Data Protection

Fair Processing Notice

This page explains our fair processing notice and how we will use and protect any information about you that you give us when you are referred to us as a patient.

Your consent to use your personal information

Healthshare (or the GP/Consultant referring you) is required to obtain your consent to use your personal data. This consent must be a ‘positive opt-in’ and in all circumstances before we proceed we need your permission to access your data.

We will record your consent to use your personal information in your patient record in our Patient Administration System.

At any time you can inform us that you no longer wish us to use your personal information. Whilst it is not a precondition of receiving your NHS service, the Healthshare clinicians and other staff have a duty to care for you safely. If they cannot ensure your care safety with the withdrawal of your information which they need, they may well discharge you from the Service and ask you to return to your GP.

This course of action is of course a last resort and Healthshare will endeavour in all circumstances to continue your care.

How we use your personal information

This fair processing notice explains why Healthshare collects information about you and how that information may be used.

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.

NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. These records are a Special Category under the law and as such our responsiveness to handle and process your personal data are even more sensitive. Records which Healthshare hold about you may include the following information:

  • Details about you, such as your address and emergency contact details
  • Any contact the service has had with you, such as appointments and clinic visits
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations such as laboratory tests and x-rays
  • Relevant information from other health professionals, relatives or those who care for you

To ensure you receive the best possible care, your records are used to inform the care you receive. Information held about you may be used to help protect the health of the public. Information may be used within the service for clinical audit to monitor the quality of the service provided.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. If you want to know more please click to view the leaflet “How information about you helps us to provide better care”.

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • General Data Protection Regulation (GDPR) 2018
  • Data Protection Act 2018
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality and Information Security · Information: To Share or Not to Share Review (click here to read further information about this)

Accessing your records

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. Individual staff may only view your records with a legitimate reason for a legitimate purpose. This would of course include the clinician(s) directly involved in your care or other staff who might be ordering or receiving diagnostic results linked to your care.

Other administration or management staff may need to access and use your records to contact you regarding appointments or your care. Our Patient Administration System where your records are stored creates a record of who has accessed your record for control and audit purposes.

Accessing or allowing someone else to access, your record without a legitimate purpose by a Healthshare member of staff is a serious data breach and is dealt with under our disciplinary procedures.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any 3rd party without your explicit consent unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the

confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies.

If we are recommending you choose to continue your care with another NHS Provider you will be asked to consent to send on your details to your choice of Provider.

Verifying your identity

We are required to verify your identity each time you contact us. You will be asked to provide identity information (for example full name, address, date of birth and NHS number) so your records can be located.

If you wish a spouse, relative or carer to communicate with us on your behalf we will need to obtain your explicit consent before doing so.

Where we use your personal data

Your personal data is stored securely within the United Kingdom in databases accessed with multiple levels of security. This ensures that only authorised Healthshare staff access your record.

The databases are held on IT systems using highly regulated and mandated NHS equipment, software and security.

Data is transmitted using the NHS mandated network that is appropriately encrypted to NHS Standards. If you request that we send your details to your personal e-mail address and possibly without NHS encryption we will only do tis at your request and with your consent.

Our Patient Administration Systems are not accessible outside of the United Kingdom. We do not send your data outside the United Kingdom.

Your right to have your records changed

You have a right to have inaccurate personal data rectified or completed if it is incomplete. Clinical notes and clinical opinions will not generally be altered but may of course be supplemented by additional personal data.

Who are our partner organisations?

We may also have to share your information, subject to strict agreements and your consent on how it will be used, with the following organisations:

  • NHS Trusts / Foundation Trusts
  • GPs
  • NHS Commissioning Support Units
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • Health and Social Care Information Centre (HSCIC)
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • Voluntary Sector Providers
  • Private Sector Providers
  • Other ‘data processors’ which you will be informed of

You will be informed who your data will be shared with and you will be asked for explicit consent for this when this is required. In all circumstances we will transit your personal data securely. In almost all instances the transfer of your data will be electronic either through the encrypted NHS network, or using NHS.net secure encrypted email or through an NHS encrypted portal (e.g. enabling an x-ray result to be shared between NHS organisations).

How we will communicate with you

In order to communicate with you, we are likely to do this by telephone, SMS, email, and/or post. If we contact you using the telephone number(s) which you have provided (landline and/or mobile), and you are not available which results in the call being directed to a voicemail and/or answering service, we may leave a voice message on your voicemail and/or answering service as appropriate.

We may monitor and record communications with you for quality, training and staff compliance purposes.

Any message left will be discrete and will not contain confidential information. In almost all circumstances the message will simply ask you to contact us.

In your initial patient registration with us we will seek your consent to contact you and via which route. If your preference for how we communicate with us changes please contact us so that we may amend your preferences. Should you change your mind regarding how you wish to be contacted, please let us know and we will amend your preferences and contact you only in the manner you prefer.

Right of access to your personal information (Subject Access Request)

You have a right under the General Data Protection Regulation (GDPR) 2018 to request access to obtain copies of what information the service holds about you and to have it amended should it be inaccurate. Your data is provided without cost to you. In order to request this, you need to do the following:

Your request can be made to the Service in person in the clinic, on the telephone or in writing (letter or e-mail). We are required to respond to you within 30 days

Retaining your personal information

Unlike many other types of personal information, under GDPR there is no ‘Right to Erasure’ of records. Indeed the Health Act requires us to retain your records for a minimum of 8 years after we have finished your care (discharge). Where your care record is part of your GP record retention is for a minimum of 20 years or 8 years post death. We are of course still bound by the strict rules of GDPR on how we store, access and release your patient information.

Marketing and other promotional contact

Healthshare is commissioned to provide your NHS service. We will never contact you to promote either other Healthshare services or those of a third party. If you are contacted by someone purporting to represent Healthshare please report it immediately to our Data Protection Officer who will deal with the matter.

Anonymised Data for Research Purposes

We research our patient care and your clinical outcomes to improve our Services. We will only use data that cannot be identified to you. Occasionally we work with appropriate and recognised research bodies (including universities) to do this. In all circumstances your data is anonymised and is not identifiable to you.

Objections and Complaints

Should you have any concerns about how your information is managed, please contact the Service Manager or our Data Protection Officer. If you are still unhappy following interaction with Healthshare, you can then complain to the Information Commissioners Office (ICO) via their website (www.ico.gov.uk).

Data Protection Officer

You are able to contact our Data Protection Officer by e-mail on dpofficer@healthshare.org.uk or by calling 01732 525935.

If you do not get a satisfactory response from the Data protection Officer then you should contact the supervisory authority.
In UK this is the Information Commissioners Office (ICO), they can be contacted on 03031231113

Change of Details

It is important that you tell the person treating you if any of your details such as your name or address have changed or if any of your details such as date of birth is incorrect in order for this to be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.

The General Data Protection Regulation 2016 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information. Healthshare is registered with the Information Commissioners Office (ICO).

This information is publicly available on the Information Commissioners Office website www.ico.org.uk.

What you need to do now

If you are happy for your data to be extracted and used for the purposes described in this fair processing notice then you do not need to do anything.

If you do not want your personal data being extracted and leaving the service for any of the purposes described, you need to let us know as soon as possible.

We will then ensure your records are prevented from leaving the service and / or leaving the central information system at the Health and Social Care Information Centre (HSCIC) for use by secondary providers.

Talent Acquisition

Healthshare takes your privacy seriously. Information provided to Healthshare as part of the talent acquisition and the selection process will be processed and stored in line with the General Data Protection Regulation (GDPR) and associated legislation. If consent is given, data will be stored for 420 days after which it is securely and permanently deleted. At appointment, information provided by successful applicants during the recruitment and selection process will be used by HR to establish staff records. If you have any queries about this Please contact the Data Protection Officer by email for our a copy of our Privacy Notice or more information on how we process your personal information: dpofficer@healthshare.org.uk

 

PRIVACY NOTICE CCTV (Closed Circuit Television) DATA

This Privacy Notice explains the kind of personal data Healthshare collects from you when visiting any of our sites with CCTV in operation and how Healthshare uses this data.

  1. Why we collect personal data?

 

Healthshare collects data through the CCTV system for various reasons:

  • To control access to the building and to ensure the security of the building, the safety of Healthshare staff and visitors, as well as property and information located or stored on the premises
  • To prevent, deter, and if necessary, investigate unauthorised physical access, including unauthorised access to secure premises and protected rooms, IT infrastructure, or operational information
  • To prevent, detect and investigate theft of equipment or assets owned by Healthshare, visitors or staff or threats to the safety of personnel working at the office (e.g. fire, physical assault).

The CCTV system is not used for any other purpose, such as to monitor the work of employees or their attendance. It is important to notice that the location and positioning of the video-cameras are such that they are not intended to cover the surrounding public space; the cameras are aimed to give a general overview of what`s happening in certain places but not to recognize persons.

The system is also not used as an investigative tool or to obtain evidence in internal investigations or disciplinary procedures unless a security incident is involved. (In exceptional circumstances, the data may be transferred to investigatory bodies in the framework of a formal disciplinary or criminal investigation). The CCTV cameras are installed at the entrances, placed and focused in a way that only people who want to access the site or the annexed facilities including parking areas property are filmed.

The CCTV system covers the area of entry and exit points of the building, entry points inside the building, delivery, and outer area of the building.

  1. What kind of data does Healthshare collect?

Healthshare collects just images caught on camera, and no voice is recorded.

  1. Who is responsible for the processing of the data?

Healthshare is the legal entity who initiated the processing of personal data and who determines the objective of this processing activity. Moreover, the Head of Information Governance is responsible for this operation.

  1. Which is the legal basis for this processing operation?

Healthshare uses video-surveillance equipment for security and access control purposes, which is an action necessary for the management and functioning of Healthshare. Therefore, the processing is lawful under Article 5(a) of the Regulation (EC) No 45/2001.

Carrying out video-surveillance is necessary for compliance with a legal obligation of EU law to which Healthshare is subject. Therefore, the processing is lawful under Article 5(b) of the Regulation (EC) No 45/2001.

In addition, at the entrance there is one on-the-spot-notice about the video-surveillance activity, clearly visible so in this case using the specific sign-posted part of the facility may constitute the fact that the processing is lawful under Article 5(d) of the Regulation (EC) No 45/2001 because “the data subject has unambiguously given his or her consent”.

  1. Who can see my data?

The images can be accessed by the operation, IT and IG staff members of Healthshare and by the contracted security company. Access to the hard-disc recorder is highly limited, being protected by a password and recording any log or action from the staff members. The data cannot be accessed without the authorisation of the Head of Information Governance.

  1. How to control your data?

You can send an email request to IG@healthshare.org.uk

  1. Can I access my data?

You have the right to access your data at any time and free of charge, by sending an email request to IG@healthshare.org.uk.

  1. Can I modify my data?

Modifying the CCTV footage is not allowed. However, you can modify the report written by the operation staff in connection with a security incident, if applicable in your case.

  1. Can I block you from processing my data?

You have the right to block the processing of your personal data at any time by sending an email request to IG@healthshare.org.uk when you contest the accuracy of your personal data or when Healthshare no longer needs the data for completing its tasks. You can also block the processing activity when the operation is unlawful, and you oppose to the erasure of the data. However, blocking is not possible in case of an official investigation.

  1. Can I delete my data?

You have the right to delete your data at any time by sending an email request to IG@healthshare.org.uk when the processing activity is unlawful.

  1. Do you share my data with other organisations?

 

We keep your data inside Healthshare unless you ask us or give us your permission to share it. In case we share your data with third parties, you will be notified to whom your personal data has been disclosed.

  1. Do I have the right to object?

Yes, you have the right to object at any time by sending an email request to IG@healthshare.org.uk when you have legitimate reasons relating to your particular situation. Moreover, you will be informed before your information is disclosed for the first time to third parties, or before it is used on their behalf, for direct marketing purposes.

Healthshare will confirm your requests within 21 days from the receipt of the request.

  1. What can I do in the event of a problem?

The first step is to notify Healthshare by sending an email to IG@healthshare.org.uk and ask us to take action.

The second step, if you obtain no reply from us or if you are not satisfied with it, contact our data protection officer (DPO) at dpo@healthshare.org.uk.

At any time you can lodge a complaint with the Information Commissioners Office on 0303 123 1113, who will examine your request and adopt the necessary measures.

 

  1. When will we start the processing operation?

We will start the processing operation when you are visiting Healthshare`s premises.

 

  1. Security of personal data

Healthshare is committed to protecting the security of your personal data. Therefore, we use several security technologies and procedures to help us to protect your personal data from unauthorised access, use or disclosure. We keep your data on computer systems that are limited access and just in controlled facilities.

  1. How long do we keep your data?

Healthshare will keep your personal data for 28 calendar days after your visit to our premises. After that period any CCTV recorded footage is automatically deleted.