As well as our promise to protect your privacy, your privacy is protected by professional standards, confidence and data protection law.

Please read this privacy notice to understand how we use your information and protect your privacy. We value your privacy and want to be clear about the data we collect, how we use it and your rights to control that information, which is why we've updated this privacy notice.

Central and North West London (CNWL) is a Data Controller and Data Processor under the Data Protection Act 2018.

The General Data Protection Regulation requires us to manage all personal information in accordance with some important principles. In particular, we are required to process your personal information fairly and lawfully. This means that you are entitled to know how we use your information.

Occupational Health works as the in-house service to CNWL and works alongside organisations in London and across the UK, helping them to promote and maintain the health and wellbeing of their staff. You can read more about us here.

We have appointed a Data Protection Officer (known as a ‘DPO’) and a dedicated team that looks after data privacy rights.

You can write to us:

Head of Information Governance / Data Protection Officer, Central and North West London NHS Foundation Trust, 350 Euston Road, Regent's Place, London NW1 3AX

As your OH records are also classed as a 'clinical record' we also have a legal and ethical duty (under relevant health professional codes of conduct) not to disclose confidential medical information to third parties, including your manager or HR, without your informed written consent, unless there is a grave risk of serious harm to others or is the subject of a court order.

To enable us to provide an Occupational Health and Wellbeing Service to the Trust’s staff, partner organisations and their employees.

  • Personal Information, for example: Name, Address, Date of birth, National Insurance number
  • Personal Characteristics, for example: ethnicity, gender etc.
  • Contact details, for example: telephone and email
  • GP and/or specialist contact details
  • Past and present occupational job roles and occupational exposure
  • Health information that would be classed as ‘special category data’, for example: your health questionnaire completed during the recruitment process
  • Details of medical investigations and biological testing.

  • You (the data subject)
  • Your manager and Human Resources
  • Health specialists/services that we may refer you to as part of our assessment process
  • With your consent, your GP or other specialists from whom you have received treatment.

  • Verbally by way of telephone calls or during face to face conversations
  • In writing or electronically via forms that you or your manager complete as part of the management referral process or for health surveillance, or via reports sent to us from other parties, for example, from your GP
  • Online communication platforms such as Skype.

We use this data to:

  • Identify you and ensure that your medical information is filed correctly
  • Assess and protect your health and your fitness to work
  • Identify a baseline of your health against which to measure any future changes
  • Provide advice to managers on the impact of your health on work and work on your health
  • Promote your abilities and help support any disabilities in the workplace, recording recommendations for necessary adjustments, restrictions or modifications
  • Identify any additional support that would help you to improve your health.

In order for OH to process your information, much of which is ‘special category’ data (that which is sensitive), we rely on a lawful basis for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

OH also processes data in circumstances where it is necessary to:

  • Enable you to comply with your contract of employment with the Trust, or a partner organisation on behalf of whom OH acts
  • Enable the Trust, or a partner organisation on behalf of whom OH acts, to comply with legal obligations under the Health and Safety at Work (etc.) Act 1974, to protect your health and safety at work as far as is reasonably practicable.

Your information is private and will only be shared when it is necessary and lawful to do so:

  • Information on your fitness to work is shared with your line manager, department safety officers and HR - with your consent.
  • Details of your medical conditions will be shared with others involved, or to be involved, in the provision of your healthcare – for medical purposes.**
  • Details of infectious diseases which present significant risk to human health and the wider public under the Public Health (Control of Disease) Act 1984 and the Health Protection (Notification) Regulations 2010 to the relevant official – where we have a legal duty.
  • Where a court orders us to share your information – where we have a legal duty.
  • When it’s required by us or others to detect, investigate or prevent serious crime - where we have a legal duty.
  • Assisting third parties with regulatory responsibilities such as the Care Quality Commission and Information Commissioner’s Office - where we have a legal duty.

** The relationship between a patient and a medical professional is a special one. Clinicians have a common law duty of confidence. And so the OH clinician will be satisfied that you consent to any sharing - even when this is for genuine medical purposes under the GDPR.

When determining how long we keep your information, we take into account any legal requirements, the expectations of the data protection regulator and the amount of time since your last engagement with OH. We do not keep records for longer than is necessary.

For CNWL staff all data will be retained for the duration of employment with the Trust and for three to ten years following your leaving date, with the exception of Health Surveillance information. This will be stored for 40 years to comply with Health and Safety Control of Hazardous Substances at Work (COSHH) 2012 legislation. Information on Radiation Medicals will be stored for 50 years to comply with the Ionising Radiation Regulations. Health Declarations for the assessment of fitness to work or study will be retained for 2 years following completion of study or termination of contract of employment. The above will be applied, unless there are other clinical grounds or legal reasons to keep them for a longer period.


You have a right to ask CNWL if we have your personal information. If we do, you have a right to know:

  • Why we have it
  • What type of information we hold
  • Whether we have or will send it to others, especially outside the European Economic Area
  • How long we will keep it
  • Where we got it from
  • Details of any automated decision-making.

If you want, you can ask for a copy of your occupational health record (in full or in part), too.


You do not have a “right to erasure” of your data as the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This applies as your data is being processed by and under the responsibility of a health professional under relevant codes of conduct and the common law duty of confidence.

You can, however, request that an amendment is attached to your OH record if you believe any of the information held by us is inaccurate or misleading.


Where the Trust has relied on your consent to process your data, you have a right to withdraw your consent at any time.

The Trust may look to another legal basis to undertake a processing activity.

The General Data Protection Regulation is important. It strengthens data protection rules and enhances your information rights - but rules are still grounded in some good common sense. CNWL will make changes to the Occupational Health privacy notice as part of our commitment to protecting your privacy and affording you even more transparency.

We hope you have found this privacy policy easy to understand. If you have any questions, contact our Data Protection Officer and the Information Governance team.
