Who we are
We are ToHealth Limited, a specialist health assessment and medical screening services company based in the UK. We are a subsidiary of PAM Group, who are a specialist occupational health and wellbeing business. Our registered office is Holly House, 73-75 Sankey Street, Warrington, WA1 1SL. Telephone: 01925 227000. ToHealth Limited is registered with the ICO under the Data Protection Act and our registration number is Z2191268.
For the purpose of delivering our services we act as a Data Controller, as we process special data (health records), and this is carried out by authorised healthcare professionals. Some instructions may be taken from other PAM Group companies where they will be the Data Controller.
The data we collect and why
ToHealth collects, processes and holds data for the purpose of providing healthcare and screening services to our clients and consumers. We provide our services direct to consumers, but we also provide services via corporate organisations such as employers and insurance companies who provide employee benefits.
ToHealth employs specialist clinicians who provide advice and medical treatment. These include doctors, specialist nurses, physiotherapists, counsellors, psychologists, psychiatrists, nutritionists, physiologists, wellbeing advisors. We have a clinical management team who decide how we process clinical data. Any clinical information that we process is treated as medically confidential.
ToHealth will only use qualified clinicians when we provide advice or services to you or your employer. Our clinicians are regulated and authorised by the Nursing Midwifery Council, General Medical Council, Health Care Protection Council, and British Association of Counselling and Psychotherapy.
We collect personal information from you through your contact with us, including by phone, by email, through our websites and health portals, through our screening software, by post, by filling in application or other forms, through social media or direct contact through meeting with our healthcare staff. We also might collect information from other people and organisations such as your employer.
The information we collect about you can be categorised into two areas:
Standard Personal Data
• Contact information about you such as name, gender, address, date of birth, email address, your NHS number and your current GP.
• Your employer if you are part of a corporate scheme
• Any contacts we have had with you such as appointments, telephone calls, written correspondence, complaints or incidents.
• Information about how you use our services such as our website, software, health portal and IP addresses.
• If you are a consumer and paying for our services directly, financial details such as bank details and credit card information are handled directly by our third party supplier. We do not record this information ourselves; however, we keep a record of your payment history.
Special Category Data
• Clinical notes and reports about your physical and mental health and wellbeing
• Details about your screenings, examinations, results and care
• Results of investigations such as blood tests
• Information about your ethnic origin so that we can tailor tests and calculations that require this information.
• Relevant information from other health professionals
Purpose of the processing and the legal basis for the processing
We process your personal information for a number of legitimate interests from managing our relationship with you through to helping us improve our services and products to you.
Legitimate interest is one of the legal reasons why we process your personal information. Taking into account your interests, rights and freedoms, legitimate interests which allow us to process your personal information include:
• To manage our relationship with you, our business and third parties who provide products or services for us.
• To provide healthcare services for you directly or on behalf of a third party (for example, your employer).
• To keep our records up to date
• If your service is being provided by your employer, to provide anonymised (information that cannot identify you as an individual) feedback to your employer so they can assess the health and wellbeing of their workforce
• For research and analysis so that we can monitor and improve our products, services, websites and software or develop new ones.
• To contact you for market research and for marketing purposes about the quality of our service that we have provided to you
• To monitor how well we are meeting our clinical and business performance expectations
• Additionally, we process special category personal data under the provision of the Data Protection Act (2018), Schedule 1, Part 1, S(2):
“processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems”
We only disclose information about you for the following reasons:
• In reports to your employer where you have been referred by your employer for an assessment and you have consented to this report being provided to your employer.
• To our approved partners or suppliers for the purpose of delivering the services that we have been engaged to provide; such as sending your name and blood samples to contracted blood testing laboratories.
• With your consent, which we will obtain before we make such a disclosure
• Where it is required by law
Your relevant data may be shared with third party providers that have contracts with ToHealth to provide relevant health care services.
Blood testing laboratories: We disclose name, gender, contact details and date of birth along with the blood sample so that your sample can be accurately processed and results returned directly to you or via ToHealth.
Your General Practitioner or doctor (with consent from you): We would disclose your clinical results so that they can act on any findings that our services obtain from screening or occupational health investigations.
Third party healthcare providers: If your package offers specialist tests or screenings that are not provided by ToHealth’s own clinical team, we contract with carefully selected third party providers to offer these additional tests. We would disclose your contact details and relevant clinical measurements.
Third party lifestyle providers: If your package offers lifestyle services such as coaching, we contract with carefully selected third party providers to offer these additional services. We would disclose your contact details and relevant clinical measurements.
If your employer pays for your screening then we will inform your employer of your name, screening location, services provided and attendance date so that ToHealth can correctly invoice for the screening carried out. We do not disclose to your employer any identifiable results or measurements from your own screening unless we are undertaking statutory tests such as fitness to work in an occupational health capacity.
Details of transfers and safeguards
Your data remains within the European Economic Area at all times and will be held in secure data centres. ToHealth undertake an annual information governance and security assessment with NHS Digital using the Data Security and Protection Toolkit to ensure we are following best practice guidelines for the management and security of your data.
Records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. All ToHealth staff have a legal and contractual responsibility to respect the confidentiality of information, and access to confidential information is restricted to only those who have a reasonable need to access it. ToHealth staff all undergo regular training in how to manage and keep data safe and secure.
Data will be held by ToHealth in accordance with the following data retention terms:
1. Personal and Special Data processed for the purposes of delivering Assessment Services or Health Promotion Services will be held for as long as our Client instructs or until the end of any service agreement whichever is sooner.
2. Personal and Special Data processed for the purposes of delivering Medical Services will be held for up to 3 years after the service has been delivered.
3. A person has the right to be forgotten and ask us to delete the data we hold if we have provided Medical Services. If we hold data as part of Assessment Services or for Health Promotion reasons, the decision to delete the data rests with our client (usually your employer).
4. Any periods for keeping information which are set by law or by regulators.
Your rights under the Data Protection Act (2018) are as follows:
• right of access to a copy of the information comprised in your personal data
• a right to prevent processing for direct marketing;
• a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed
You have a right to make a Subject Access Request for a copy of your personal data which we hold. This will be supplied in permanent intelligible form. This information or any actions arising from the request will be carried out within one month of the request being made. To request a copy of your data you can email:
Should you have any concerns about how your information is managed by ToHealth, please contact:
ToHealth Data Protection Officer, Holly House, 73-75 Sankey Street, Warrington, Cheshire WA1 1SL
If you are still unhappy following our review, you can then complain to the ICO via their website www.ico.org.uk or write to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
Policy Review date 31.1.2021