Occupational Health Service

Confidentiality and medical records

How we process, manage and protect medical information


The Occupational Health Service (OHS) is committed to maintaining the privacy, dignity and confidentiality of service users at all times. OHS adhere to the principles of data protection legislation, the General Medical Council and Nursing & Midwifery Codes of Confidentiality.

All OHS staff work to a strict code of ethics concerning the confidentiality of consultations, telephone contacts and medical records. All staff, both clinical and non-clinical, cannot and will not disclose medical information of employees in their charge to any third party, including the person's general practitioner (GP), without the person's informed consent.

OHS will provide advice to the University and its departments without breaching medical confidentiality. This advice should be treated by the recipients as sensitive personal data in respect of the UK General Data Protection Regulation (UK GDPR) and related UK data protection legislation.

Liaison with others

Personal information conveyed to OHS will not be disclosed to anyone without your explicit and informed consent (other than in exceptional circumstances as outlined below). By law OHS need to give an outcome for any health surveillance assessment to the relevant manager; this will usually be limited to a recommendation relating to fitness to continue with the usual work. If there is evidence of a medical condition arising from work activities, OHS will discuss this with you and seek your consent to provide information and advice to your manager about the next steps to protect your health at work.

Limitations to confidentiality

OHS can only release information without your consent in very rare, exceptional circumstances - these are:

  • instruction to disclose by a Court Order
  • if disclosure is necessary to prevent the exposure of you or others to a risk of death or serious harm; in these cases we will continue to work with you and keep you informed - only the minimum information would be disclosed

How OHS manage the information you share with us

OHS keep electronic records of the information you provide to us; these are only accessible to OHS staff. All personal and sensitive data that we hold is processed according to the requirements of the Data Protection Act and UK GDPR legislation 2018.

The Occupational Health Service collects anonymised statistical information for audit, evaluation and freedom of information purposes only.

UK General Data Protection Regulation (UK GDPR)

Medical data the Occupational Health Service collects, stores and shares (with the individual's consent) is classed as special category data under UK GDPR and is subject to specific processing conditions. OHS uses your personal information to allow us to advise and support you in accordance with your requirements and the consent provided.

Accessing medical records held by Occupational Health

Individuals have the right to ask for and obtain confirmation as to whether or not the OHS holds any personal data which concerns them.

If personal data is held by OHS, individuals then have the additional rights to access that data and be provided with a copy of that data. To do this please contact occupational.health@ed.ac.uk.

Correcting incorrect data held by Occupational Health

OHS is obligated to ensure, as much as is reasonable, that the data it holds on individuals is accurate and up to date; this also relies on information held by HR being up to date. If an individual’s personal details or medical conditions change, OHS asks that the individual informs them of any changes as soon as possible.

Individuals also have the right to ask OHS to correct their data if they believe it to be incorrect, incomplete or inaccurate. This can be done by emailing occupational.health@ed.ac.uk detailing any changes that you believe need to be made. Depending on the nature of the changes, OHS may have to contact you to discuss this further.

Right to erasure

Individuals have the right to request that the data held on them by OHS is deleted - this is sometimes referred to as the ‘right to be forgotten’.

It is important to note that this is not an absolute right, meaning that other rights and legal duties must be safeguarded, e.g. fulfilling an employer’s legal obligation to protect the health and safety of its employees as set out in the Health & Safety at Work Act 1974 and where the individual has been subjected to Health Surveillance assessments under specific Health and Safety Executive legislation. The Information Commissioner’s Office website provides more details on when this right can be applied.

Medical record retention schedules

Your Occupational Health records will be stored by OHS for as long as you are a ‘worker’ with the University of Edinburgh plus 6 years or until your 75th birthday, whichever is the sooner. Further information regarding these schedules can be found in the NHS Information Governance Alliance (IGA) guidance. However, where there are Health Surveillance assessments under 'Control of Substances Hazardous to Health' (COSHH) or any other Health and Safety Executive (HSE) legislation for health surveillance - such as noise or hand-arm vibration syndrome - the medical records specific to the relevant legislation will be kept for a minimum of 40 years and in line with the retention schedules set out within the HSE regulations. Occupational Health notes and any results that accompany these tests should be kept for the same period.