Health 2 Employment (H2E) CIC – Privacy Policy

Version 1.5
Version Date: March 2026
Author: Stephanie Pearson

At‑a‑Glance Summary

This Privacy Policy explains:

  • What personal data we collect

  • How and why we use it

  • How long we keep it

  • Who we share it with

  • How you can exercise your rights

  • How we use AI (transcription only)

  • How we use cookies (if applicable)

  • How to contact us

We are committed to protecting your data and being open about how we use it.

1. Scope

This Privacy Policy and associated Privacy Notice explain how Health 2 Employment (H2E) CIC, including its trading division OH One, collects, uses and shares (or "processes") personal data belonging to:

  • Staff

  • Prospective staff / applicants

  • Contractors

  • Clients

  • Service users

We process personal data in accordance with UK GDPR and the Data Protection Act 2018.

2. Who Are We?

Health 2 Employment (H2E) CIC is the data controller for the processing of personal data carried out by H2E and its contractors. We determine the purpose and means of processing your information.

Data Protection Officer (DPO)

Stephanie Pearson
Governance and Data Compliance Manager
Health 2 Employment (H2E) CIC
Suite 1, Triangle Business Park,

Pentrebach,

Merthyr Tydfil

Wales

CF48 4TQ
Email: Stephanie.pearson@health2employment.com

3. Why Do We Process Information?

We process personal data in order to:

  • Provide and deliver occupational health, wellbeing, employment, and therapy services

  • Maintain service and financial records

  • Manage our workforce

  • Promote our services to relevant individuals and organisations

  • Ensure safe and effective service delivery

4. What Information Do We Collect?

We may collect:

Personal Information

  • Name, date of birth, address

  • Contact details

  • Safeguarding information

  • Employment information

  • Financial information

  • Lifestyle and social circumstances

  • Goods and services information

Special Category (Sensitive) Data

  • Health information (mental and physical)

  • Racial or ethnic origin

  • Religious or philosophical beliefs

We process data relating to:

  • Clients

  • Service users

  • Employers

  • Employees

  • Suppliers and contractors

  • Complainants and enquirers

We may receive data from:

  • Department for Work and Pensions (DWP)

  • Prime contractors

  • Employers

We do not knowingly collect data from children under 13.

5. Legal Basis for Processing

We rely on the following lawful bases under Articles 6 and 9 of UK GDPR:

  • Delivering occupational health services Art. 6(1)(b) – Contract; Art. 9(2)(h) – Health purposes

  • Delivering employment & wellbeing support Art. 6(1)(b) – Contract

  • Providing therapy/counselling Art. 9(2)(h) – Provision of care

  • Managing our business & records Art. 6(1)(f) – Legitimate interests

  • Direct marketing Art. 6(1)(a) – Consent OR Art. 6(1)(f) – Legitimate interest

  • Legal / regulatory compliance Art. 6(1)(c) – Legal obligation

  • Safeguarding / vital interests Art. 6(1)(d), Art. 9(2)(c) – Vital interests

Change of Purpose

If we wish to use your data for a new purpose, we will notify you or seek consent where required.

6. Marketing Activities

We may use limited personal information to communicate relevant:

  • Service updates

  • Programmes

  • Opportunities

  • News and resources related to our services

We will only send marketing where we have a lawful basis (consent or legitimate interests).

Your rights:

You may opt out at any time without affecting the services you receive.

7. Use of Artificial Intelligence (AI)

H2E uses AI tools only for:

✔ Speech‑to‑text transcription

(e.g., converting spoken words into written notes)

We do not use AI for:

  • Automated decision‑making

  • Profiling

  • Assessment of eligibility, suitability or performance

All decisions affecting you are made by trained human staff.

Safeguards:

  • Transcribed data is reviewed by a human

  • AI tools are used within secure systems

  • Transcripts are retained in accordance with our retention policy

  • AI outputs are not used to make any decisions about you

8. Sharing Data

We may share data with third parties that provide services on our behalf under strict contractual controls.

We may also share data with:

  • Employers

  • Professional advisers

  • Employment agencies

  • Government bodies

  • Subcontractors and suppliers

  • Family members (where appropriate)

Medical details are never shared without your explicit consent unless required for safeguarding, law enforcement, or vital interests.

9. International Data Transfers

We currently do not transfer your personal data outside the UK/EEA.

If this changes, we will ensure safeguards such as:

  • UK Addendum

  • International Data Transfer Agreements (IDTAs)

  • Adequacy decisions

10. Security

We use appropriate organisational and technical measures to protect personal data, including:

  • Access controls

  • Encryption

  • Audit logging

  • Secure deletion

  • Staff training

We have procedures to identify, investigate and report data breaches.

11. How Long Do We Keep Data?

Data is retained in line with our Document Retention Policy and statutory requirements.

Non‑mandatory information is kept only as long as necessary.

Anonymous survey/feedback data may be kept longer to support comparison over time.

12. Your Rights

You have the right to:

  • Be informed

  • Access your data

  • Rectification

  • Erasure

  • Restrict processing

  • Object to processing

  • Data portability (where applicable)

To exercise any of these rights, contact our DPO.

If concerns remain, you may contact the Information Commissioner’s Office (ICO).

13. Cookies and Website Tracking

If our website uses cookies, the following applies:

Essential cookies

Used to ensure site functionality. These do not require consent.

Analytics / performance cookies

Used to understand website usage. These require consent.

Marketing cookies

Used to measure engagement with campaigns. These require consent.

You can change your cookie preferences at any time.

14. Accessibility

This Privacy Policy can be provided in:

  • Large print

  • Alternative formats

  • Simplified English

  • Other languages on request

Please contact us to request an alternative version.

15. Changes to This Policy

We may update this Policy from time to time. Significant changes will be published on our website with an updated version number and date.

Appendix 1: DWP Participants

The Department for Work and Pensions (DWP) pays towards the costs of employment related programmes. Personal data is collected to deal with a variety of areas including:

· social security (including Housing Benefit, Council Tax Reduction Schemes and Local Welfare Provision)

· child support

· employment and training

‍ ‍
The information the DWP collects about you depends on the reason for your business, but they may use the information for any of these purposes. The DWP may also check information that they collect about you with other information they have.


The DWP may share your information for a number of reasons, including to:

· check the accuracy of information

· help people with particular difficulties, such as troubled families

· help people get or stay in work

· help people get education and training to improve their chances of getting work

· support people with independent living, including home help and respite care

· prevent or detect crime

· check payments for services

· protect public funds in other ways

· use for research or statistical purposes.

Further information can be found at:

https://www.gov.uk/government/organisations/department-for-work-pensions/about/personal-information-charter

‍ ‍