Occupational Health and Wellbeing

TfL employees should read this page alongside the Employment privacy page.

Our services

The OH&W service consists of:

  • Mental health services
  • Physiotherapy services
  • Medical advisory services
  • Drugs and alcohol assessment and treatment services

It helps people with health issues get into work, stay in work, and return to work quickly and safely after illness and injury.

About your personal data

OH&W will collect your personal data in order to be able to provide information to the above services. All personal data held by OH&W will be processed in accordance with the relevant law, most particularly the UK's implementation of the General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This sets out the requirements that OH&W must abide by when processing your personal data.

Legal basis for processing your personal data

Under privacy and data protection legislation, OH&W (like the rest of TfL) is only allowed to use personal data if there is a proper reason or 'legal basis' to do so. You can read more about this on our Employment privacy page.

Most of the information collected by OH&W is classed as Special Category Data as it is more sensitive than other forms of personal data. Article 9(2)(h) of the UK.

GDPR permits OH&W to process special category data if: "Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3."

A further legal basis is set out in the Data Protection Act (DPA) 2018, in Schedule 1 condition 2 which covers the following purposes:

  • Preventive or occupational medicine
  • The assessment of an employee's working capacity
  • Medical diagnosis
  • The provision of health care or treatment
  • The provision of social care (this is likely to include social work, personal care and social support services)
  • The management of health care systems or services or social care systems or services

Personal data collected by OH&W

Examples of the type of data collected:

  • Personal information, for example name, address, date of birth, National Insurance number
  • Personal characteristics, for example ethnicity, gender etc
  • Contact details, for example telephone and email
  • GP and/or specialist contact details
  • Past and present occupational job roles and occupational exposure
  • Health information that would be classed as 'special category data'

How we collect your personal data

  • From yourself, for example when you fill out health questionnaires
  • From OH&W medical/health assessments, screening and tests
  • OH&W referral forms
  • When you give your permission for OH&W to seek advice from your doctor, treating clinician or another health care provider

In some cases, we need to get more information so we can provide support and advice about whether your condition affects your fitness to work. This might include a medical report from your doctor or other health care provider. OH&W will always seek your informed consent before they request further information from another health practitioner.

How OH&W uses your personal data

  • For the purposes of preventive or occupational medicine
  • To assess employees' working capacity by, for example, providing advice and assistance to managers and HR regarding their fitness to work, medical diagnosis, and healthcare or treatment
  • To comply with legal obligations relating to employment or social protection law, particularly regarding health and safety in safety critical environments, such as The Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013(RIDDOR)

OH&W may also use aggregated or depersonalised data in order to plan the service and monitor health trends in the workplace.

Sharing your health information

OH&W will not share your personal data without your consent unless there is a legal or overriding public interest requirement that allows OH&W to do so. For example:

  • In an emergency where the health or personal security of an employee or the public is at risk
  • Where TfL is required to do so by law (for example in response to a court order)

OH&W will obtain your consent and give you an opportunity to review medical/health reports before they are disclosed, for example a report to your manager on fitness to work.

Third party service providers

OH&W uses external service providers for some specialist functions such as sample testing, medical assessments, counselling and treatment. Where a service provider is working with you directly, they will provide you with details about confidentiality and how your personal data is processed.

How we keep your health data secure

Your personal data will be held securely and only accessed and processed by authorised OH&W personnel. Access to systems that hold OH&W personal data is restricted to authorised personnel though a combination of physical and electronic security measures. Electronic access is restricted to authorised personnel using, unique identifiers and passwords and the level of access is dependent on the role that individual performs. In addition, all OH&W staff must sign a confidentiality agreement that also protects your health information.

How long OH&W keeps your health data

Due to the different types of health data collected by OH&W there may be a requirement to retain some of your information for up to 50 years. This includes for example data relating to exposure to hazards such as asbestos or those listed under the Control of Substances Hazardous to Health Regulations 2002 (COSHH regulations).

Your information rights

Under data protection legislation you are entitled to ask to see any personal data that we hold about you. For more information about how to access your personal data please see the section on subject access requests on our Access your data page.

You also have a number of other information rights which include:

  • The right to question any information we have about you that you think is wrong or incomplete
  • The right to object to how we use your information or to ask us to delete or restrict how we use it
  • The right to complain to the regulator - the Information Commissioner's Office

The TfL Privacy and Data Protection team considers and coordinate responses to requests and complaints from people whose personal data is processed by TfL and its subsidiary companies. You can contact the Data Protection Officer by email at dpo@tfl.gov.uk

Further information

We may need to update this statement from time to time, so check back here regularly to find out more. Your continued use of the site will mean that you accept those revisions.

This page was last updated in June 2021.

If you require any further information regarding the contents of this page please contact OH&W at Luohme@tube.tfl.gov.uk