Policy name Privacy Notice
Author Andy Milne, Contract & Performance Director
Approved by Natalie Keating, Chief Executive Officer
Date of Last Review 25/11/2024
Scope
This Privacy Notice explains how The Better Health Generation Limited (TBHG) collects, uses and shares (or “processes”) personal data.
Who we are?
The Better Health Generation Limited (TBHG) is a registered company in the UK, registration number: 11696072
Head Office
Building 4,
Foundation Park,
Roxborough Way,
Maidenhead,
United Kingdom,
SL6 3UD
Telephone: 44(0)2081 671824
Email: [email protected]
For the purposes of the Data Protection Act 2018 and as defined by Article 4 (7) of the UK General Data Protection Regulations (UK GDPR), are registered as a ‘data controller’ for personal data processed by The Better Health Generation Limited (TBHG). This means that we determine the purposes for which, and the manner in which, your personal data is processed. We have a responsibility to you and your personal data and will only collect and use this in ways which are compliant with data protection legislation. We are also a Data Processor as defined in Article 4 (8) of the UK GDPR.
The Better Health Generation Limited (TBHG) Data Protection registration can be viewed on the Information Commissioners Website. The Better Health Generation Limited (TBHG) has appointed a Data Protection Officer (DPO). The role of the DPO is to ensure that the organisation is compliant with UK GDPR and to oversee data protection procedures. The DPOs contact details are:
Ellie Robertson
Governance & Data Compliance Manager
Email: [email protected]
Why do we process information?
The Better Health Generation Limited (TBHG) process personal information to enable us to provide services to our customers and clients; to promote our services, to maintain our own accounts and records, and to support and manage our employees.
The Better Health Generation Limited (TBHG) generally collects data:
• To meet our contractual obligations
• To meet our legislative obligations
• Where you have provided your consent
• Where it is necessary to protect the vital interests of an individual
• Where we have a legitimate interest
• Where processing is necessary for the establishment, exercise or defence of
legal claims
• Where processing is necessary for reasons of public interest
What information do we collect?
To provide you with services, marketing, and communications suited to your needs, we require information about you. We may collect this information directly from you, or we may process personal information that has not been collected directly from you, but all personal information is obtained from verified sources and will only be processed if a suitable legal basis has been established.
Type of personal information we collect
The categories of information that we collect, hold and share include the following:
• personal information e.g. name, date of birth, address
• family members personal information
• Verified third parties acting on your behalf
• business activities of the person whose personal information we are processing
• lifestyle and social circumstances
• financial details
• education and employment details
• goods and services
Type of special category personal information we collect
We may also process sensitive classes of information including:
• racial or ethnic origin
• religious or other beliefs
• Trade Unions
• genetic & biometric details including photographs for marketing materials, videos and telephone/meeting recordings
• physical or mental health information
• data concerning a person’s sex life or sexual orientation
Classes of personal information we process
We process personal information about:
• customers
• clients/participants
• employees
• suppliers
• professional advisers, freelancers, and consultants
• complainants, enquirers
TBHG does not knowingly solicit personal information from children under the age of 13 or send them requests for personal information. If we have collected personal information on a child, please contact us immediately, so we can remove and/or assess review this information without any undue delay. Where data relating to criminal activities is concerned, we will only process this data in line with Article 10 of the UK GDPR and the Data Protection Act 2018.
We will also process information received from:
• Department of Work and Pensions (DWP)
• Prime Contractors
• Other Data Controllers & Data Processors
Legal basis for processing
We need the information listed above (see what information we collect) primarily to allow us to perform our contract or provide services to you. We will process your data to enable us to meet our commitment to you e.g., protecting and promoting your health at work, fulfilling our responsibility for the health assessment, advising on the management of work-related health problems and health problems which may be affected by work, helping you get into work and providing counselling and other therapy services.
We use the information we hold about you to:
• Ascertain your fitness to undertake work where there is an established fitness standard.
• Establish baseline health records where you may be working with substances and agents which have the potential to cause disease.
• Monitor your health if you continue to be exposed to workplace allergens or substances which may cause disease.
• Monitor your hearing if you are exposed to noise at work in line with the Noise at Work Regulations.
• Oversee the monitoring of your health if you are exposed to Ionising Radiation Sources
• Advise on the management of accidents and exposures in the course of your work.
• Provide advice and support to you in the management of a work-related health problem or health problem that affects you at work.
• Within the established practice of medical confidentiality provide advice to your line manager on the management of work-related health problems or health problems that may affect you at work.
• Deliver Counselling or other personalised therapy services.
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose and we have a legal basis for doing
If we need to use your personal information for an unrelated purpose, your explicit consent will be sought prior to processing, and this will be processed in accordance with the regulations that apply to:
9(2)(a) of The UK General Data Protection Regulation 2018 you have provided explicit consent
9(2)(b) of The UK General Data Protection Regulation 2018 as part of the official authority vested in us as Data Controller
9(2)(c) of The UK General Data Protection Regulation 2018 to protect the vital interest of an individual
9(2)(f) of The UK General Data Protection Regulation 2018 where processing is necessary for legal purposes
9(2)(g) of The UK General Data Protection Regulation 2018 where processing is necessary for reasons of substantial public interest
9(2)(h) of The UK General Data Protection Regulation 2018 for reasons of substantial public interest.
9(2)(i) of The UK General Data Protection Regulation 2018 where processing is necessary to protect threats to public health.
Whilst the majority of information you provide to us is mandatory, some of it is provided to us on a voluntary basis. When we do process this additional information, we will ensure that we ask for your consent to process this.
Sharing Data
Where The Better Health Generation Limited (TBHG) shares data with a third party who undertakes work for TBHG, TBHG requires that the sharing is undertaken under contract and is subject to a Service Level Agreement, specifying the secure management of the data.
Data might also be shared with other bodies, for the purposes of those organisations fulfilling their own statutory purposes. Such sharing is undertaken using a standard data sharing agreement for specified legitimate and restricted purposes.
Where necessary or required we may also share information with:
• business associates and other professional advisers
• current, past or prospective employers
• family, associates and representatives of the person whose personal data we are processing
• employment and recruitment agencies
• financial organisations
• credit reference agencies
• debt collection and tracing agencies
• suppliers and service providers
• persons making an enquiry or complaint
• other companies in the same group
• central government
We will not share any information about you outside the organisation without your consent unless we have a lawful basis for doing so.
In line with the principles of medical confidentiality no medical information (diagnosis, results of tests etc.) is shared without your informed consent (permission). This is a professional requirement separate to any requirements of data protection legislation. Where specific health assessment processes are undertaken, information on the outcome of such assessments is shared internally to nominated individuals who have a business need to know.
We may in exceptional circumstances process your personal data because it is necessary to protect your or another person’s vital interests, for example, where you have a life-threatening accident or illness in the workplace, or where you disclose during treatment information giving rise to safeguarding concerns and we have to share your personal data in order to ensure you receive appropriate medical attention.
Security
The security of The Better Health Generation Limited’s (TBHG) systems which process and store data are regularly reviewed in accordance with legislative and funding requirements, and assessments and checks promoted by the Information Commissioner’s Office.
Data is securely deleted when it is no longer required for the purposes collected. For further details please see our Data Protection & UK GDPR Policy and our Data Retention & Disposal Policy.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
In addition, we limit access to your personal information to those employees, who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
How long do we keep your data for?
The Better Health Generation Limited (TBHG) will keep your data in line with our Data Retention Schedules.
Most of the information we process about you will be retained as determined by statutory obligations. Any personal information which we are not required by law to retain will only be kept for as long as is necessary to fulfil our organisational needs.
Anonymous data from surveys and feedback exercises may be retained for a longer period to aid year on year comparisons.
What rights do data subjects have over their data?
Under UK GDPR you have the following rights in relation to the processing of your personal data:
• to be informed about how we process personal data.
• to request access to the personal data that we hold,
• to request that your personal data is rectified if inaccurate or incomplete.
• to request that your personal data is erased where there is no reason for its continued processing.
• to request that the processing of your personal data is restricted.
• to object to your personal data being processed.
• The Right to request we port your personal data.
• The Right to request we do not solely automate, our decision making, and automate your profiling.
If a data subject has any concerns about the way we have handled their personal data or would like any further information, they should be advised to contact our DPO via the Email address provided above.
If we cannot resolve their concerns, they may also complain to the Information Commissioner’s Office (ICO) (the Data Protection Regulator) about the way in which the organisation has handled their personal data.
The ICO however will only usually investigate a complaint once the organisation being complained to has had an opportunity to respond. If you are unhappy with the handling of your Data Subject Rights Request, you can request a review within 40 working days of receiving your initial response. If you wish to do this, you must do so in writing, identifying the decision that you wish to be reviewed or the aspect of the handling of your request that you are unhappy with.
If you are dissatisfied with the outcome of any review carried out by us in relation to information that we hold about you, you may wish to appeal to the UK Information Commissioner (ICO) who oversees the UK General Data Protection Regulations. If you wish to do this, please write to the Information Commissioner’s Office as soon as possible after receiving the outcome of your review.
The Information Commissioner’s Office can also give you general information and advice about your rights to access information that is about you, and they can be contacted at:
Information Commissioner’s Office Wycliffe House Water Lane
Wilmslow Cheshire SK9 5AF
Telephone Number: 0303 123 1113
Cookies
Cookies are small pieces of information that are issued to your computer or mobile device when you interact with our website, and which store and sometimes track information about your use of our website, further details of the cookies can be found in our Cookies Policy.
Changes to our Policy and Privacy Notice
This policy was last updated on 25th November 2024. The Better Health Generation Limited (TBHG) may amend this Privacy Notice from time to time. If we make any substantial changes in the way we use your personal information we will make that information available by amending this Privacy Notice.
