Under the terms of the new GDPR, a privacy notice is required to explain to patients what personal data is held about them and how it is collected and processed.
How we obtain your personal data
Information provided by you
You provide us with personal data upon booking an appointment by either telephone or online.
Information collected from other sources
By registering with the clinic, you consent to your medical history from your previous practice(s) being sent to the clinic at your request. The provision of this information is optional; however, it is essential in some circumstances in order for us to offer the best medical treatment and care.
What information do we collect?
- your name;
- date of birth;
- your contact details (including your telephone contact details, postal address, email address);
- your GP details;
- financial information, such as credit card details used to pay us;
- emergency contact details;
- family details, lifestyle and social circumstances, where relevant to your care;
- your emergency contact; and
- sensitive information relating to your health including symptoms, diagnosis, medications, images, treatment, sex life, sexual orientation, religion, race, ethnicity and genetic information.
How we use your personal data
To provide healthcare services
We are required to keep records about you, your health and your treatment to provide you with safe, effective and efficient healthcare services.
The admin team use your information to make appointments for you, to obtain test results and to electronically store the data. The admin team will only access your medical history and information if they are required to in order to carry out their specific job role and task.
If you have provided your email address, we may communicate with you in this way or send referrals by email to medical professionals who are involved in your medical treatment, who may then communicate with you by email.
At all times the staff will protect your personal data in a way which is outlined in the confidentiality agreement stated by the practice, and the requirements stated in the General Data Protection Regulation.
Payment and accounting
This is necessary to enable us to provide you with healthcare and treatment and to fulfil our contract with you for the provision of such care. We use your personal information to ensure our accounting and invoicing activities are accurate and up-to-date. We have an appropriate business need to use your information which does not overly prejudice you. This supports the provision of your healthcare and is necessary for us to establish, exercise or defend our legal rights.
We are accountable for ensuring safe clinical and operational practices are implemented and maintained. We undertake regular audits of compliance to ensure the delivery of standards of treatment, for quality assurance, to ensure services can meet patient needs in the future and to assess adherence to policy and procedure.
Transferring your records in connection with any sale, transfer, or disposal of our business
If we were to sell or transfer a centre or part of our business to another organisation, your patient records would also transfer to the new owner. Limited information may also be shared, where required, with legal and other professional advisors involved in that transaction. Your records would be transferred to minimise the disruption to current and past patients caused by the sale or transfer and to ensure that we and a new owner were able to comply with our legal obligations regarding the retention of patients’ and other clients’ medical records and to ensure continuity of care.
Management of business operations
We have an appropriate business need to use your information which does not overly prejudice you and the use is necessary for us to comply with our legal obligations. In the event that we use special categories information about you for this purpose, it would be because the use is necessary for the provision of healthcare or treatment or the management of healthcare services and systems or the use is necessary to establish, exercise or defend legal claims.
We will keep information about you confidential and will only disclose any information to third parties if it is in your interests to do so and when we are sure that the party with whom we are sharing information is a medical practitioner with whom you have already shared personal information or have agreed to share your medical records with. For example, we might give your mobile phone number to a hospital which wishes to contact you about an appointment which has been made for you.
With your written or verbal consent, we will share information about you with a carer or next of kin.
Information is only shared with solicitors when we are sure you have given your express consent.
Where the cost of your treatment and care is covered by insurance, we share your information with your insurer or the administrator of the applicable scheme of insurance. Both Berkshire Health Limited and your insurer are controllers of this personal information. This means that each of us individually may determine the means and the purpose of any processing of the information we hold.
Generally, we share information in order to allow each other to exercise its rights or comply with its obligations under the healthcare services arrangement we have in place, and in the case of the insurer, to manage claims and administer the schemes for insured members.
Specifically, your information may be used in the following shared activities:
- The provision of clinical quality information
- The pre-authorisation of treatment on your behalf
- Invoicing for services provided
- The notification of any serious incidents
- Assisting and cooperating in the investigation of any member complaints
- Allowing your insurer to inspect and audit our facilities
You may exercise your rights against either Berkshire Health Limited or your insurer where we are both controllers of the same information for the same processing purpose. Where we independently hold further information, or process information for purposes in addition to the shared purposes stated above, you should direct any communication concerning your rights to the applicable holder/processor.
Information will be shared with legal agencies and the police on production of a court order or if by not doing so the practice would be breaking the law.
Lawful Basis for Processing
Our legal justification for processing your Personal Data will fall into the categories below:
- Necessary for you to receive healthcare services
- Necessary to fulfil our contract with you for the provision of care and treatment
- Necessary to comply with the law – This applies where we have a legal or regulatory obligation to use your personal data
- Necessary for our legitimate interests – This means where our business interests justify us using your information and that business need does not impact unjustly on your rights
- You have provided your consent to our use of your personal data
Our legal justification for processing your Special Category Personal Data will fall into one of the categories below:
- Necessary for the purposes of preventive medicine, for medical diagnosis and the provision of health or social care or treatment
- You have given your explicit consent for one or more specified purposes
- Necessary to protect your vital interests or the vital interests of another person
- Necessary for reasons of public interest in the area of public health
- Necessary for archiving purposes in the public interest, scientific research or statistical purposes
- Necessary to establish, exercise or defend legal claims
How long do we keep this information about you?
We will keep your paper and electronic records for as long as you are a patient at the practice. The practice will then hold onto your records electronically for a minimum of 7 years. For patients who come to the practice under the age of 18, we will keep their records for a minimum of 7 years from their 18th birthday.
Right of access
The General Data Protection Regulation (GDPR) grants you the right to access particular personal data which we hold about you. This is referred to as a subject access request. We will respond promptly and at the latest within one calendar month from the date of receiving the request and all necessary information in writing from you. There is an administration charge for this.
Questions and queries
If you have a complaint regarding the use of your personal information, please write to the Practice Manager, Abby Morgan at 23 Craven Road, Reading, RG1 5LE or email her on firstname.lastname@example.org