FAIR PROCESSING NOTICE
Your consent to use your personal information
Healthshare (or the GP referring you) is required to obtain your consent to use your personal data. This consent must be a ‘positive opt-in’ and in all circumstances before we proceed we need your permission to access your data.
We will record your consent to use your personal information in your patient record in our Patient Administration System.
At any time you can inform us that you no longer wish us to use your personal information. Whilst it is not a precondition of receiving your NHS service, the Healthshare clinicians and other staff have a duty to care for you safely. If they cannot ensure your care is safe once the information they need has been withdrawn, they may well discharge you from the Service and ask you to return to your GP.
This course of action is of course a last resort and Healthshare will endeavour in all circumstances to continue your care.
National Data Opt Out
We are committed to keeping patient information safe and always being clear about how it is used.
By 2020 all health and care organisations are required to be compliant with the National Data Opt-Out policy. This means you can choose to stop your confidential patient information being used for research and planning. You can also make a choice for someone in your care, such as your children under the age of 13.
Your choice will only apply to the health and care systems in England.
You can view and change your national data opt-out choice at any time by using the online service at www.nhs.uk/your-nhs-data-matters or by calling 0300 3035678.
To ensure that we are compliant with the national opt-out guidelines, we reviewed our processes and implemented systems to allow us to remove records of service users who wish to opt-out of sharing their confidential patient information for research and planning.
You can find out more information about the national data opt-out in this patient leaflet.
How we use your personal information
This fair processing notice explains why Healthshare collects information about you and how that information may be used.
The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.
NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. These records are a Special Category under the law and as such our responsibilities in handling and processing your personal data are even greater. Records which Healthshare holds about you may include the following information:
- Details about you, such as your address and emergency contact details
- Any contact the service has had with you, such as appointments and clinic visits
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations such as laboratory tests and x-rays
- Relevant information from other health professionals, relatives or those who care for you
To ensure you receive the best possible care, your records are used to inform the care you receive. Information held about you may be used to help protect the health of the public. Information may be used within the service for clinical audit to monitor the quality of the service provided.
Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.
If you want to know more, please see the leaflet ‘How information about you helps us to provide better care’.
How do we maintain the confidentiality of your records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- General Data Protection Regulation (GDPR) 2018
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- Health and Social Care Act 2012
- NHS Codes of Confidentiality and Information Security
- Information: To Share or Not to Share Review
Accessing your records
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. Individual staff may only view your records with a legitimate reason for a legitimate purpose. This would of course include the clinician(s) directly involved in your care or other staff who might be ordering or receiving diagnostic results linked to your care.
Other administration or management staff may need to access and use your records to contact you regarding appointments or your care. Our Patient Administration System where your records are stored creates a record of who has accessed your record for control and audit purposes.
A Healthshare member of staff accessing, or allowing someone else to access, your record without a legitimate purpose is a serious data breach and is dealt with under our disciplinary procedures.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any 3rd party without your explicit consent unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where ‘The duty to share information can be as important as the duty to protect patient confidentiality.’ This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies.
Subject Access Request
Under the General Data Protection Regulation, you are entitled as a patient to obtain from Healthshare Diagnostics confirmation as to whether we are processing personal data concerning you, as well as to request details about the purposes, categories and disclosure of such data.
Verifying your identity
We are required to verify your identity each time you contact us. You will be asked to provide identity information (for example full name, address, date of birth and NHS number) so your records can be located.
If you wish a spouse, relative or carer to communicate with us on your behalf we will need to obtain your explicit consent before doing so.
Where we use your personal data
Your personal data is stored securely within the United Kingdom in databases accessed with multiple levels of security. This ensures that only authorised Healthshare staff access your record.
The databases are held on IT systems using highly regulated and mandated NHS equipment, software and security.
Data is transmitted using the NHS mandated network that is appropriately encrypted to NHS Standards.
Our Patient Administration Systems are not accessible outside of the United Kingdom. We do not send your data outside the United Kingdom.
Your right to have your records changed
You have a right to have inaccurate personal data rectified or completed if it is incomplete. Clinical notes and clinical opinions will not generally be altered but may of course be supplemented by additional personal data.
Who are our partner organisations?
We may also have to share your information, subject to strict agreements and your consent on how it will be used, with the following organisations:
- NHS Trusts / Foundation Trusts
- NHS Commissioning Support Units
- Independent Contractors such as dentists, opticians, pharmacists
- Private Sector Providers
- Voluntary Sector Providers
- Ambulance Trusts
- Clinical Commissioning Groups
- Social Care Services
- Health and Social Care Information Centre (HSCIC)
- Local Authorities
- Education Services
- Fire and Rescue Services
- Police & Judicial Services
- Other ‘data processors’ which you will be informed of
You will be informed who your data will be shared with and you will be asked for explicit consent for this when this is required. In all circumstances we will transmit your personal data securely. In almost all instances the transfer of your data will be electronic, either through the encrypted NHS network, or using NHS.net secure encrypted email, or through an NHS encrypted portal (e.g. enabling an x-ray result to be shared between NHS organisations).
How we will communicate with you
In order to communicate with you, we are likely to do this by telephone, SMS, email, and/or post. If we contact you using the telephone number(s) which you have provided (landline and/or mobile), and you are not available which results in the call being directed to a voicemail and/or answering service, we may leave a voice message on your voicemail and/or answering service as appropriate.
Any message left will be discreet and will not contain confidential information. In almost all circumstances the message will simply ask you to contact us.
In your initial patient registration with us we will seek your consent to contact you and via which route. If your preference for how we communicate with you changes, please contact us so that we may amend your preferences.
Right of access to personal information
You have a right under the General Data Protection Regulation (GDPR) 2018 to request access to obtain copies of what information the service holds about you and to have it amended should it be inaccurate. Your data is provided without cost to you. In order to request this, you need to do the following:
Your request can be made to the Service in person in the clinic, on the telephone or in writing (letter or e-mail). We are required to respond to you within 30 days.
Retaining your personal information
Unlike many other types of personal information, under GDPR there is no ‘Right to Erasure’ of records. Indeed the Health Act requires us to retain your records for a minimum of 7 years after we have finished your care (discharge). Where your care record is part of your GP record retention is for a minimum of 20 years or 8 years post death. We are of course still bound by the strict rules of GDPR on how we store, access and release your patient information.
Marketing and other promotional contact
Healthshare is commissioned to provide your NHS service. We will never contact you to promote either other Healthshare services or those of a third party. If you are contacted by someone purporting to represent Healthshare please report it immediately to our Data Protection Officer who will deal with the matter.
Objections and complaints
Should you have any concerns about how your information is managed, please contact the Service Manager or our Data Protection Officer. If you are still unhappy following interaction with Healthshare, you can then complain to the Information Commissioner's Office (ICO) via their website (www.ico.gov.uk).
Data Protection Officer
Change of details
It is important that you tell the person treating you if any of your details, such as your name or address, have changed, or if any of your details, such as your date of birth, are incorrect, so that they can be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.
The General Data Protection Regulation 2018 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information. Healthshare is registered with the Information Commissioner's Office (ICO).
This information is publicly available on the Information Commissioner's Office website www.ico.org.uk.
What you need to do now
If you are happy for your data to be extracted and used for the purposes described in this fair processing notice then you do not need to do anything.
If you do not want your personal data being extracted and leaving the service for any of the purposes described, you need to let us know as soon as possible.
We will then ensure your records are prevented from leaving the service and / or leaving the central information system at the Health and Social Care Information Centre (HSCIC) for use by secondary providers.
PRIVACY NOTICE CCTV (Closed Circuit Television) DATA
This Privacy Notice explains the kind of personal data Healthshare collects from you when visiting any of our sites with CCTV in operation and how Healthshare uses this data.
- Why we collect personal data?
Healthshare collects data through the CCTV system for various reasons:
- To control access to the building and to ensure the security of the building, the safety of Healthshare staff and visitors, as well as property and information located or stored on the premises
- To prevent, deter, and if necessary, investigate unauthorised physical access, including unauthorised access to secure premises and protected rooms, IT infrastructure, or operational information
- To prevent, detect and investigate theft of equipment or assets owned by Healthshare, visitors or staff or threats to the safety of personnel working at the office (e.g. fire, physical assault).
The CCTV system is not used for any other purpose, such as to monitor the work of employees or their attendance. It is important to note that the location and positioning of the video-cameras are such that they are not intended to cover the surrounding public space; the cameras are aimed to give a general overview of what's happening in certain places but not to recognize persons.
The system is also not used as an investigative tool or to obtain evidence in internal investigations or disciplinary procedures unless a security incident is involved. (In exceptional circumstances, the data may be transferred to investigatory bodies in the framework of a formal disciplinary or criminal investigation). The CCTV cameras are installed at the entrances, placed and focused in a way that only people who want to access the site or the annexed facilities including parking areas property are filmed.
The CCTV system covers the area of entry and exit points of the building, entry points inside the building, delivery, and outer area of the building.
- What kind of data does Healthshare collect?
Healthshare collects just images caught on camera, and no voice is recorded.
- Who is responsible for the processing of the data?
Healthshare is the legal entity who initiated the processing of personal data and who determines the objective of this processing activity. Moreover, the Head of Information Governance is responsible for this operation.
- Which is the legal basis for this processing operation?
Healthshare uses video-surveillance equipment for security and access control purposes, which is an action necessary for the management and functioning of Healthshare. Therefore, the processing is lawful under Article 5(a) of the Regulation (EC) No 45/2001.
Carrying out video-surveillance is necessary for compliance with a legal obligation of EU law to which Healthshare is subject. Therefore, the processing is lawful under Article 5(b) of the Regulation (EC) No 45/2001.
In addition, at the entrance there is one on-the-spot-notice about the video-surveillance activity, clearly visible so in this case using the specific sign-posted part of the facility may constitute the fact that the processing is lawful under Article 5(d) of the Regulation (EC) No 45/2001 because “the data subject has unambiguously given his or her consent”.
- Who can see my data?
The images can be accessed by the operation, IT and IG staff members of Healthshare and by the contracted security company. Access to the hard-disc recorder is highly limited, being protected by a password and recording any log or action from the staff members. The data cannot be accessed without the authorisation of the Head of Information Governance.
- How to control your data?
- Can I access my data?
- Can I modify my data?
Modifying the CCTV footage is not allowed. However, you can modify the report written by the operation staff in connection with a security incident, if applicable in your case.
- Can I block you from processing my data?
- Can I delete my data?
- Do you share my data with other organisations?
We keep your data inside Healthshare unless you ask us or give us your permission to share it. In case we share your data with third parties, you will be notified to whom your personal data has been disclosed.
- Do I have the right to object?
Healthshare will confirm your requests within 21 days from the receipt of the request.
- What can I do in the event of a problem?
At any time you can lodge a complaint with the Information Commissioner's Office on 0303 123 1113, who will examine your request and adopt the necessary measures.
- When will we start the processing operation?
We will start the processing operation when you are visiting Healthshare's premises.
- Security of personal data
Healthshare is committed to protecting the security of your personal data. Therefore, we use several security technologies and procedures to help us to protect your personal data from unauthorised access, use or disclosure. We keep your data on computer systems with limited access, located only in controlled facilities.
- How long do we keep your data?
Healthshare will keep your personal data for 28 calendar days after your visit to our premises. After that period any CCTV recorded footage is automatically deleted.