Your privacy is important to you and us at Atrium. We understand that you care about how your personal data is used and stored. Atrium, as both the Data Controller [1] and the Data Processor [2] of your data, is committed to protecting your individual rights to privacy. The term “processing” covers virtually everything that can be done with data, including collection, recording, storage, disclosure by transmission, erasure and destruction. Your data will be processed in accordance with the Data Protection Act (DPA) 2018 and the new General Data Protection Regulations (GDPR) 2018.
If you have any questions about this Privacy Notice, please contact us by emailing [email protected] or by telephone on 01978 660 000
What Data may be collected?
The following data may be collected, held and shared by Atrium
- Information about you that may include name, address, e-mail, contact details, bank details, photographs and sensitive (or special category) information.
- Health related information
Who will it be collected from?
- You (The data subject)
- Your employer, e.g. Human Resources, Management
- A third party [3] course organiser or facilitator
- Medical professionals
How will it be collected?
- Websites – online form
- Paper forms
- Face to face
Who will have access?
- Atrium’s core admin staff [4] and your employers/course organisers/facilitators
Who will have access to Special Category data?
- Angela Tennant (Occupational Health Technician), Claire Jardine (Occupational Health Practitioner) and other relevant health professionals where required, including nurses, doctors and counsellors, so as to perform assessments and provide advice on fitness for work
Why is it collected? I.e. what is the “lawful basis” for processing the data?
- We may process your personal information to comply with our legal requirements (for example, to contact you if there is an urgent safety or product recall notice and we need to tell you about it).
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation to our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
- We may process your data to send direct marketing of similar products including prompt letters. We will not do this without your prior consent. You are able to opt out at any point by informing us of your preferences via email or phone (information stated on the Contact Us section of Website) or by replying to any of our emails.
Other grounds for processing
- Sometimes we will need to process your personal information if, for example, there is an urgent safety or product recall notice and we or the manufacturer of the product needs to tell you about it, or for life saving medical diagnosis and treatment purposes.
Change of purpose
- We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose, for example a change in the law. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Sharing Your Data
Your data will not be shared with any third party without your prior consent.
The information will be used to:
- Give you the services, information or products you have requested or required.
- Keep you in touch with our work, for example by sending you updates of when your certificate is due to expire. You will have an option to opt in to this communication when you attend your course.
How long will data be held for?
We retain personal data relating to payments, VAT, tax and accounts for the minimum statutory periods required by UK law.
We retain personal data relating to training records and consultancy work for the minimum required to fulfil our legal requirements and those of awarding bodies (e.g. British Safety Council, First Aid Industry Body).
We retain historic information relating to bookings, consultancy, events and purchases to enable us to analyse the performance of the business over time and plan for the future success of the company.
We only keep this information for as long as is necessary to perform this task.
How will the data be stored?
Our data and the data we collect are stored on a secure server based in the United Kingdom. Although transmission of information over the Internet cannot be guaranteed as one hundred per cent safe, once we have received your data we will use strict security procedures, data protection tools and anti-virus/hacking technology to prevent data loss or unauthorised access.
Hard copies of personal data are retained for legal purposes. These are stored in locked cabinets suitable for protection against fire and theft. Our unit is always staffed when open and locked at all other times. The building that contains Atrium’s unit (Redwither Tower) is staffed 24 hours.
Special Category Data
Article 9 of GDPR specifically authorises processing of data, as Occupational Medicine is a special category; thus “processing is necessary for the purposes of Occupational Medicine, for the assessment of working capacity of the employee, medical diagnosis, the provision of health and social care or treatment, or the management of health and social care systems.” Article 9(3) states that processing is permitted “When these data are processed by a regulated health professional” [5].
As your OH records are also classed as a “Clinical record”, Atrium Occupational Health Staff also have a legal and ethical duty (under relevant health professional codes of conduct) not to disclose confidential medical information to third parties, including your Employer, without your informed written consent, unless there is a grave risk of serious harm to others or as a result of a court order.
Our lawful basis for processing your data is:
- Legal obligation: the processing is necessary for us to comply with the law, namely relevant health and safety legislation and employment legislation, and to support your Employer in complying with the same law as we are acting as their agent;
- For the assessment of the working capacity of the employee;
- To ensure the health and safety of the employees at work and to allow consideration of any adjustments that may be required to support their ability to work;
- Vital interests: “the processing is necessary to protect someone’s life.” Part of our work will be to help protect your health from harm that may potentially arise from work processes or activities, e.g. exposure to chemicals.
- We need to process your special category data for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or management of health. This processing is also subject to conditions and safeguards specified by relevant nursing and medical professional bodies.
The following categories of cookie are currently set on atrium-uk.com:
Strictly necessary cookies are essential for the use of the features and services on atrium-uk.com. Accepting these cookies is a condition of using atrium-uk.com. If you block these cookies we cannot guarantee access to the services provided through atrium-uk.com or be sure how the website will perform during your visit.
Erasure and Destruction of data
Personal data will be destroyed by secure electronic file deletion and/or cross shredding at prescribed intervals.
You are guaranteed certain rights under UK and EU data protection law which Atrium will make every effort to meet. Not all of these rights are absolute – for example where there is a statutory obligation to retain data. The rights conferred to you are as follows:
- Request a copy of the personal information held about you
- Rectify information that is not correct
- Delete information held about you that is no longer necessary for another legitimate purpose
- Restrict your personal data from being processed in some way by Atrium
- Have a copy of your personal data supplied in a portable format
- Object to your information being processed in any way by Atrium
In the event of a data breach or serious complaint you can contact the ICO (Information Commissioner’s Office) directly via their website: www.ico.org.uk
We are registered with the ICO. Our registration number is Z2259934
1. Data Controller – means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
2. Data Processor – in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
3. Third Party – a person or group besides the two primarily involved in a situation. For example an organisation who co-ordinates courses for carers. In this contract, “Third Parties” are also Atrium non-employees.
4. Core Admin Staff – Atrium staff who work in the office day-to-day. Currently, Atrium has 6 core admin staff.
5. Occupational Health
6. Cookies – a small amount of data generated by a website and saved by your web browser. Its purpose is to remember information about you, similar to a preference file created by a software application. Cookies are also used to store user preferences for a specific site.
This policy will be reviewed and/or revised as necessary in order to meet any changes in statutory duty or best practice.