
Privacy Notice

May 2018

Maitland Medical Service Ltd are engaged to deliver occupational health services and support.
Maitland confirms its commitment to compliance with the Data Protection Act 1998 (DPA) (to be replaced by the General Data Protection Regulation on the 25th May 2018), the Computer Misuse Act, the Human Rights Act 1998 (HRA), relevant health service legislation, the common law duty of confidentiality and the common law of confidence. Maitland is committed to the lawful, fair and transparent processing of data in relation to individuals (Article 5 GDPR).

The legal basis on which Maitland Medical processes information in respect of occupational health is: the legitimate interests of an employer, requiring advice on fitness for work, ensuring the efficient and safe running of the business, compliance with health and safety legislation, employment law (i.e. the Equality Act) and all legal duties with respect to tax and social security legislation (i.e. pay sick pay etc.). Article 6 (1)(f).

Maitland confirms that information collected and processed will be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed and, with consent, reports containing guidance on health at work will be provided to the employer. Information collected and processed will be only for specified, explicit and legitimate purposes. Any personal data held will be kept up to date and every reasonable step taken to ensure that inaccurate personal data processed is erased or rectified without delay.

Maitland are committed to the implementation and maintenance of technical and organizational measures to ensure the integration of data protection into all processing activities, promoting privacy and data protection compliance. This Privacy Notice outlines how Maitland collects, uses, retains and discloses personal information.

The information that Maitland collects and holds constitutes personal data. Due to the nature of the work undertaken, Maitland will act as joint ‘Data Controller’ for the purposes of the provision of occupational health services. Maitland recognises the importance of protecting personal and confidential information in all that we do, all we direct or commission, and takes care at all times to meet its legal duties.


In this Privacy Notice, “Data Protection Legislation” means the Data Protection Act 1998 (as amended, superseded or replaced) and all applicable laws and regulations relating to processing of personal data and privacy, including the Data Protection Act 1998 and the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

Data protection

Due to the nature of the services provided by occupational health, Maitland Medical will continue to act as data controller (where Data Controller and Data Processor have the meanings as defined in the Data Protection Legislation). This Privacy Notice sets out the scope, nature and purpose of processing, the duration of the processing and the types of Personal Data and categories of Data Subject (where Personal Data and Data Subject have the meanings as defined in the Data Protection Legislation).

The Client and Maitland Medical confirm that they will ensure that all necessary appropriate consents and notices are in place to enable lawful transfer of the personal data for the duration and purposes of this agreement.

Maitland will:

  • Manage Personal Data only on the written instructions of the Client
  • Ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures. Those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it.
  • Comply with any reasonable request made by the Client to ensure compliance with the measures in relation to security of data.
  • Ensure that all personnel who have access to and/or process Personal Data have appropriate training and are obliged to keep the Personal Data confidential.
  • Not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Client has been obtained.
  • Assist the Client in responding to any request from a Data Subject in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.
  • Notify the Client without undue delay on becoming aware of a Personal Data breach, with such notice describing the nature of the breach, the circumstances, the data subjects concerned, the information concerned, and the measures to be taken, or proposed to be taken by Maitland to address the breach.
  • Notify the Client prior to undertaking any controlling or processing of information which is likely to result in a high risk to the rights and freedoms of persons. Where so required by the Client, the Supplier will assist the Client in carrying out a data protection impact assessment and in consulting with the Information Commissioner (ICO) in respect of the same.
  • At the written direction of the Client, delete or return Personal Data and thereof on termination of the Original Agreement unless required by Applicable Law to store the Personal Data; and maintain complete and accurate records and information to demonstrate its compliance with this agreement.


The client is required to consent to Maitland appointing third-party processors of Personal Data. Maitland confirms that it has entered or (as the case may be) will enter with the third-party processor into a written agreement incorporating terms which are substantially similar to those between the Client and Maitland. Maitland confirm they shall remain fully liable for all acts or omissions of any third-party processor appointed by it pursuant to this agreement.

Processing, Personal Data and Data Subjects

The controlling and processing of personal data held by Maitland in the course of providing occupational health support and advice. Maitland is a ‘data controller’ under the DPA. Maitland have registered with the Information Commissioner (ICO) confirming that we control and process personal data. Details are publicly available from the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow SK9 5AF.

Purposes of Processing

The basis on which Maitland processes information handled is: Article 9 (Special category data) (2)(h). Processing is necessary for the purposes of preventive or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.

Maitland’s legal justification for processing is: Article 6 (1)(f). Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Justification is based on the legitimate interests of the employer, requiring advice on fitness for work and the efficient and safe running of the business, to comply with health and safety legislation, employment law (i.e. the Equality Act) and legal duties with respect to tax and social security legislation (i.e. pay sick pay). Occupational Health assist and advise on this.

Duration of Processing

Maitland will retain information only for as long as necessary. Records are maintained in line with the Faculty of Occupational Medicine's retention schedule, which determines the length of time records should be kept. This is throughout the duration of employment (if not transferred, destroyed within 7 years of leaving the company) and 40 years for health surveillance records (Information Governance Alliance / Dept. of Health 2016 / Reg 11 COSHH Regs 2002 and ACOP 2013).

Nature of Processing

Information will be managed electronically and occasionally in paper form.

Types of personal data

Information is processed to enable Clients to act lawfully in the management of health issues within the workplace.
Information is also gathered in order to support and monitor services provided and optimise the delivery of high quality healthcare. This type of information will usually be utilised in an anonymised form, so that any individual employee cannot be identified.

Maitland on account of the nature of their work deal with ‘special category’ data. This can include:

  • personal details such as names, addresses, emails, telephone numbers
  • date of birth to ensure correct identification
  • employment details
  • services, for example details of the services accessed or offered by providers
  • details contained within an employee’s health record
  • physical or mental health details and any known disabilities
  • an overview of absence data
  • responses to surveys
  • education, training (of our physicians/clinicians/Specialists)
  • offences (including alleged offences), criminal proceedings and sentences
  • complaints, accidents, and incident details

Article 9 (2) (b) confirms that processing is necessary for the purposes of carrying out employer’s obligations and exercising specific rights of the controller or data subject in the field of employment, social security and social protection law.

The information Maitland will hold may include:

  • information provided from the Client employer
  • information gathered from an employee’s GP or Specialist or treatment provider
  • information gathered from information provided by the employee regarding their medical history

How Maitland will Use Information

Maitland will only collect and use information for the lawful purposes of administering:

  • Occupational Health Consultancy and Advisory services
  • Education
  • Health administration and services
  • To make contact to make appointments / arrange assessments
  • To ensure appropriate communication and exchange of information
  • Advice on the protection and promotion of health, safety and wellbeing
  • To advise Clients (employers) regarding health issues in the context of employee working hours and activities
  • To review all assessments and advice and care given to ensure it is of the highest possible standard
  • To continually improve the efficiency and standards of occupational health services and support
  • Anonymised information, i.e. information held that does not contain identifiable data, will be used to look at trends in health and wellbeing and any work-related health issues

Sharing information

The information will only be shared with other organisations where there is a statutory obligation to do so. This can be due to:

  • Our obligations to comply with current legislation
  • Our duty to comply with a Court Order
  • We hold written consent to disclosure

Security of information

Maitland are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper. We ensure that the storage, handling and movement of health records does not in any circumstances compromise the confidentiality of patient/client information.

All clients have the right to expect that personal information given to occupational health in confidence will not be disclosed without their explicit consent except in the most exceptional of circumstances. All staff handling occupational health information receive training at appointment and throughout engagement regarding patient confidentiality, security and non-disclosure. They are also provided with written guidance advising them of their information governance responsibilities and follow best practice guidelines ensuring the necessary safeguards and appropriate use of person-identifiable and confidential information.

Under the Confidentiality Code of Conduct, all staff are also required to protect information, and inform as to how information will be used. This includes, in most circumstances, allowing personal decisions in respect of how information can be shared. All of Maitland’s employees both clinical and support teams are subject to the common law duty of confidentiality. Information provided in confidence will only be used for the purposes advised and consented to by the service user, unless it is required or permitted by the law.

All sensitive information exchanged electronically will be encrypted and/or password protected. Our occupational health web-based system is ISO 27001 compliant. Maitland security systems include Enterprise Mobility suite + Security, which include Multi Factor Authentication, encryption of mobile devices, locked USB ports, Mobile Application Management, Advanced Threat Protection, firewall and anti-virus protection. We have our systems scanned for vulnerabilities and periodic penetration tests undertaken. Maitland also hold Cyber Essentials.

How to contact us

Please contact us if you have any questions regarding this Privacy Notice: Julie Michalski, Managing Director or Sarah Paradine, Practice Manager, Maitland Medical Service, Milestones, Royal Parade, Chislehurst, Kent BR7 6NW.

Complaints about how we process personal information

Employees can ask for inaccuracies to be corrected or for additional information to be added. Data can be erased if the data is no longer necessary, consent is withdrawn (where the processing is based on consent and there is no other legal ground for processing), or the data has been unlawfully processed. In the first instance, contact: Reeva Steadman, Lead Account Manager, Maitland Medical Service, Milestones, Royal Parade, Chislehurst, Kent BR7 6NW. If required, a complaint can be made to the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow SK9 5AF.


Cookie Policy

When someone visits we collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. We collect this information in a way which does not identify anyone. We do not make any attempt to find out the identities of those visiting our website. We will not associate any data gathered from this site with any personally identifying information from any source. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

If you have previously browsed to our website and no longer wish to accept cookies, please be aware that some cookies may have already been set. You may delete these cookies at any time via your browser by following these instructions:

You can control cookies via your browser settings by following the instructions at however if you choose to block cookies then your browsing experience may be affected.

Use of cookies by Maitland Medical

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

The text below explains the cookies we use and why.

Cookie: Allow Cookies
Name: civicAllowCookies
Purpose: These cookies are set in order to remember preferences in regards to cookies. 

Cookie: Google Analytics
Name: __utma/__utmb/__utmc/__utmz
Purpose: We use Google Analytics to monitor traffic levels, search queries and visits to this website.
Google Analytics stores IP address anonymously on its servers, and neither Maitland Medical, CIVIC nor Google associate your IP address with any personally identifiable information.
These cookies enable Google to determine whether you are a return visitor to the site, and to track the pages that you visit during your session.


Name: ywadp10001467053656/ ywadp1000255860556/ fpc10001467053656/ fpc1000255860556
Purpose: Yahoo! WebPlayer plays audio and video on Web pages for users across the Internet. By adding Yahoo! WebPlayer to their sites, publishers can offer relevant audio, video, and other rich context to supplement their site. You do not need to be a registered Yahoo! user to add Yahoo! WebPlayer to your site or to use the product.

Information Collection and Use Practices

  • When Yahoo! WebPlayer is used on a Website, Yahoo! may track, collect and store anonymous information about usage of the player. This information may be transmitted back to Yahoo! for diagnostic purposes and to help Yahoo! improve its products and services.
  • The anonymous, non-personally identifiable information may include a unique identifier that allows us to distinguish between different browsers.
  • Information collected during the use of Yahoo! WebPlayer is not associated with personally identifiable information about you or your Yahoo ID even if you are signed into the Yahoo! Network.
  • Websites do not receive personally identifiable information from Yahoo! WebPlayer; however, Yahoo! may share aggregate response data pursuant to the Yahoo! Privacy Policy. This data is anonymous and not identifiable.

Purpose: The PHPSESSID cookie is native to PHP and allows our website to keep track of data in relation to our secure login areas. It allows the website to maintain a user session and to send state data via a session cookie. The PHPSESSID cookie disappears once the website and session are closed.