This policy covers how we at IOM collect, use, disclose, and store your data.

The Institute of Occupational Medicine (IOM) is one of the world’s leading providers of workplace health research and consultancy services. Our expertise extends across a very wide range of scientific disciplines.

From our UK base and headquarters in Edinburgh Scotland, we have 2 regional offices (Stafford and Chesterfield), serving our clients across 6 continents of the world.

This privacy policy also covers data handling for our websites including:

What personal data we collect and how we use it?

IOM is what’s known as the ‘controller’ of the personal data you provide to us. We will usually collect basic personal data about you like your name, postal address, telephone number and email address. 

We collect your personal data in connection with specific activities, such as campaign updates, newsletter requests, feedback, competition entries, via meetings at trade shows and events.

The information is either needed to fulfil your request or to enable us to provide you with a more personalised service. You don't have to disclose any of this information to browse our sites. However, if you choose to withhold requested information, we may not be able to provide you with certain services.

Sometimes, with your consent, we will process your personal data to provide you with information about our work or our activities that you have requested or are expecting.

On other occasions, we may process personal data when we need to do this to fulfil a contract (for example, if you have purchased a training course from our website) or where we are required to do this by law or other regulations.  We also may need to process personal data for research projects, including epidemiological studies.

IOM also processes your data when it is in our legitimate interests to do this and when these interests do not override your rights. Those legitimate interests include providing you with information on our research that is within the public benefit, services, products, newsletter requests, feedback, competitions and events. Please see the section on 'Legitimate Interest' for more information, including information on research projects we may undertake.

IOM processes all personal data in accordance with the key GDPR principles unless there is a relevant exemption (see GDPR exemptions). Personal data is:

  1. processed lawfully, fairly and in a transparent manner;
  2. collected only for specified, explicit and legitimate purposes, and is not further processed in any manner incompatible with those;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
  4. accurate and, where necessary, kept up-to-date;
  5. not kept as identifiable data for longer than necessary for the purposes concerned; and
  6. processed securely.

Legitimate interests

We have a number of lawful reasons that mean we can use (or 'process') your personal information. One lawful reason is something called 'legitimate interests'. Broadly speaking legitimate Interests means we can process your personal information if:

We have a genuine and legitimate reason.


We are not harming any of your rights and interests.

Please read the Legitimate Interest statement for more information.

If you enter into a contract with us, there may be times when we need to share the information you have provided with a third party to enable us to continue fulfilling the contracted work. If this is the case you would be informed and notified of what information was being shared and why. We would only share the essential information needed to complete the service.

How we obtain your details

We will also hold information about your details so that we can respect your preferences for being contacted by us.

We collect your personal information in a number of ways:

  • When you provide it to us directly.
  • When you provide permission to other organisations to share it with us
  • When we collect it as you use our websites (more details below).

From time to time we may pay for the contact details of people who might be interested in hearing from us in future. Before we purchase contact information, we always check the wording used when your information was originally collected, to make sure that we only contact people who have actively expressed an interest in receiving information from third parties.

When providing permission for 3rd party organisations to share your data you should check their Privacy Policies carefully to understand fully how they will process your data.

When you use our digital services

We use website log files, cookies, digital analytics (Google), to gather information about how people use our sites.

We do not collect or store your personal information (e.g. your name or address) in our website analytics.  However, we can recognise that behaviours belong to a single person.  The information collected helps us investigate whether each website meets its users' needs as well as to evaluate how each website can be improved. We store information about what pages you visit, how long you are on the site, how you got here and what you clicked on.

Website log files collect your IP address when you visited the site and the pages you visited. An IP address is a numeric code assigned to a device based on your geographical location

Cookies are small text files which are delivered onto your computer by websites that you visit. Our use of cookies is integral to both the current visitor experience and how we shape and grow our web-based services in the future.  You can read more about how we use cookies on our cookies page.

Digital Analytics and Doubleclick

Digital analytics tools such as Google Analytics and DoubleClick may be used to record anonymous users’ interaction with our websites.

We have no live retargeting activity but in the future, we may use these data to retarget users through advertising on other websites, therefore an individual's behaviour on one of our websites may result in them being retargeted with advertising related to the pages they visited or actions they took on the site.

You may opt out of the DoubleClick cookie by visiting the Google advertising opt-out page or you may opt out of our use of Analytics by visiting the Google Analytics opt-out page.

Ways for you to provide us with your personal data


Occasionally you can request a brochure or e-guide by downloading it from our sites. In order to do this, we need your name and email address and the brochure requested.

You will also be asked to provide consent, if you consent to future marketing we will continue to process your data on that basis. We store this in a secure database for five years after your last communication with us, unless you withdraw consent.


When you make a complaint to us, you can do so via an online form, email, telephone or a letter. The complaint is logged on an internal database and account management system. 

A complaint can be made anonymously. However if you do provide personal data, we request your full name and address. We will only use the personal information we collect to process the complaint and to check on the level of service we provide.

By giving us your personal data you consent to us processing it. We retain personal data obtained from complaints for five years and then confidentially destroy it.


From time to time we send newsletters to update readers about all aspects of our business.

To provide these newsletters, we request contact details including but not limited to - your email address, country, company name, industry and postcode.

We only collect this data when we have your consent and retain it on a secure database.  We store this data for five years after your last communication with us, unless you withdraw consent. If you withdraw consent it will be deleted within a month.

You can unsubscribe from these newsletters from a unsubscribe link within the email. This will suppress your email address only. If you want us to delete your data then you need to send a withdraw consent request and your data will be deleted within a month.


You do not need to include your name or contact details in order to provide us with general feedback or information about any technical problems on this site. You will however need to include an email address if you want us to reply to you. For some enquiries, contact details will be required.

We will only use any personal information provided to deal with your request and will not share it with other organisations.  This data is stored for six months after we respond to your feedback, in case you ask for more detail or have other feedback you'd like to make.

We reserve, however the right to use non-personal information for business, marketing research and marketing purposes. Uses include:

An internal report listing technical problems on the website and services

Marketing literature using quotes drawn from feedback about the site and services


We may ask you for feedback whilst on the website. You only need to include an email address if you want us to reply to you or you would like to be included in future market research.

By giving us your personal data, you consent to us processing it. We will store it securely for a maximum of six months.

When you use other services to interact with us

When you use a social media platform, details about how your personal information is held, is described within the relevant social media policy, such as LinkedIn or Twitter. 


We use a third party provider, to manage our social media interactions.

If you send us a private or direct message via social media the message will be stored by our provider for 3 months and then confidentially destroyed. It will not be shared with any other organisations.

When you contact us directly


We do not collect caller line identification information when you call us. We will only collect personal information that you consent to provide to us in order to deliver a service.


When you contact us via email, we will retain your email and our response to it for as long as the business issue remains. After this, the information will be confidentially destroyed.


When you contact us via post, we will retain your letter/postal address/personal information and our response to it for as long as the business issue remains. After this, the information will be confidentially destroyed.

When we meet in person

IOM exhibit at several industry and scientific conferences each year. We will collect your business information from you to help us deliver a service that you are enquiring about. We may also ask you to subscribe to our e-newsletters and we will collect name, email, company name, industry and postcode. You choose not to subscribe when you meet us.

When we contact you

Email communications

We may email you regarding a contract or service or in response to a request, you have made. Your data will be stored for the purpose and time required to fulfil this.

We send emails marketing to promote IOM and our services. The legal basis for this is a legitimate interest, the services we offer would be a benefit to you or your company’s needs, there is limited privacy impacts and by sharing your data with us we can reasonable expect IOM to use your data to promote our services. For more information on this please read section the legitimate interests statement.

If you subscribed to regular information via email before May 2018, you have not asked us to stop and you have engaged with the content recently we will continue to contact you.

We store this in a secure database for five years after your last communication with us, unless you withdraw consent. If you withdraw consent, we will delete your data within a month.

Your rights

Under the General Data Protection Regulation, you have rights as an individual which you can exercise in relation to the information we hold about you.

Read more about your individual rights, which apply to our commercial and research work, on the Information Commissioner's Office website.

Access to personal information

IOM tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a 'right of access' request under the General Data Protection Regulations. If we do hold information about you we will:

Give you a description of it;

Tell you why we are holding it;

Let you have a copy of the information in an intelligible form.

Changes to this privacy policy

We keep this privacy policy under regular review. This privacy policy was last updated on September 2020.

Since this policy is under regular review, you may wish to check it each time you submit personal information. If you do not agree to any changes, please do not continue to use IOM websites to submit personal information. If material changes are made to the Privacy Policy, for instance affecting how we would like to use your personal information, we will provide a more prominent notice.

You can access this policy at any time through the link at the bottom of our websites and from any e-newsletters you are subscribed to.

How to contact us

IOM tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

This privacy policy was drafted with brevity and clarity in mind. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.

IOM Edinburgh

Research Avenue North



Midlothian   EH14 4AP


Tel: +44 (0)131 449 8000

Email: [email protected]