Privacy Policy

GOHS (Global OHS) is committed to protecting the privacy and security of your personal information.

This privacy notice describes how we collect and use personal information about you during and after your working relationship with us, in accordance with the General Data Protection Regulation (GDPR).

How do we manage and use your Personal Data?

GOHS (Global OHS Ltd) are an Occupational Health provider and we are responsible for safeguarding the privacy of your information.  We comply fully with the General Data Protection Regulations (GDPR) for information within our control.  This Privacy Statement provides information about the type of data we collect and how it is managed.  Having read this document, if you have any further questions, you can speak with a member of the GOHS Ltd clinical staff or contact our Data Protection Officer.  


GOHS (Global OHS) is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice. 

This notice does not form part of any contract to provide services. We may update this notice at any time. 

It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information. 


Data Controller: GOHS (Global OH Solutions Ltd), Suite B, NBK House, 64a Victoria Road, Burgess Hill, RH15 9LH 

Email:, Tel: 01273 359135  

Data Protection Officer: Steve Birchall; Managing Director;, 01273 359135 

What data do we process?

For us to provide Occupational Health services to patients, personal and often sensitive medical information needs to be obtained.

Information we receive from your employer:

To begin the process of offering an appointment for patients, the employer will need to provide details about you and the basis of the referral. This will usually include your name, date of birth, address, telephone number, job details and a description of the problem and any issues they would like advice on. This can include sensitive information that the employer is in possession of such as reasons for sickness absence or medical treatments being taken. We recommend that the employer discuss your referral and the information to be provided with you before it is sent to us. 

Information obtained during your consultation:

All our consultations are with an OHA or OHP, who all have well-established professional obligations to maintain confidentiality.  Without this, we would not be able to provide effective care to our patients.  Your consent to us collecting personal, sensitive information and to proceed with a consultation is necessary before we can perform a consultation with you. It would not be possible for us to provide an Occupational Health assessment without keeping a clinical record as this is a professional requirement for registered practitioners. Consent for us to process personal sensitive medical information is not consent for us to write to anyone else, including your employer – see section below.  During an OH consultation, the clinician will ask about health issues and your work and you will see them writing a clinical record. This is a confidential file and is not accessible by your employer.  You can of course see any information we keep about you at any time upon request.

Information we may send to your employer:

Your consent is required before we would send personal information to your employer, such as an outcome report from your consultation.  The clinician will discuss with you the information they would like to send to the employer. You can have a copy of this information. Usually this information is in the form of a report written during your consultation. Sometimes the report cannot be done at that time in which case it will be sent to you for review first.  Sometimes employers may need guidance or clarification on the report.  The clinician will consider if there is a need to notify you before sending such additional information. If the supplementary advice given does not contain more sensitive personal information than the original report and does not alter the opinion of the original report, then additional consent is not usually requested. However, if there is a material change to the report and the associated information and advice, you will be contacted, or a further consultation will be requested.  The receiving employer is expected to maintain appropriate data security for the Occupational Health reports and advice we provide to them and this is covered by our Data Sharing Agreement.

Data security

We have put in place measures to protect the security of your information. Details of these measures are available upon request.

Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.   We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. 

Data sharing agreement:

Your confidential Occupational Health record is not accessible by your employer and is never shared.  It is a requirement for employers making referrals to GOHS Ltd to agree to our Data Sharing Agreement. This outlines the responsibilities of the referring employer and Integral OH for managing your personal information. It covers data security and confidentiality responsibilities. It also ensures you are aware of what information is being sent to us by your employer and that suitable controls are in place once the employer receives your OH report.

Legal basis for processing information:

We process personal sensitive information in accordance with the General Data Protection Regulations (GDPR) on the lawful basis of Consent and for the purpose of Occupational Medicine.

Categories of personal data:

We process personal information such as name, address and date of birth. We also collect occupational information and medical information including symptoms, history and treatments you may be undergoing. This medical information is regarded as Special Category Data.

Recipients of personal data:

Your information which we receive from an employer is only accessed by our own administration team and staff doctors and nurses. All staff have contractual confidentiality agreements and our processes are designed to maintain confidentiality. Our OH output reports are sent securely to the named recipient, usually a Human Resources officer or Manager. You will know who the report is going to at the point that we request consent for dispatch.

Third country processing:

Your data is not transferred to other countries.

Retention periods for your data:

Most OH records that involve OH consultation will be kept for 10 years from the date of the last entry. This is a generally accepted timescale.

Health Surveillance records (such as hearing and breathing tests) should be kept for 40 years. This is because sometimes industrial diseases can develop later in life so such records should be retained. This is a recommendation from the Health & Safety Executive. Most of the records we hold are not Health Surveillance records.

Pre-employment health questionnaires will be retained for 3 years.

Rights of Individuals:

The GDPR has strengthened the rights of individuals regarding data about them. These rights are outlined below:

Right to be informed:

This Privacy Notice is one of the ways we make sure you are informed about the sensitive personal information we collect.

Right of access:

You have the right of access to personal data we hold about you. If you would like access, please contact the Data Controller (details above). We will ascertain your identity and then forward you the requested data as soon as possible. We do not normally make any charges for providing this information.

Right to rectification:

If you feel that information we hold is inaccurate or incomplete, please contact the Data Controller (details above). We will review the area you would like rectified and if this is appropriate, we will make the change. If we do not agree to the change, you have the right to complain to the Information Commissioner.

Right to erasure:

If you would like us to consider erasing the personal information that we hold about you, please contact the Data Controller. Your request will be passed to the Data Protection Officer who will want to discuss this with you. Sometimes Occupational Health records form important medicolegal documents for the exercise or defence of legal claims, such as with Health Surveillance records where such assessment is a statutory requirement. In such cases, we may not be able to agree to the erasure of your personal information.

Right to restrict processing:

Once your personal information has been obtained, you have the right to restrict further processing. This means there will be no more activity involving your data other than it being still held by us. This might arise if you did not wish to have any further OH involvement as we require consent to provide OH advice.

Portability of information upon change of OH Provider:

If there is to be a change of Occupational Health provider by your employer, the existing OH provider would seek evidence of consent for the transfer of your OH records to the new provider. We would also need to be satisfied that the new OH provider had reasonable arrangements in place for the safe storage of that data before we would transfer it. If you did not want your information to be transferred to another OH provider, you should state this if a notification of change of provider occurs within your organisation.

What if you are not happy with how we are processing your information?

If you are not happy with any aspect of our information management, please consider contacting the Information Protection Officer for our Organisation and we will manage this as a complaint. You also have the right to complain to the Information Commissioner’s Office (ICO).

Contractual requirements.

It is not possible for doctors and nurses to provide Occupational Health services without personal sensitive information being processed by us. It is a contractual requirement between GOHS Ltd and any referring party, such as your employer, that without the consent of individuals, we cannot provide OH advice for individual cases. Clinicians need to be satisfied that the individual consents to our process of OH assessment and advice, including the processing of sensitive personal information, and without such consent, we cannot provide the clinical service. The consequence of not providing consent for the processing of personal sensitive data is that the individual and the employer will not have access to our Occupational Health advice. This in turn may mean health risks are not minimised and harm could arise to both parties.

If you have any further questions, we would be pleased to help. Contact us on 01273 359135 or speak to your OH Professional. You can also ask to speak to the Data Protection Officer.

Your rights in connection with personal information

Under certain circumstances, by law you have the right to:
  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact GOHS in writing.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Right to withdraw consent

Where you have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact us. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Questions and complaints

If you have any questions about this privacy notice or how we handle your personal information, please contact GOHS. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.

Changes to this privacy notice

We reserve the right to update this privacy notice at any time.