will want to discuss this with you.

There are circumstances, as specified under GDPR, where the right to erasure will not apply to special category data, i.e. 

  • if the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional and subject to a legal obligation of professional secrecy (e.g. a health professional).

 There is also a statutory requirement to retain Occupational Health records for 40 years, so in some instances, we may not legally be in a position to erase all of your personal information.

The right to restrict processing

Once your personal information has been obtained, you have the right to restrict further processing. This means that you can limit the way in which an organisation uses your data; it is an alternative to requesting the erasure of your data.

Restricted data cannot be processed in any way except to store it, unless you provide your consent; or it is for the establishment, exercise or defence of legal claims; or it is for the protection of the rights of another person (natural or legal); or it is for reasons of important public interest.

The right to data portability

If your employer changes their Occupational Health provider, Rosebank Private Medical Services will request evidence of your consent to transfer your Occupational Health records to this new provider.

Rosebank Private Medical Services would not be responsible for any subsequent processing carried out by the new provider; however we would be responsible for the transmission of the data and would take appropriate measures to ensure that it is transmitted securely and to the right destination.

The right to object

The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.


Our website comes with a dedicated SSL certificate giving you and your employees confidence and trust in our online services.