This privacy statement relates to https://www.heales.com and https://www.heales.com/msys/, Heales’ Occupational Health Management System.

Introduction

The right to privacy is an important and intrinsic aspect of every policy, process and activity undertaken by all members of the Heales Innovation Group. We are committed to ensuring the privacy rights of our staff, customers, suppliers and all those who interact with the Organisation, no matter how this is undertaken. This Privacy Statement sets out the key components in the methods we use to protect privacy together with guidelines for letting us know if you feel that your privacy rights have been breached.

Data Protection Act

All individual companies within the Heales Innovation Limited Group, including Heales Innovation Ltd, Heales Business Services Ltd, Heales Enterprises Ltd, Heales Health Services Ltd (Heales Medical), Alpha Health Services Ltd and H M Partnership LLP, are individually registered with the Information Commissioner’s Office (ICO).

Information held by us

This website

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

Visitor comments may be checked through an automated spam detection service.

An anonymised string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service Privacy Policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Cookies

If you leave a comment on our site you may opt in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.

If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.

When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.

If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction with the embedded content if you have an account and are logged in to that website.

Management System

We will hold and process sensitive personal and health information relating to an individual which may be:

  • provided by the individual themselves
  • provided by their employer
  • provided by their GP, Consultant or other medical practitioner (with appropriate consent)

All sensitive data held within the management system is encrypted. All data transferred to/from the management system by a web browser is encrypted. Data is held/processed within the UK/EU.

Use of Collected Information

This website

Any data collected through this website is used only to improve this website and our services.

Management System

We process information held on an individual in accordance with the service we are providing to a client and our contractual commitment.

We retain information in accordance with our Data Retention policy and our legal obligations. We are not obliged to retain data for individuals or organisations who are no longer clients, unless there is a specific contract in place or legal obligation to do so.

We anonymise data for reporting purposes and separately update a central pool of data to enable us to conduct research and development into improving our services. Anonymised data is no longer within the GDPR. Data is anonymised in accordance with the ICO and best industry practice which means that no data can be related to an individual person. Anonymised data is also stored in encrypted format. We do not share anonymised data with any external organisation nor do we sell it. An individual may contact us if they do not wish their data to be anonymised and used for research and development purposes.

Data Breach Procedures

If we become aware of any alleged data breach we will record the alleged breach, acknowledge the alleged breach to the relevant party/parties and record the risk assessment, investigations and actions taken in respect of the breach. Relevant parties will be provided with a report on the investigation and actions taken (if any). The breach will be reported to the ICO if the risk assessment indicates this is necessary.

Sharing information

We do not share personal information with any external parties other than with members of the Heales Innovation Group or direct contractors/agents, for the purposes of lawfully processing your data in accordance with our contractual commitments.

Data Subject Rights

Access to information we hold on an individual

An individual or legal body may request, in writing, to know what information we hold on someone or for access to all or part of the information we hold. We will only provide this information after verifying that the person requesting the information is authorised to do so. Information may be provided via a secure e-mail link based on information from an authorised request or by post or encrypted media. A request for information must be made to the member of the Heales Limited group supplying the service to you/your employer.

Information will normally be provided at no cost as per GDPR; however, we reserve the right to charge a fee to cover administration expenses if we receive multiple requests or if the requests result in manifestly unfair administration workload to provide the data, e.g. transferring data to a CD/DVD/USB stick or printing and posting because the recipient is unable to use the provided link.

Removing and Correcting information

We process information lawfully on behalf of our clients. If a client or a client employee requests us to remove personal information from our database or wishes us to amend or change the information we hold about them on our database, we will consider doing so within our contractual commitments and legal obligations.

Complaints

If you feel your rights have been compromised or your data breached you may make a complaint/allege a breach to Heales, in the first instance, using the contact details below, or you may make a complaint to the Information Commissioner’s Office.

Data Retention

This website

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.

Management System

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

For Occupational Health data processing we will hold data in accordance with the Faculty of Occupational Medicine guidelines before securely deleting it. We will hold health surveillance information in accordance with HSE requirements for the benefit of the individual. Following a contract end, data is held in a restricted read-only access encrypted database until deleted.

Contact us

If you have any questions about this privacy statement, how we run the website or your interactions with our website, please send an e-mail to us at support@heales.com or the Data Protection Officer paul.gibbons@heales.com

Who we are

This website and the management system are owned and controlled by Heales Enterprises Ltd on behalf of the Heales Innovation group of companies.

Heales Innovation Limited registered office 29 Bridge Street, Hitchin, Hertfordshire SG5 2DF

Heales Enterprises Ltd. registered Office 29 Bridge St. Hitchin Hertfordshire SG5 2DF

Heales Business Services Ltd. registered office 29 Bridge Street, Hitchin, Hertfordshire SG5 2DF

Heales Health Services Ltd registered Office 29 Bridge St. Hitchin Hertfordshire SG5 2DF

Alpha Health Services Ltd. registered office Provender House, Waterloo Quay, Aberdeen, Scotland, AB11 5BS

References

Faculty of Occupational Medicine GDPR guidelines

General Data Protection Regulations (GDPR)

Access to Medical Reports Act 1998

Information Commissioner’s Office (ICO)