Skip to main content

Occupational Health Unit Privacy Notice

Privacy notice relating to the processing of personal data by Rhondda Cynon Taf County Borough Council for the purpose of Occupational Health & Wellebing Unit purposes


This privacy notice is intended to provide information about how Rhondda Cynon Taf County Borough Council (referred to as ‘RCTCBC’, ‘Council’, ‘Local Authority’, ‘we’) will use (or ‘process’) personal data about individuals for the purpose of supporting employees and workers in the workplace.

This notice should be read in conjunction with;

  • The Council’s corporate privacy notice

The Data Controller

The Council is the data controller for the personal data processed for the purposes of occupational health and wellbeing.

The Council is registered with the Information Commissioner’s Office (ICO) as a controller under reference Z4870100.

Queries relating to this privacy notice

If you have any questions or queries relating to this privacy notice please contact the Occupational Health

By email :

By telephone : 01443 494003

In writing : Occupational Health & Wellbeing Unit, Municipal Building, Gelliwasted Road, Pontypridd, CF37 2DP

Who we are what we do

The Occupational Health & Wellbeing Unit focuses on the wellbeing of staff including their physical and mental wellbeing of Rhondda Cynon Taf Council employees and workers in the workplace. We support employees and workers that are absent due to illness and help facilitate a return to work along with supporting those in work that need supportive interventions.

As part of our assessments, in order to support employees in their return to work or to stay in work, we may offer a referral to an external specialist such as consultants, support organisations and diagnostic assessments. This is done as a clinical business case and is to aid diagnosis and support employees.

Each year if approval is gained from Senior Leadership Team (SLT) we offer an influenza vaccination programme for:

  • RCT Council staff and our private commissioned partners staff in Health and Social Care
  • RCT staff that would like the flu vaccination

We also carry out Health Surveillance checks required by law for some employees and workers who are exposed to noise, vibration, fumes, and other substances hazardous to health.

To support the wellbeing of our staff we provide several wellbeing support initiatives such as Wellbeing with Cari and an Employee Assistance Programme (EAP). Both services are Fully confidential and accessed by employees or workers. These services are accessed by the following:

  • EAP staff can telephone or access services via their website
  • Wellbeing with Cari-Staff create an account with an email address or mobile number and individual password

The Occupational Health & Wellbeing Unit is committed to being open and honest with you about the way we use your personal information and who we share your information with. In addition to the information that is contained within this privacy notice we will also communicate such information to you verbally when we meet with you.

It is important to note that there may be exceptional circumstances (such as safeguarding concners) where the law permits us not to inform you about our use of your personal information. Typically this included information that is being used to prevent, detect and/or investigate a crime of fraud. More information about this can be found here

Whose personal data we process

The Occupational Health & Wellbeing Unit hold personal and medical information for;

  • Employees
  • Workers who are referred to the unit

The categories of personal data we process

We may process the following categories of personal data;

  • Personal Information and Contact Details
  • Date of Birth, National Insurance Number, Gender and  Age
  • Employment Information (past and present)
  • Medical / Health Information

Why we process the personal data

We process the personal data to carry out the following activities;

  • Support and manage an employee or worker through any physical or mental health issues while they are either at work or off ill.
  • Conduct Health Surveillance
  • Comply with relevant legislation, for example health and safety law

Our lawful basis for processing the personal data

Under the General Data Protection Regulation (GDPR), our lawful basis for processing the personal data to support employees/workers is;

  • Legal Obligation (c) – processing is necessary for compliance with a legal obligation to which the controller is subject. 
  • Public Task - Article 6 (e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Employment, Social Security and Social Protection (if authorised by law) - Article 9(2)(b) – DPA 18, Part 1 Conditions realting to the employment, health and research. Employment, social security and social protection - the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security

The primary legislation, regulations and guidance that supports this includes, but is not limited to;

  • Medical Records Act 1988
  • Clinical bodies guidance, such as GMC (General Medical Council), NMC (Nuring & Midwifery Council ), CSP (Chartered Society of Physiotherapy), HCPC (Health & Care professions Council), BACP (British Association for Counselling & Psychotherapy)

There are some circumstances where we may be required to discuss your case with your manager or to contact your GP, this requires your explicit consent to do so.  This is not GDPR consent (as we have already established a lawful basis to process your data as your employer) but these circumstances are seeking your authorisation for us to process your data under medical/health legislation

Who or where we get the personal data from

We may receive the personal data from the following categories of individuals or organisations;

Information is supplied to the Occupational Health & Wellbeing Unit from:

  • The employee/worker
  • Manager
  • Human Resources
    • Occupational Clinician’s, for example Nurse, Doctor, Physiotherapist, Counsellor, Technician
    • GP, Consultant (or other medical professionals)
    • Trade Union
    • Pension Department.

This information is collected through:

  • Management / HR Referrals for assessment and support
  • Fit for Work Assessments
  • Sickness absence referrals
  • Wellbeing interventions
  • Medical Reports (OHU Clinicians, GP’s, Consultants etc)
    • Self-Referrals (Counselling and physiotherapy requests only)employees may contact Occupational Health directly or through the wellbeing helpline contact details
    • Pension documentation

Who we share personal data with

There are some circumstances where we may be required to discuss your case with your manager or to contact your GP, this requires your explicit consent to do so.  This is not GDPR consent (as we have already established a lawful basis to process your data as your employer) but these circumstances are seeking your authorisation for us to process your data under medical/health legislation

We may share the personal data with the following GP, Consultant, NHS to facilitate a referral or gain more information to enable Occupational Health to manage your case. Again we would discuss this with you and only share if we have your consent

When sharing the personal data, we only share the minimum amount necessary in relation to the purpose.



If the purpose is explained and consent is gained Internal Council departments such as;

HR / Pension Dept / Health & Safety Team / Managers

in order that HR, Pensions, Managers etc can manage your case and provide the recommended adjustments and support interventions.

GP / Consultants / Specialists (for example MRI/Podiarty)

for diagnosis of a condition and/or in order to better support the employee and manager e.g. Podiatry Wales, Workforce Wellbeing, Performance Physiotherapy, Baseline Physiotherapy, Independent Physiotherapy Services

Independent Registered Medical Practitioners (IRMP)

Pension Doctors

Police / Solicitors / Legal Reprenstative

for example, for court proceedings such as insurance and prosecution claims on behalf of the employee or organisation.

Health & Safety Executive

for example to comply with Reportable Injuries Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR)

Trade Union

 If consent is gained then information may be passed to Trade Union to enable them to provide advice and support to the employee. or Trade Unions may attend certain appointments with employees if the employee consents for example at case conferences.

Trusted Partner Organisatons

for employees to access additional support / treatment e.g. external counselling services such as MIND, Cardiff Therapy Ltd and private counsellors, also National Exercise Referral Scheme (NERS), Joint Care Programme, Spire, Cobalt, Immunisations (e.g. Hep B etc)


Data Processors

A data processor is a company or organisation that processes personal data on our behalf. Our data processors act only upon our instruction. They cannot do anything with the personal data unless we instruct them to do so. They will not share the personal data with any organisation apart from us or use it for their own purposes. They will hold it securely and retain it for the period we instruct.

The categories of data processors we use are;

-       IT system suppliers etc

How long we retain the personal data

We retain the personal data contained within employee records for:

Length of time


There is a legal requirement for medical information to be kept from anything from 8 to 75 years dependant of what type of medical information is held.


The latest advice (information Governance Alliance/Dept of Health 2016) is that Occupational Health records should be kept until their 75th Birthday or 6 years after the employee leaves whichever is the sooner.

Although for Health Surveillance information under Reg 11 COSHH Regs 2002 and ACOP 2013 states ‘The employer shall ensure a health record... is made and maintained and that the record or copy thereof is kept available and in a suitable form for at least 40 years from the date of last entry’ for retention as required by the Health & Safety Executive (HSE).

Clinical Psychology and counselling records – must be held for 20 years in accordance with interpretation of Mental Health Act 1983 or for 8 years after the death of the employee.

In keeping with the General Data Protection Regulation storage limitation principle, records are periodically reviewed. Not all personal data is retained. Only personal data that is relevant to the record is retained for the entire retention period. Information that has no long term or evidential value is routinely destroyed in the normal course of business.  

Your data protection rights

The General Data Protection Regulation (GDPR) gives individuals important rights, including the right of access to the personal data that the Council holds about you.

Click here  for further information on your information rights and how to exercise them. 

Your right to make a data protection complaint to the Council

You have the right to complain to the Council if you believe we have not handled your personal data responsibly and in line with good practice.

You can do this by contacting the Occupational Health Unit directly via one of the following communication methods. Most concerns can be resolved relatively quickly through a simple phone call or email;

  • Email :
  • Telephone : 01443 494003
  • In writing : Occupational Health Unit, Municipal Buildings, Gelliwasted Road, Pontypridd Cf37 2DP

Alternatively, you can raise a formal complaint via the Council’s Customer Feedback Scheme using the following link (Make a comment, compliment or complaint online) or you can contact the Council’s Data Protection Officer at

Your right to make a data protection complaint to the ICO

You also have the right to complain to the ICO if you are unhappy with how we have used your data. However, we encourage you to contact us first and provide us with an opportunity to look into your concern and put things right.

The ICO can be contacted:           

  • Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
  • Helpline number: 0303 123 1113
  • Website: