1. Summary of Fit for Work Policies (England & Wales)
Fit for Work is delivered in England and Wales by Health Management Limited (HML) and its subcontractors, on behalf of the Department for Work and Pensions (DWP). In this policy, “we” and “our” refer to HML and its subcontractors; “you” and “your” refer to people using the Fit for Work service – employees, employers and GPs.
Fit for Work deals with both personal and sensitive data, as classified under the Data Protection Act (DPA). We have developed a specific set of protocols, procedures and policies to ensure the protection of the data we hold. We are also governed by or registered with a number of public bodies and councils, all of which have guidelines and ethical codes that are followed.
We can confirm that the following systems are currently in place to ensure data held by Fit for Work is protected and kept confidential at all times:
- Fit for Work adheres to a data protection policy which details the requirements of the legislation in relation to our own staff and the data/information held on the employees, GPs and employers with whom we work.
- We work to the standards outlined by the General Medical Council for which information security and data protection are reinforced by the Faculty of Occupational Medicine in their ethical guidelines (Guidance on Ethics for Occupational Physicians 2012 edition).
- Before any Return to Work Plan (RtWP) is released we gain explicit consent from all employees which allows us to store and process their data, and send Return to Work Plans (RtWP) to designated officers within their organisation or their GP. If employees choose not to give consent or withdraw their consent at any time during the process this is honoured and appropriate action taken as necessary.
- Our ISO 9001 accreditation and Quality Management System includes protocols around data management, corrective action (managing complaints) and clinical governance.
- Our ISO 27001 accreditation ensures that our security and protection protocols for all data, information and assets are audited both internally and externally.
- All new employees are given training on Confidentiality and Data Protection during their inductions.
- On a rolling programme, Fit for Work employees are trained in Confidentiality, Data Protection, Medical Ethics and Information security. This acts as a refresher for more experienced and senior staff, but no-one is exempt. Every year they must undertake an evaluation/quiz and achieve 80%; if they do not, then they are given further 1-2-1 training.
- The Health Professionals delivering Fit for Work are governed by their relevant professional bodies, for example the General Medical Council (GMC) for Physicians and the Nurse and Midwifery Council (NMC) for Nurses, all of which have strict codes regarding confidentiality and information security to which clinicians must adhere to remain registered.
- All employment contracts include a detailed section on medical confidentiality and data protection which employees must sign before joining Fit for Work.
- Our Employee Handbook, which is issued to all staff during induction, has sections on data protection and confidentiality, and a ‘live’ copy is available for all staff in the company shared folder to access at any time.
- All Fit for Work employees have a procedure manual for their role. This sets out step-by-step instructions on how to undertake all tasks associated with their role, plus all checks that are to be made at each stage. This ensures all staff are aware of how security and confidentiality of the information they are coordinating impacts on the business, and employers and their employees using Fit for Work.
- All suppliers have a contract which includes data protection and confidentiality clauses.
2. Fit for Work – How we handle information you provide
2a. The Formalities
Fit for Work deals with both personal and sensitive data, as classified under the Data Protection Act (DPA). Health Management Limited (HML) delivers Fit for Work on behalf of the Department for Work and Pensions (DWP). DWP and HML are joint Data Controllers under the Data Protection Act but in practice, Health Management Limited and its authorised subcontractors will process the personal and sensitive data you provide when we have an interaction with you as described in this privacy notice. Summaries and statistical analysis will be shared with the DWP for evaluation purposes. Fit for Work will be evaluated and may be audited by authorised independent organisations who will maintain the confidentiality of personally identifiable data during these tasks. DWP will undertake sample audits of individual cases to ensure the quality of the service, so an approved DWP representative will have sight of personal and sensitive data for these cases while completing the audit; no personally identifiable or sensitive data will be removed from the Fit for Work site. Other than for the completion of these audits, personally identifiable data will not be shared with or processed by the DWP.
This guide explains how Fit for Work will manage and process personal and sensitive (health related) data obtained by the Fit for Work Advice service and Assessment service. This information may be submitted to Fit for Work by any of the following:
- Telephone (advice service or assessment);
- “Ask a Question”;
- “Get involved”;
- By post/written;
- Referral by GP or Employer.
2b. Advice Service
As an advice service we take a very limited amount of personal information from you, which is stored in our customer information system and on our call recording system. If you do not wish for your personal information to be stored, please say so and we will remove personal references. We also ask you to take care that you do not give us other people’s personal details (such as names or addresses) when discussing your health and your work.
2c. Assessment Service
Fit for Work has a data protection policy which details the requirements of the legislation in relation to our own staff and the data/information held on the employees, GPs and employers with whom we work. We work to the standards outlined by the General Medical Council for which information security and data protection are reinforced by the Faculty of Occupational Medicine in their ethical guidelines (Guidance on Ethics for Occupational Physicians 2012 edition).
Before any Return to Work Plan (RtWP) is released we gain explicit consent from all employees which allows us to store and process their data, and send Return to Work Plans (RtWP) to designated officers within their organisation or their GP. If employees choose not to give consent or withdraw their consent at any time during the process this is honoured and appropriate action taken as necessary.
This service is evaluated and may be audited by authorised independent organisations, who are contractually bound to protect the data they review.
2d. Telephone recording
As part of the assessment service, all calls are recorded for training and quality purposes. Informed consent is gained before the assessment commences and employees can choose to not have the call recorded.
Personal and health data collected in the course of recording activities will be processed fairly and lawfully in accordance with the Data Protection Act 1998.
2e. How we handle and use information
Access to all information we acquire is strictly controlled – all our employees have to pass security vetting before having access to information systems.
Fit for Work keeps information for the following reasons:
- To maintain a record of the service we have provided and enable us to manage and deliver the service. We keep records for the necessary and appropriate amount of time.
- To contact you if your query was not resolved the first time you contacted us.
- To ask you about your customer satisfaction in order to enable us to maintain the quality of the service provided, and see where we can improve.
- To provide an auditable record of the service (Fit for Work is publicly funded) and to enable independent evaluation.
- To look back at a series of events and establish whether staff need additional training.
- To promote the Fit for Work programme further with Employers and GPs who have used the service before; however, you may opt out of this at any time.
We review the information when we monitor our own quality, and we will also use the information for statistical analysis and evaluation, for example, to find out what the main reasons are for people using the service or where we could improve.
Fit for Work is also evaluated and may be audited independently to ensure the quality of the service. Authorised auditors and evaluators may require access to personal and sensitive information, but their reports will only contain anonymised information. All are vetted appropriately before access is granted and are contractually bound to protect the information.
If you want to see any of your own personal data held by us, you can make a “Subject Access Request”. We ask you to put your request in writing to: Customer Contact Manager, Fit for Work, 1 North Bank, Blonk Street, Sheffield, S3 8JY. We will take steps to verify your identity and then we will provide you with the data.
2f. Putting data beyond use
As joint data controller, Fit for Work can put data ‘beyond use’, if requested by an individual to do so.
If we are asked to put data ‘beyond use’ then we will ensure:
- There are technical and secure systems in place to meet this request.
- It cannot be accessed by employees of FFW.
- It cannot be reviewed if the individual is referred to the service in the future.
- It is not included in any anonymised management information.
- We commit to permanent deletion of the information if, or when, this becomes possible.
Please note, however, that if we are issued with a Court Order to disclose the information, we do have to meet this request.
3. Website Policy
The policy sets out the different areas where user privacy is concerned and outlines the obligations and requirements of the users, the website and website owners. Furthermore, the way this website processes, stores and protects user data and information will also be detailed within this policy.
3a. The Website
This website and its owners take a proactive approach to user privacy and ensure the necessary steps are taken to protect the privacy of its users throughout their visiting experience. This website complies with all UK national laws and requirements for user privacy and is regularly updated in line with technological advancements.
Users are advised that if they wish to deny the use and saving of cookies from this website on to their computer’s hard drive they should take necessary steps within their web browser’s security settings to block all cookies from this website.
Other cookies may be stored to your computer’s hard drive by external third parties when this website uses referral programmes or sponsored links. Such cookies are used for conversion and referral tracking and typically expire after 30 days, though some may take longer. No personal information is stored, saved or collected.
3c. Contact & Communication
Users contacting this website and/or FFW/HML do so at their own discretion and provide any such personal details requested at their own risk. Your personal information is kept private and stored securely until a time it is no longer required or has no use, as detailed in the Data Protection Act 1998. Every effort has been made to ensure a safe and secure process but we advise users that they do so at their own risk.
This website and FFW/HML use information submitted to provide you with:
- Information about the services they offer.
- To assist you in answering any questions or queries you may have submitted.
- To evaluate the service and your experience of it.
- To further promote the FFW service to Employers and GPs.
- To subscribe you to the email newsletter programme the website operates, but only if this was made clear to you and your express permission was granted on submission.
This is not an exhaustive list of your user rights in regard to receiving email marketing material. Your details are not passed on to any third parties except those authorised to evaluate and audit the service.
3d. Email Newsletter
This website operates an email newsletter programme, used to inform subscribers about services supplied by this website. Users can subscribe through an online automated process should they wish to do so but do so at their own discretion. Some subscriptions may be manually processed through prior written agreement with the user.
Subscriptions are taken in compliance with UK Spam Laws detailed in the Privacy and Electronic Communications Regulations 2003. All personal details relating to subscriptions are held securely and in accordance with the Data Protection Act 1998. No personal details are passed on to third parties outside Fit for Work.
Email marketing campaigns published by this website may contain tracking facilities within the actual email. Subscriber activity is tracked and stored in a database for future analysis and evaluation. Such tracked activity may include: the opening of emails, forwarding of emails, the clicking of links within the email content, times, dates and frequency of activity.
This information is used to refine future email campaigns and supply the user with more relevant content based around their activity.
In compliance with UK Spam Laws and the Privacy and Electronic Communications Regulations 2003, subscribers are given the opportunity to un-subscribe at any time through an automated system. This process is detailed at the footer of each email campaign. If an automated un-subscription system is unavailable, clear instructions on how to un-subscribe will be detailed instead.
3e. External Links
Although this website only looks to include quality, safe and relevant external links, users are advised to adopt a policy of caution before clicking any external web links mentioned throughout this website. (External links are clickable text / banner / image links to other websites.)
The owners of this website cannot guarantee or verify the contents of any externally linked website despite their best efforts. Users should therefore note they click on external links at their own risk and this website and its owners cannot be held liable for any damages or implications caused by visiting any external links mentioned.
3f. Social Media Platforms
Communication, engagement and actions taken through external social media platforms that this website and its owners participate on are subject to the terms and conditions as well as the privacy policies held with each social media platform respectively.
Users are advised to use social media platforms wisely and communicate / engage upon them with due care and caution in regard to their own privacy and personal details. Neither this website nor its owners will ever ask for personal or sensitive information through social media platforms and encourage users wishing to discuss sensitive details to contact them through primary communication channels such as by telephone or email.
This website may use social sharing buttons which help share web content directly from web pages to the social media platform in question. Users are advised before using such social sharing buttons that they do so at their own discretion and note that the social media platform may track and save your request to share a web page respectively through your social media platform account.
3g. Shortened Links in Social Media
This website and its owners, through their social media platform accounts, may share web links to relevant web pages. By default some social media platforms shorten lengthy URLs (web addresses); this is an example: http://bit.ly/zyVUBo.
Users are advised to take caution and good judgment before clicking any shortened URLs published on social media platforms by this website and its owners. Despite the best efforts to ensure only genuine URLs are published, many social media platforms are prone to spam and hacking and therefore this website and its owners cannot be held liable for any damages or implications caused by visiting any shortened links.