This page explains our fair processing notice and how we will use and protect any information about you that you give us when you are referred to us as a patient.
Your consent to use your personal information
Healthshare (or the GP/Consultant referring you) is required to obtain your consent to use your personal data. This consent must be a ‘positive opt-in’ and, in all circumstances, we need your permission to access your data before we proceed.
We will record your consent to use your personal information in your patient record in our Patient Administration System.
At any time you can inform us that you no longer wish us to use your personal information. Whilst it is not a precondition of receiving your NHS service, the Healthshare clinicians and other staff have a duty to care for you safely. If they cannot ensure your care is safe once information they need has been withdrawn, they may well discharge you from the Service and ask you to return to your GP.
This course of action is of course a last resort and Healthshare will endeavour in all circumstances to continue your care.
How we use your personal information
This fair processing notice explains why Healthshare collects information about you and how that information may be used.
The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.
NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. These records are a Special Category under the law and as such our responsibilities when handling and processing your personal data are even greater. Records which Healthshare hold about you may include the following information:
- Details about you, such as your address and emergency contact details
- Any contact the service has had with you, such as appointments and clinic visits
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations such as laboratory tests and x-rays
- Relevant information from other health professionals, relatives or those who care for you
To ensure you receive the best possible care, your records are used to inform the care you receive. Information held about you may be used to help protect the health of the public. Information may be used within the service for clinical audit to monitor the quality of the service provided.
Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. If you want to know more please click to view the leaflet “How information about you helps us to provide better care”.
How do we maintain the confidentiality of your records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- General Data Protection Regulation (GDPR) 2018
- Data Protection Act 2018
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- Health and Social Care Act 2012
- NHS Codes of Confidentiality and Information Security
- Information: To Share or Not to Share Review
Accessing your records
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. Individual staff may only view your records with a legitimate reason for a legitimate purpose. This would of course include the clinician(s) directly involved in your care or other staff who might be ordering or receiving diagnostic results linked to your care.
Other administration or management staff may need to access and use your records to contact you regarding appointments or your care. Our Patient Administration System where your records are stored creates a record of who has accessed your record for control and audit purposes.
A Healthshare member of staff accessing your record, or allowing someone else to access it, without a legitimate purpose is a serious data breach and is dealt with under our disciplinary procedures.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any 3rd party without your explicit consent unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies.
If we recommend that you continue your care with another NHS Provider, you will be asked to consent to us sending your details to the Provider of your choice.
Verifying your identity
We are required to verify your identity each time you contact us. You will be asked to provide identity information (for example full name, address, date of birth and NHS number) so your records can be located.
If you wish a spouse, relative or carer to communicate with us on your behalf we will need to obtain your explicit consent before doing so.
Where we use your personal data
Your personal data is stored securely within the United Kingdom in databases accessed with multiple levels of security. This ensures that only authorised Healthshare staff access your record.
The databases are held on IT systems using highly regulated and mandated NHS equipment, software and security.
Data is transmitted using the NHS mandated network that is appropriately encrypted to NHS Standards. If you ask us to send your details to your personal e-mail address, possibly without NHS encryption, we will only do this at your request and with your consent.
Our Patient Administration Systems are not accessible outside of the United Kingdom. We do not send your data outside the United Kingdom.
Your right to have your records changed
You have a right to have inaccurate personal data rectified or completed if it is incomplete. Clinical notes and clinical opinions will not generally be altered but may of course be supplemented by additional personal data.
Who are our partner organisations?
We may also have to share your information, subject to strict agreements and your consent on how it will be used, with the following organisations:
- NHS Trusts / Foundation Trusts
- NHS Commissioning Support Units
- Independent Contractors such as dentists, opticians, pharmacists
- Private Sector Providers
- Voluntary Sector Providers
- Ambulance Trusts
- Clinical Commissioning Groups
- Social Care Services
- Health and Social Care Information Centre (HSCIC)
- Local Authorities
- Education Services
- Fire and Rescue Services
- Police & Judicial Services
- Other ‘data processors’ which you will be informed of
You will be informed who your data will be shared with and you will be asked for explicit consent for this when this is required. In all circumstances we will transmit your personal data securely. In almost all instances the transfer of your data will be electronic, either through the encrypted NHS network, using NHS.net secure encrypted email, or through an NHS encrypted portal (e.g. enabling an x-ray result to be shared between NHS organisations).
How we will communicate with you
We are likely to communicate with you by telephone, SMS, email, and/or post. If we contact you using the telephone number(s) which you have provided (landline and/or mobile) and you are not available, so that the call is directed to a voicemail and/or answering service, we may leave a voice message on your voicemail and/or answering service as appropriate.
We may monitor and record communications with you for quality, training and staff compliance purposes.
Any message left will be discreet and will not contain confidential information. In almost all circumstances the message will simply ask you to contact us.
In your initial patient registration with us we will seek your consent to contact you and via which route. If your preference for how we communicate with you changes, please contact us so that we may amend your preferences. Should you change your mind regarding how you wish to be contacted, please let us know and we will amend your preferences and contact you only in the manner you prefer.
Right of access to your personal information
(Subject Access Request)
You have a right under the General Data Protection Regulation (GDPR) 2018 to request access to, and obtain copies of, the information the service holds about you and to have it amended should it be inaccurate. A Subject Access Request (SAR) is an important facet of GDPR and is likely a future privacy law. It is what allows you to request and receive a copy of your personal data. Healthshare must comply with an SAR without undue delay and at the latest within one month of receiving your request. Your data is provided without cost to you.
In order to request this, you need to do the following:
Your request can be made by completing our online form. We will request to see proof of your identity because the teams dealing with your request are not at the clinic you visit and they must be absolutely sure you are who you say you are. If you have further questions, please email firstname.lastname@example.org
Retaining your personal information
Unlike many other types of personal information, under GDPR there is no ‘Right to Erasure’ of records. Indeed the Health Act requires us to retain your records for a minimum of 8 years after we have finished your care (discharge). Where your care record is part of your GP record, retention is for a minimum of 20 years or 8 years post death. We are of course still bound by the strict rules of GDPR on how we store, access and release your patient information.
Marketing and other promotional contact
Healthshare is commissioned to provide your NHS service. We will never contact you to promote either other Healthshare services or those of a third party. If you are contacted by someone purporting to represent Healthshare please report it immediately to our Data Protection Officer who will deal with the matter.
Anonymised data for research purposes
We research our patient care and your clinical outcomes to improve our Services. We will only use data that cannot be identified to you. Occasionally we work with appropriate and recognised research bodies (including universities) to do this. In all circumstances your data is anonymised and is not identifiable to you.
Objections and complaints
Should you have any concerns about how your information is managed, please contact the Service Manager or our Data Protection Officer. If you are still unhappy following interaction with Healthshare, you can then complain to the Information Commissioner's Office (ICO) via their website (www.ico.gov.uk).
Data protection officer
You are able to contact our Data Protection Officer by e-mail on email@example.com or by calling 01732 525935.
If you do not get a satisfactory response from the Data Protection Officer then you should contact the supervisory authority.
In the UK this is the Information Commissioner's Office (ICO), which can be contacted on 03031231113.
Change of details
It is important that you tell the person treating you if any of your details such as your name or address have changed, or if any of your details such as date of birth are incorrect, in order for this to be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.
The General Data Protection Regulation 2016 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information. Healthshare is registered with the Information Commissioner's Office (ICO).
This information is publicly available on the Information Commissioner's Office website www.ico.org.uk.
What you need to do now
If you are happy for your data to be extracted and used for the purposes described in this fair processing notice then you do not need to do anything.
If you do not want your personal data being extracted and leaving the service for any of the purposes described, you need to let us know as soon as possible.
We will then ensure your records are prevented from leaving the service and / or leaving the central information system at the Health and Social Care Information Centre (HSCIC) for use by secondary providers.
Healthshare takes your privacy seriously. Information provided to Healthshare as part of the talent acquisition and the selection process will be processed and stored in line with the General Data Protection Regulation (GDPR) and associated legislation. If consent is given, data will be stored for 420 days after which it is securely and permanently deleted. At appointment, information provided by successful applicants during the recruitment and selection process will be used by HR to establish staff records. If you have any queries about this, please contact the Data Protection Officer by email for a copy of our Privacy Notice or more information on how we process your personal information: firstname.lastname@example.org