Who are we?
Industrial Diagnostics Company (IDC) is a limited company registered in England and Wales whose registered office is Kings Court, Water Lane, Wilmslow, Cheshire, United Kingdom, SK9 5AR. We take our Data Protection obligations very seriously and this notice gives you information about our approach to Data Protection legislation and provides you with information about how we manage personal data.
Industrial Diagnostics Company as a Data Controller
IDC is committed to protecting your privacy and maintaining the security of any personal information received from you. We strictly adhere to the requirements of the UK General Data Protection Regulations (UK GDPR). For the purposes of this notice IDC is the Data Controller unless it has been specifically noted otherwise. In addition, we operate within guidelines and ethical codes relating to confidentiality, as provided by the Faculty of Occupational Medicine, the Nursing and Midwifery Council and other health professions regulators.
This notice relates to the collection and processing of personal data for IDC. In many instances IDC is a Data Processor acting on the instruction of our clients via contract. In other instances, we are a Data Controller in our own right due to the nature of the specialist occupational health services we provide and we are also a joint Data Controller in limited circumstances. We offer effective advice on managing health and work-related issues via occupational health services, robust health surveillance programs (including key surveillance risk areas, audiology, respiratory and HAVS), biological services (including assessing chemical exposure, blood testing and vaccinations) and pre and post placement employment checks and occupational health services to higher education.
Processing activities that are covered
This notice applies to the processing of personal data collected by us when you:
Have an Occupational Health assessment,
Are assessed for ill health retirement or fitness to work,
Are assessed under statutory health surveillance (such as audio, HAVS, skin, spirometry, respiratory, drug & alcohol, musculoskeletal, NFDC etc),
Are assessed to undertake specific university courses & associated immunity checks,
Are assessed as part of your employer’s or university’s responsibility in respect of biological monitoring (such as blood testing and vaccination/immunisation),
Are referred to us by the NHS to undertake diagnostic audiology services,
Receive specialist services such as counselling, physiotherapy or psychiatric services as a result of an occupational health assessment,
Visit our website,
Visit our social media pages,
Visit our office,
Receive communications such as emails and phone calls from us,
Register for and/or attend events where we participate or host,
Are an applicant to join IDC as an employee or an associate, including, where appropriate, relevant DBS and qualification/registration/certification checks,
Are a client where our services are those of a Data Controller,
For sales and marketing,
For the understanding, development, growth, and administration of our business.
The personal data we collect
We collect personal data directly from you as follows:
Where we are conducting Occupational health activities on behalf of your employer under contract we require:
identification data - such as your full name, gender, date of birth, National Insurance number, NHS number, home address, email address and contact telephone numbers,
employment details - including job title, work address, employment contract, background checks,
Sensitive information about your health – such as your full medical history, including your physical and mental health, medication and clinical observations of any medicals or health assessments (including on-line assessments) that we carry out.
General Practitioner details or details of other professionals (only collected to enable assessments to be made of your medical fitness or any appropriate adaptations to your employment),
Biological samples from you in respect of immunisation,
If you express an interest in our products and services, whether over the phone, via email, social media, webforms or webinar attendance, when signing up to newsletters and other communications, when downloading certain content from our websites, or at events we attend or host, the information we may require is contact information, name, phone number, email address, company name, company address and confirmation of security credentials.
When you make a purchase, we will require financial information for payment, billing and access to e-learning materials (which may be provided by third parties) and this may include bank details, credit card information, invoice name, address and point of contact.
If you attend an event where we are participating, you may have given your consent to be contacted by us following the event. This information may include name, phone number, email address, company name and job title.
If you connect with us through a social media channel, we will know your social media handle and any other information including photos you make available through our interactions and your profile.
If you use our website we will have details about your usage of our sites through cookies, beacons, and similar technologies. This information may include IP address and information about your visit.
If you complete surveys or enter competitions we may require contact information such as name, phone number, email address, company name and job title.
If you complete a registration form on our website when downloading content, we will ask for details such as name, address, email, company name, position and phone number.
If you are an applicant for a role at IDC we will require information for HR purposes such as name, address, phone number and email address along with information relating to your career history with the positions you held along with any qualifications and certificates, including medical registration information.
If you visit one of our offices, we have CCTV in certain locations which may capture your image for the prevention and detection of crime and to ensure compliance with our policies. You may be asked to provide your name, signature, company name when attending our offices.
Please note this list is not exhaustive but gives an indication of the data we collect.
Personal data we collect from other sources
We receive referrals for our services from employers, from GPs and from the NHS under contract.
We obtain information from other companies within the Citation Group in order to provide a greater level of service or to better understand clients and industries we operate in or where synergies apply to our business and to yours. We also obtain information from Citation Group services to help us comply with data protection laws.
Data from your device, usage of our website and applications
Our website may contain links to other organisations’ websites for your ease and convenience; however, please note we are not responsible for them, how they operate or their security provision. If you have any questions regarding privacy, you should review their privacy notices which will be available on their websites.
Purpose for processing and the legal bases for processing we rely on
We collect and process personal data for the following purposes and with the appropriate legal basis:
For our occupational health services we will always obtain your permission to proceed with the consultation, however our Data Protection condition for processing your information is under contract, and our legitimate interest. The information we collect is categorised as special category data and is processed in accordance with our occupational health obligations to assess your working capacity.
Where we process children’s data on behalf of the NHS this is processed under contract. The GP making the referral will discuss consent prior to the appointment with the parent or guardian unless the young person has capacity to understand the referral. We will also discuss the process with the young person or the parent or guardian prior to the procedure.
Where we assess university students for fitness to undertake particular clinical courses we will initially require an on-line questionnaire to be completed. The outcome is a technology only based decision and where no further information is required a fitness certificate is issued. Our condition for processing is under contract with the university and our legitimate interest as well as occupational health purposes.
Where we assess potential employees for pre-placement health checks we will initially require an on-line questionnaire to be completed. The outcome is a technology only based decision and where no further information is required a certificate confirming fitness to work is issued. Our condition for processing is under contract with the employer and our legitimate interest as well as occupational health purposes.
Where we deliver work or university place vaccinations we do so with your full permission but also under contract with your employer/university and for occupational health purposes.
Where we undertake a chest x-ray as part of health surveillance screening for conditions such as silicosis, we do so with your full permission but also under contract with your employer and for occupational health purposes.
Where our website is concerned, we are processing your personal data with your consent if it is required and for other elements of our website we are processing based on the legitimate interest to operate and administer the site. Where site security is concerned and the activities through our cookies that enable a secure site, this is administered as a legitimate interest.
The recording of phone calls by default on all calls is done as a legitimate interest in protecting both your interests and that of ours. Call recording is used for security, monitoring and training purposes.
If the appointment is undertaken via video we may record the meeting for our legitimate interests for the purposes of training and monitoring and complaint handling.
We may ask you for personal data when dealing with enquiries or complaints; this data is processed as a legitimate interest in being able to effectively follow up on your enquiry. We also process data in accordance with contractual obligations, such as client communications.
Setting up and managing our clients is in accordance with our performance of our contract. This is also the case when it comes to good administration of matters relating to your contract with IDC.
Managing event registration, administration of an event or providing training is done as a legitimate interest in ensuring efficient administration. We also rely on legitimate interests for processing client contact data for service surveys - if you choose to complete a survey this is done on the basis of consent.
Managing your payments relating to the service we provide. This also includes the entirety of the payment process in line with the terms and conditions of our service. We may also from time to time have to escalate this process to a third-party debt collection service. This disclosure of such data would be as a legitimate interest and further processed as part of the contractual terms.
The identification of opportunities both with prospects and within our existing client base is done in furthering the legitimate interests of the business. Any sharing of data internally within Citation Group companies is also a legitimate interest when it is done for similar purposes. This data may also be used to improve user experience and our understanding of both the client journey and appropriateness of products and services at different points of the client lifecycle either within IDC or across the Citation Group.
Registering your information as a visitor to our office is as a legitimate interest to protect our building, business and colleagues.
If you provided a testimonial of our service, you will be doing so of your own free will and therefore your consent.
Where you have applied as a candidate for a role at IDC we will process your information in part as a legitimate interest, in part with your consent and in part as a legal obligation. We may also use recruitment companies from time to time; where data is shared with these organisations we will both be Data Controllers and we will process your information in the same way. Further Data Protection information regarding their activities can be gained from the recruitment agency. We may also contact the DBS and request information relating to any criminal convictions; we process this information as a legal obligation in respect of employment law.
We may send sales and marketing communications related to our services and those services of other companies in the Citation Group in accordance with our legitimate interests.
Where there are legal obligations that we must comply with, such as tax or dealing with local or national government, authorities, agencies and professional advisors we process under our legal obligations in accordance with statute.
Where information is required by law, such as the Police, Courts or Local Authorities we will process under the legal obligation or it may be in our legitimate interest to protect our rights and if necessary, to disclose information for the protection of these rights.
Running, managing and administration of our business are critical to the successful delivery of our service. It includes but is not limited to aspects such as account management (sales, service and financial), IT (support to clients, use of or migration to platforms, running and improving the business and its security), development of our applications, reporting and improvement. The legal bases for these activities will vary but is likely to be for the performance of contract, our legitimate interests or a legal obligation.
Please note this list is not exhaustive but gives an indication of the processing activities undertaken and our Data Protection basis for processing.
Who we share your data with?
We only share your information where we are strictly able to and only in accordance with Data Protection legislation. We may share your personal data in the following circumstances:
Where we have undertaken occupational health assessments or surveillance, we will share certain information with your employer or university.
We may share information with other health professionals, e.g. physiotherapists, counsellors, clinicians in a specialty field who are working under contract with IDC.
We may share information with your General Practitioner or a specialist within the NHS.
Where we provide vaccinations we will share the information with your employer and university.
We will share your biological data with a laboratory for tests that you have consented to as part of your assessment. These will include blood tests or drugs testing procedures in both urine and saliva.
Where we are using contracted service partners for services such as IT, web conferencing, hosting and system administration, email communications, analytics and research, data enrichment, survey providers and customer support. All these purposes and legal basis for processing are done in accordance with the information provided above.
If you are a client we may share your details internally within the Citation Group in order to improve the service offering and range of services we provide, for the good administration and control of the business, marketing, reporting and account management purposes. Citation group companies are Data Controllers in their own right. A list of Group Companies can be found here
If you are registering for events where we are partnering with another organisation or if a third party is running the event on our behalf, we may be required to share your details for the purpose of registration, security and administration of the event. This will be done in accordance with the legal bases noted above.
In order to process credit and debit card transactions, the bank or card processing agency may require us to verify your personal details for authorisation. We do not store credit card information which is passed through directly to our payment service provider. Our payment processes are PCI DSS compliant.
To any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person.
To a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, or to other interested third parties (and their agents and advisors) in the case of any reorganisation or other potential transfer of any part of our business, provided that we inform the buyer (or relevant third party) it must use your personal information only for the purposes disclosed in this notice.
To enforce or apply our Terms of Service or other agreements or to protect IDC and its customers (including with other companies and organisations for the purposes of fraud protection and credit risk reduction)
To any other person with your consent to the disclosure.
Finally we may share anonymised or aggregated data gathered in the normal course of the administration and good running of our business with third parties or service providers to enable greater analysis, improvements, industry or service related trends to be identified and action taken accordingly.
How long do we keep your data for?
We retain your data for as long as necessary to fulfil the purpose for its collection and processing. In some instances, this may be a short period of time, for instance, as an unsuccessful job applicant we may retain your records for only 6 months once the process has concluded. In other instances, and especially where there is a legal obligation to retain your information for a certain period of time, we will do so in order to comply with the legal requirement as follows:
Occupational Health records for the duration of your employment and a further six years or up to your 75th birthday, whichever is the earliest.
NHS records for the duration of the service for which we are commissioned or on your death once we are informed.
Control of Substances Hazardous to Health Regulations (COSHH) 40 years from the date of last entry,
Medical Records under the Ionising Radiations Regulations 2017, until the age of 75 or at least 50 years.
Employee records retention is set out in our employee privacy notice.
Once your data is no longer required it shall be deleted or if it is technically not possible to delete, we shall ensure sufficient controls are in place to put it beyond future use.
In the event of a change to IDC providing our services, your records may be transferred to another provider. Where this is required you will be fully informed in writing at the time and you will be given the opportunity to object to your record being transferred.
Our data is typically hosted in the UK and other parts of the EEA. However, some of our contracted technical service providers process from the USA, Pakistan and India. Where these transfers and any other transfers that may occur in the future are concerned, we ensure that there is a legal basis for the transfer and a lawful transfer mechanism in place prior to any transfer taking place.
Any such transfers currently done are done using either a transfer to a country with an adequacy ruling or using European Commission Standard Contractual Terms.
It is not envisaged that we will tender for occupational health services out of the UK or EEA.
Under Data Protection legislation, you have rights as an individual which you can exercise in relation to the information we hold about you. These rights include:
The Right of Subject Access – this is the right to have details of the information we hold about you and access to that data including an explanation of that data.
The Right to Rectification – this is the right to have inaccurate or incomplete data rectified.
The Right to Erasure – this is also known as the ‘right to be forgotten’ and means that in certain circumstances you have the right to ask us to delete data we hold on you.
The Right to Restrict Processing – this is where you can request that we restrict/block processing of your personal data (but still retain it)
The Right to Data Portability – in certain circumstances this allows the transfer of personal data from one Data Controller to another in a useable format.
The Right to Object – this right allows you to object to us processing your personal data in certain circumstances.
The Right not to be subject to solely automated processing – this gives you the right not to be subject to a decision based solely on automated processing.
We undertake a technology only based approach to assess fitness to train for our universities and pre-placement health checks for employers under contract. You have the right to request human intervention, obtain an explanation of the decision and in certain circumstances you may be able to challenge the decision.
Any request to exercise the above rights can be submitted to our Data Protection Officer at [email protected]
Security of personal data
We take the security of your information very seriously and take every reasonable and commercially viable precaution to protect personal and commercial data. These are organisational, technical, and physical measures to protect against unlawful or accidental access, disclosure, loss or alteration. Whilst we take a robust stance to security, no method of storage and transmission is 100% secure and, in some instances, this is out of our control.
Complaints and queries
IDC takes our Data Protection obligations very seriously and we endeavour to meet the highest standards when collecting and using personal information. For this reason, we welcome any feedback and take any complaints we receive very seriously. We would also welcome any suggestions for improving our procedures.
If you no longer wish to be contacted by us or withdraw your consent, please contact us at [email protected]
This privacy notice provides an indication of the processing undertaken by IDC and how seriously we take our Data Protection obligations. However, it may not provide an exhaustive detail of all aspects of IDC’s collection and use of personal information. We are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below:
Divisional Data Protection Officer
Or you can email us at [email protected]
If you want to make a complaint about the way we have processed your personal information, you can contact the Information Commissioner’s Office in their capacity as the statutory body which oversees data protection law – www.ico.org.uk
It is worth noting that the ICO expects an individual to address any complaints with the organisation before contacting the regulator.
Changes to this privacy notice