Who are we?
Latus as a Data Controller
LATUS GROUP is committed to protecting your privacy and maintaining the security of any personal information received from you. We strictly adhere to the requirements of the UK General Data Protection Regulations (UK GDPR). For the purposes of this notice LATUS GROUP is the Data Controller unless it has been specifically noted otherwise. In addition, we operate within guidelines and ethical codes relating to confidentiality, as provided by the Faculty of Occupational Medicine, the Nursing and Midwifery Council and other health professions regulators.
This notice relates to the collection and processing of personal data for LATUS GROUP. In many instances LATUS GROUP is a Data Processor acting on the instruction of our clients via contract. In other instances, we are a Data Controller in our own right due to the nature of the specialist services we provide and we are also a joint Data Controller in limited circumstances. We offer effective advice on managing health and work-related health issues, robust health surveillance programs (including key surveillance risk areas, audiology, respiratory and HAVS), biological services (including assessing chemical exposure, blood testing and vaccinations), pre and post placement employment checks, wellbeing services and digital health and wellbeing support.
Processing activities that are covered
This notice applies to the processing of personal data collected by us when you:
- Have an assessment
- Are assessed for ill health retirement or fitness to work
- Are assessed under statutory health surveillance (such as audio, HAVS, skin, spirometry, respiratory, drug & alcohol, musculoskeletal, NFDC etc)
- Are assessed for pre-placement or annual employment health checks
- Are assessed as part of your employer's responsibility in respect of biological monitoring (such as blood testing and vaccination/immunisation)
- Receive specialist services such as counselling, physiotherapy or psychiatric services as a result of an occupational health assessment
- Visit our websites
- Visit our social media pages
- Visit our offices or clinic locations
- Receive communications such as emails and phone calls from us
- Register for and/or attend events where we participate or host
- Are an applicant to join LATUS GROUP as an employee or an associate, including, where appropriate, relevant DBS and qualification/registration/certification checks
- Are a client where we provide our services as a data controller
- Respond to sales and/or marketing communications
- Make a payment to us by any means
Please note this list is not exhaustive but gives an indication of the processing activities we undertake.
The personal data we collect
We collect personal data directly from you as follows:
- Where we are conducting activities on behalf of your employer under contract we may collect:
  - Identification data – such as your full name, gender, date of birth, National Insurance number, NHS number, home address, email address and contact telephone numbers.
  - Employment details – including job title, work address, employment contract, background checks.
  - Sensitive information about your health – such as full medical history, including your physical and mental health, medication and clinical observations of any medicals or health assessments (including on-line assessments) that we carry out.
  - General Practitioner details or details of other professionals (only collected to enable assessments to be made of your medical fitness or any appropriate adaptations to your employment).
  - Biological samples from you to test chemical levels in your system to assess any chemical exposure in the workplace.
  - Biological samples to test for drug and/or alcohol levels.
  - Biological samples from you in respect of immunisation.
- Where you express an interest in our products and services either over the phone, via email, social media, webforms, webinar attendance, when signing up to newsletters and other communications, when downloading certain content from our websites, at events we attend or host, the information we may collect includes: contact information, name, phone number, email address, company name, company address, confirmation of security credentials.
- If we are providing training sessions we may collect your name, address, phone number, email address, company name and company address.
- When you make a purchase we may collect financial information for payment, billing and access to electronic materials and resources (which may be provided by third parties) and this may include bank details, credit card information, invoice name, address and point of contact.
- If you attend an event where we are participating, you may have given your consent to be contacted by us following the event. This information may include name, phone number, email address, company name and job title.
- If you connect with us through a social media channel, we will know your social media handle and any other information including photos you make available through our interactions and your profile.
- If you use our live chat function we may collect your name and email address for the functionality to work.
- If you use our website we will have details about your usage of our sites through cookies, beacons, and similar technologies. This information may include IP address, web browser type and version, the operating system and information about your visit.
- If you complete surveys or enter competitions we may collect contact information such as name, phone number, email address, company name and job title.
- If you complete a registration form on our website when downloading content we may collect details such as name, address, email, company name, position and phone number.
- If you are an applicant for a role at LATUS GROUP we will require all relevant HR information such as name, address, phone number and email address along with information relating to your career history with the positions you held along with any qualifications and certificates, including medical registration information.
- If you visit one of our offices we have CCTV in certain locations which may capture your image for the prevention and detection of crime, security of our colleagues and to ensure compliance with our policies. You may be asked to provide your name, signature, company name when attending our offices. Signs will be prominently displayed to warn you of the operation of CCTV in that area.
- We may collect footage, both video and still, for promotional and educational purposes. If your image is captured in any of these you will have the right to ask that your image is not used in any material.
Please note this list is not exhaustive but gives an indication of the data we collect.
Personal data we collect from other sources
We receive referrals for our services from employers, from GPs and in some circumstances from the NHS.
Our website uses social media icons such as Facebook and Twitter logos and other social sharing widgets. By using these features, you will be connecting to and sharing information from your browsing session with these organisations. If you are logged into your social media account it is also possible that they will connect your activity on our site to your social media account. This is also the case if you access our social media pages on a social media platform. The respective social media company may add your interaction to any information they may already have about you or your interests. In these cases the social media provider is a data controller in their own right and is responsible for what they do with your personal data. Further information can be found in the social media providers’ privacy notices.
Data from your device, usage of our website and applications
Information remembered by Cookies may include IP address, application or system identification number, the browser you are using, the pages you have searched, files you have looked at and actions you have taken. There is also the time and date that these actions were taken or associated with your browsing. We use this information to help us improve our service or your experience, to improve how you and others view the site or locations within our applications, to improve functionality, to improve engagement and performance, to help us identify opportunities to develop our services further, to measure compliance with applicable usage terms and for the overall security of LATUS GROUP products, services and applications. The collection of this type of data may either on its own, or when combined with other data we have, become personal data. It will be used primarily to identify the uniqueness of each user for security and user identification purposes. More information can be found in our Cookies policy.
Our website may contain links to other organisations' websites for your ease and convenience; however, please note we are not responsible for them, how they operate or their security provision. If you have any questions regarding privacy, you should review their privacy notices which will be available on their websites.
Purpose for processing and the legal bases for processing we rely on
We collect and process personal data for the following purposes and with the appropriate legal basis:
- For our health surveillance services we will always obtain your permission to proceed with the consultation, however our Data Protection condition for processing your information is under contract, and your legitimate interest. The information we collect is categorised as special category data and is processed in accordance with our obligations to assess your working capacity.
- Where we assess potential employees for pre-placement health checks, we may initially require an on-line questionnaire to be completed. The outcome is a technology only based decision and where no further information is required a certificate confirming fitness to work is issued. Our condition for processing is under contract with the employer and your legitimate interest. By completing the questionnaire you are providing your consent for the processing.
- Where we undertake biological testing as part of health surveillance screening, we will assess chemical exposures by measuring the level of a chemical or its breakdown products in a biological sample, usually urine. We do so with your full consent but also under contract with your employer.
- Where we undertake biological testing as part of health surveillance screening, we will assess drug and/or alcohol levels in a biological sample, usually urine. We do so with your full consent but also under contract with your employer.
- Where we deliver work-place vaccinations we do so with your full consent but also under contract with your employer.
- Where you visit or use any of our websites or applications, we process personal data with consent if it is required; we are processing based on the legitimate interest to operate and administer the site. Where site security is concerned and the activities through our cookies that enable a secure site, this is administered as a legitimate interest.
- The recording of phone calls by default on all calls is done as a legitimate interest in protecting both your interests and that of ours. Call recording is used for security, monitoring and training purposes.
- If an appointment is undertaken via video call we may record the meeting for our legitimate interests, for the purposes of training and monitoring and complaint handling.
- We may ask you for personal data when dealing with enquiries or complaints; this data is processed as a legitimate interest in being able to effectively follow up on your enquiry. By submitting your personal information you are providing your consent for the processing. We also process data in accordance with contractual obligations, such as client communications.
- Where we manage our clients and suppliers this is in accordance with our performance of our contract. This is also the case when it comes to good administration of matters relating to your contract with LATUS GROUP.
- Managing event registration, administration of an event or providing training is done as a legitimate interest to ensure efficient administration. We also rely on legitimate interests for processing client contact data for service surveys. If you choose to complete a survey you are providing your consent to the data being processed.
- To manage your payments for the services we provide. This also includes the entirety of the payment process in line with the terms and conditions of our service. We may also from time to time have to escalate this process to a third-party debt collection service. The disclosure of such data would be as a legitimate interest and further processed as part of the contractual terms.
- Registering your information as a visitor to our office is as a legitimate interest to protect our building, business and colleagues.
- If you provided a testimonial of our service, you will be doing so of your own free will and therefore with your consent.
- Where you have applied as a candidate for a role at LATUS GROUP we will process your information in part as a legitimate interest, in part with your consent and in part as a legal obligation. We may also use recruitment companies from time to time. Where data is shared with these organisations we will both be Data Controllers and we will process your information in the same way. Further Data Protection information regarding their activities can be gained from the recruitment agency. We may also contact the DBS and also request information relating to any criminal convictions. We process this information as a legal obligation in respect of employment law and legitimate interest to protect our business, colleagues and customers.
- We send sales and marketing communications related to our services, in accordance with our legitimate interests.
- Where there are legal obligations that we must comply with, such as tax or dealing with local or national government, authorities, agencies and professional advisors we process under our legal obligations in accordance with statute.
- Where information is required by law, such as by the Police, Courts or Local Authorities, we will process under the legal obligation or it may be in our legitimate interest to protect our rights and, if necessary, to disclose information for the protection of these rights.
- Running, managing and administering our business are critical to the successful delivery of our service. This includes but is not limited to aspects such as account management (sales, service and financial), IT (support to clients, use of or migration to platforms, running and improving the business and its security), development of our applications, reporting and improvement. The legal bases for these activities will vary but are likely to be for the performance of contract, our legitimate interests or a legal obligation.
Please note this list is not exhaustive but gives an indication of the processing activities undertaken and our Data Protection basis for processing.
Who we share your data with
We only share your information where we are strictly able to and only in accordance with Data Protection legislation. We may share your personal data in the following circumstances:
- Where we have undertaken assessments we will share certain information with your employer or university.
- We may share information with other health professionals, e.g. physiotherapists, counsellors, clinicians in a speciality field who are working under contract with LATUS GROUP.
- We may share information with your General Practitioner or a specialist within the NHS.
- We may input your data onto the Sentinel System for the processing and reporting of health outcomes and restrictions to employers and sponsors.
- We will share your biological data with a laboratory for tests that you have consented to as part of your assessment. These will include blood tests or drugs testing procedures in both urine and saliva.
- Where we are using contracted service partners for services such as IT, web conferencing, hosting and system administration, email communications, analytics and research, data enrichment, survey providers and customer support.
- If you register for events where we are partnering with another organisation or if a third party is running the event on our behalf, we may be required to share your details for the purpose of registration, security and administration of the event. This will be done in accordance with the legal bases noted above.
- If we provide training we may share attendance information with your employer.
- In order to process credit and debit card transactions, the bank or card processing agency may require us to verify your personal details for authorisation. We do not store credit card information which is passed through directly to our payment service provider. Our payment processes are PCI DSS compliant.
- To any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person.
- To process your application for a Basic, Standard or Enhanced DBS Check. It will also be used as evidence to demonstrate that we have fulfilled the terms and conditions of our service to your employer to the requisite standard.
- To a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, or to other interested third parties (and their agents and advisors) in the case of any reorganisation or other potential transfer of any part of our business, provided that we inform the buyer (or relevant third party) it must use your personal information only for the purposes disclosed in this notice.
- To enforce or apply our Terms of Service or other agreements or to protect LATUS GROUP and its customers (including with other companies and organisations for the purposes of fraud protection and credit risk reduction).
- To any other person with your consent to the disclosure.
Finally, we may share anonymised or aggregated data gathered in the normal course of the administration and good running of our business with third parties or service providers to enable greater analysis, improvements, industry or service-related trends to be identified and action taken accordingly.
How long we keep your data for
We retain your data for as long as necessary to fulfil the purpose of collection and processing. In some instances, this may be a short period of time, for instance, as an unsuccessful job applicant we may retain your records for only 6 months once the process has concluded. In other instances, and especially where there is a legal obligation to retain your information for a certain period of time, we will do so in order to comply with the legal requirement as follows:
- Health Surveillance records for the duration of your employment and a further six years or up to your 75th birthday, whichever is the earliest
- NHS records for the duration of the service for which we are commissioned or on your death once we are informed
- Statutory records:
  - Control of Substances Hazardous to Health Regulations (COSHH) 40 years from the date of last entry
  - Medical Records under the Ionising Radiations Regulations 2017, until the age of 75 or at least 50 years
- Employee records retention is set out in our employee privacy notice
- For occupational health, audiology and vaccination it is 8 years
- For health surveillance it is 40 years
- For industrial disease like silicosis (Xray results) it is 40 years
- We retain records for 6 months after data transfer to a new provider, then destroy them
Once your data is no longer required it shall be deleted or if it is technically not possible to delete, we shall ensure sufficient controls are in place to put it beyond future use.
In the event of a change to LATUS GROUP providing our services, your records may be transferred to another provider. Where this is required you will be fully informed in writing at the time and you will be given the opportunity to object to your record being transferred.
Our data is typically hosted in the UK and other parts of the EEA; there are, however, some of our contracted technical service providers that process from the USA, Pakistan and India. Where these transfers and any other transfer that may occur in the future are concerned, we ensure that there is a legal basis for the transfer and a lawful transfer mechanism in place prior to any transfers.
Any such transfers currently done are done using either a transfer to a country with an adequacy ruling, or using European Commission Standard Contractual Terms.
Under Data Protection legislation, you have rights as an individual which you can exercise in relation to the information we hold about you. These rights include:
- The Right of Subject Access – this is the right to have details of the information we hold about you and access to that data including an explanation of that data
- The Right to Rectification – this is the right to have inaccurate or incomplete data rectified
- The Right to Erasure – this is also known as the ‘right to be forgotten’ and means that in certain circumstances you have the right to ask us to delete data we hold on you
- The Right to Restrict Processing – this is where you can request that we restrict/block processing of your personal data (but still retain it)
- The Right to Data Portability – in certain circumstances this allows the transfer of personal data from one Data Controller to another in a useable format
- The Right to Object – this right allows you to object to us processing your personal data in certain circumstances
- The right not to be subject to solely automated processing – this gives you the right not to be subject to a decision based solely on automated processing
We may undertake a technology only based approach to undertake pre-placement health checks on behalf of your employer under contract. This is classified as automated individual decision making but we do not undertake any form of profiling in this respect. You have the right to request human intervention, obtain an explanation of the decision and in certain circumstances you may be able to challenge the decision.
Any request to exercise the above rights can be submitted to our Data Protection Officer at email@example.com
Security of personal data
We take the security of your information very seriously and take every reasonable and commercially viable precaution to protect personal and commercial data. These are organisational, technical, and physical measures to protect against unlawful or accidental access, disclosure, loss or alteration. Whilst we take a robust stance to security no method of storage and transmission is 100% secure and, in some instances, out of our control.
Complaints and queries
LATUS GROUP takes our Data Protection obligations very seriously and we endeavour to meet the highest standards when collecting and using personal information. For this reason, we welcome any feedback and take any complaints we receive very seriously. We would also welcome any suggestions for improving our procedures.
If you no longer wish to be contacted by us or withdraw your consent, please contact us at firstname.lastname@example.org.
This privacy notice provides an indication of the processing undertaken by LATUS GROUP and how seriously we take our Data Protection obligations. However, it may not provide an exhaustive detail of all aspects of LATUS GROUP’s collection and use of personal information. We are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below:
Group Data Protection Officer
Albert Street, Eccles
Or you can email us at email@example.com
If you want to make a complaint about the way we have processed your personal information, you can contact the Information Commissioner’s Office in their capacity as the statutory body which oversees data protection law – www.ico.org.uk
It is worth noting that the ICO expects an individual to address any complaints with the organisation before contacting the regulator.
Changes to this privacy notice
We keep our privacy notice under regular review and would encourage you to do so also, by linking this web page to your review procedure. Our previous privacy policies can be provided on request.