Healthshare Diagnostics Ltd (or the GP/specialist referring you) is required to obtain your consent to use your personal data. This consent must be a ‘positive opt-in’ and in all circumstances before we proceed we need your permission to access your data.
We will record your consent to use your personal information in your patient record in our Patient Administration System.
At any time you can inform us that you no longer wish us to use your personal information. Whilst it is not a precondition of receiving your care, Healthshare Diagnostics Ltd clinicians and other staff have a duty to care for you safely. If they cannot ensure your care is safe once information they need has been withdrawn, they may well discharge you from the service and ask you to return to your GP.
This course of action is of course a last resort and Healthshare Diagnostics Ltd will endeavour in all circumstances to continue your care.
This fair processing notice explains why Healthshare Diagnostics Ltd collects information about you and how that information may be used.
The health care professionals who provide you with care maintain records about your health and any investigations, treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.
Health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. These records are a Special Category under the law, and as such our handling and processing of your personal data is even more sensitive. Records which Healthshare Diagnostics Ltd hold about you may include the following information:
To ensure you receive the best possible care, your records are used to inform the care you receive. Information held about you may be used to help protect the health of the public. Information may be used within the service for clinical audit to monitor the quality of the service provided.
Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.
If you want to know more, please see the leaflet ‘How information about you helps us to provide better care’.
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
• General Data Protection Regulation (GDPR) 2018
• Human Rights Act 1998
• Common Law Duty of Confidentiality
• Health and Social Care Act 2012
• NHS Codes of Confidentiality and Information Security
• Information: To Share or Not to Share Review
Every member of staff who works for our organisation has a legal obligation to keep information about you confidential. Individual staff may only view your records with a legitimate reason for a legitimate purpose. This would of course include the clinician(s) directly involved in your care or other staff who might be ordering or receiving diagnostic results linked to your care.
Other administration or management staff may need to access and use your records to contact you regarding appointments or your care. Our Patient Administration System where your records are stored creates a record of who has accessed your record for control and audit purposes.
Accessing, or allowing someone else to access, your record without a legitimate purpose by a Global Clinic member of staff is a serious data breach and is dealt with under our disciplinary procedures.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any 3rd party without your explicit consent unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where ‘The duty to share information can be as important as the duty to protect patient confidentiality.’ This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies.
We are required to verify your identity each time you contact us. You will be asked to provide identity information (for example full name, address, date of birth and NHS number) so your records can be located.
If you wish a spouse, relative or carer to communicate with us on your behalf we will need to obtain your explicit consent before doing so.
Where we use your personal data
Your personal data is stored securely within the United Kingdom in databases accessed with multiple levels of security. This ensures that only authorised staff access your record.
The databases are held on IT systems using highly regulated and mandated NHS equipment, software and security.
Data is transmitted using the NHS mandated network that is appropriately encrypted to NHS Standards.
Our Patient Administration Systems are accessible within the European Union. We may send your data outside the United Kingdom to the European Union to Clinicians as part of the patient pathway.
You have a right to have inaccurate personal data rectified or completed if it is incomplete. Clinical notes and clinical opinions will not generally be altered but may of course be supplemented by additional personal data.
We may also have to share your information, subject to strict agreements and your consent on how it will be used, with the following organisations:
You will be informed who your data will be shared with and you will be asked for explicit consent for this when this is required. In all circumstances we will transmit your personal data securely. In almost all instances the transfer of your data will be electronic, either through the encrypted NHS network, using NHS.net secure encrypted email, or through an NHS encrypted portal (e.g. enabling an x-ray result to be shared between NHS organisations).
In order to communicate with you, we are likely to do this by telephone, SMS, email, and/or post. If we contact you using the telephone number(s) which you have provided (landline and/or mobile), and you are not available which results in the call being directed to a voicemail and/or answering service, we may leave a voice message on your voicemail and/or answering service as appropriate.
Any message left will be discreet and will not contain confidential information. In almost all circumstances the message will simply ask you to contact us.
In your initial patient registration with us we will seek your consent to contact you and via which route. If your preference for how we communicate with you changes, please contact us so that we may amend your preferences.
You have a right under the General Data Protection Regulation (GDPR) 2018 to request access to obtain copies of what information the service holds about you and to have it amended should it be inaccurate. Your data is provided without cost to you. In order to request this, you need to do the following:
Your request can be made to the service in person in the clinic, on the telephone or in writing (letter or e-mail). We are required to respond to you within 30 days.
Unlike many other types of personal information, under GDPR there is no ‘Right to Erasure’ of records. Indeed the Health Act requires us to retain your records for a minimum of 7 years after we have finished your care (discharge).
Healthshare Diagnostics Ltd may from time to time contact patients to promote other services offered by the Healthshare Group.
Should you have any concerns about how your information is managed, please contact the Service Manager or our Data Protection Officer. If you are still unhappy following interaction with Healthshare Diagnostics Ltd, you can then complain to the Information Commissioner's Office (ICO) via their website (www.ico.gov.uk).
You are able to contact our Data Protection Officer by e-mail or by calling 01732 525935.
It is important that you tell the person treating you if any of your details such as your name or address have changed or if any of your details such as date of birth is incorrect in order for this to be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.
The General Data Protection Regulation 2018 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information. Healthshare Group is registered with the Information
This information is publicly available on the Information Commissioner's Office website www.ico.org.uk.
If you are happy for your data to be extracted and used for the purposes described in this fair processing notice then you do not need to do anything.
If you do not want your personal data to be extracted and to leave the service for any of the purposes described, you need to let us know as soon as possible.
We will then ensure your records are prevented from leaving the service and / or leaving the central information system at the Health and Social Care Information Centre (HSCIC) for use by secondary providers.
This Privacy Notice explains the kind of personal data Healthshare collects from you when visiting any of our sites with CCTV in operation and how Healthshare uses this data.
1. Why do we collect personal data?
Healthshare collects data through the CCTV system for various reasons:
The CCTV system is not used for any other purpose, such as to monitor the work of employees or their attendance. It is important to note that the location and positioning of the video-cameras are such that they are not intended to cover the surrounding public space; the cameras are aimed to give a general overview of what's happening in certain places but not to recognize persons.
The system is also not used as an investigative tool or to obtain evidence in internal investigations or disciplinary procedures unless a security incident is involved. (In exceptional circumstances, the data may be transferred to investigatory bodies in the framework of a formal disciplinary or criminal investigation). The CCTV cameras are installed at the entrances, placed and focused in a way that only people who want to access the site or the annexed facilities including parking areas property are filmed.
The CCTV system covers the area of entry and exit points of the building, entry points inside the building, delivery, and outer area of the building.
2. What kind of data does Healthshare collect?
Healthshare collects just images caught on camera, and no voice is recorded.
3. Who is responsible for the processing of the data?
Healthshare is the legal entity who initiated the processing of personal data and who determines the objective of this processing activity. Moreover, the Head of Information Governance is responsible for this operation.
4. What is the legal basis for this processing operation?
Healthshare uses video-surveillance equipment for security and access control purposes, which is an action necessary for the management and functioning of Healthshare. Therefore, the processing is lawful under Article 5(a) of the Regulation (EC) No 45/2001.
Carrying out video-surveillance is necessary for compliance with a legal obligation of EU law to which Healthshare is subject. Therefore, the processing is lawful under Article 5(b) of the Regulation (EC) No 45/2001.
In addition, at the entrance there is one on-the-spot-notice about the video-surveillance activity, clearly visible so in this case using the specific sign-posted part of the facility may constitute the fact that the processing is lawful under Article 5(d) of the Regulation (EC) No 45/2001 because “the data subject has unambiguously given his or her consent”.
5. Who can see my data?
The images can be accessed by the operation, IT and IG staff members of Healthshare and by the contracted security company. Access to the hard-disc recorder is highly limited, being protected by a password and recording any log or action from the staff members. The data cannot be accessed without the authorisation of the Head of Information Governance.
6. How to control your data?
You can send an email request to IG@healthshare.org.uk
7. Can I access my data?
You have the right to access your data at any time and free of charge, by sending an email request to IG@healthshare.org.uk.
8. Can I modify my data?
Modifying the CCTV footage is not allowed. However, you can modify the report written by the operation staff in connection with a security incident, if applicable in your case.
9. Can I block you from processing my data?
You have the right to block the processing of your personal data at any time by sending an email request to IG@healthshare.org.uk when you contest the accuracy of your personal data or when Healthshare no longer needs the data for completing its tasks. You can also block the processing activity when the operation is unlawful and you oppose the erasure of the data. However, blocking is not possible in case of an official investigation.
10. Can I delete my data?
You have the right to delete your data at any time by sending an email request to IG@healthshare.org.uk when the processing activity is unlawful.
11. Do you share my data with other organisations?
We keep your data inside Healthshare unless you ask us or give us your permission to share it. In case we share your data with third parties, you will be notified to whom your personal data has been disclosed.
12. Do I have the right to object?
Yes, you have the right to object at any time by sending an email request to IG@healthshare.org.uk when you have legitimate reasons relating to your particular situation. Moreover, you will be informed before your information is disclosed for the first time to third parties, or before it is used on their behalf, for direct marketing purposes.
Healthshare will confirm your requests within 21 days from the receipt of the request.
13. What can I do in the event of a problem?
The first step is to notify Healthshare by sending an email to IG@healthshare.org.uk and ask us to take action.
The second step, if you obtain no reply from us or if you are not satisfied with it, is to contact our data protection officer (DPO) at email@example.com.
At any time you can lodge a complaint with the Information Commissioner's Office on 0303 123 1113, who will examine your request and adopt the necessary measures.
14. When will we start the processing operation?
We will start the processing operation when you are visiting Healthshare's premises.
15. Security of personal data
Healthshare is committed to protecting the security of your personal data. Therefore, we use several security technologies and procedures to help us to protect your personal data from unauthorised access, use or disclosure. We keep your data on computer systems with limited access, located only in controlled facilities.
16. How long do we keep your data?
Healthshare will keep your personal data for 28 calendar days after your visit to our premises. After that period any CCTV recorded footage is automatically deleted.