Privacy Policy

Introduction

Your information, what you need to know

This privacy notice explains why we collect information about you, how that information will be used, how we keep it safe and confidential and what your rights are in relation to this.

Why we collect information about you

Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received.  These records help to provide you with the best possible healthcare and help us to protect your safety.

We collect and hold data for the purpose of providing healthcare services to our patients and running our organisation which includes monitoring the quality of care that we provide. In carrying out this role we will collect information about you which helps us respond to your queries or secure specialist services. We will keep your information in written form and/or in digital form.

Our Commitment to Data Privacy and Confidentiality Issues

As a private medical Partnership, all of our GPs, staff and associated practitioners are committed to protecting your privacy and will only process data in accordance with the Data Protection Legislation.  This includes the General Data Protection Regulation (EU) 2016/679 (GDPR) now known as the UK GDPR, the Data Protection Act (DPA) 2018, the Law Enforcement Directive (Directive (EU) 2016/680) (LED) and any applicable national Laws implementing them as amended from time to time.  The legislation requires us to process personal data only if there is a legitimate basis for doing so and that any processing must be fair and lawful.

In addition, consideration will also be given to all applicable Law concerning privacy, confidentiality, the processing and sharing of personal data including the Human Rights Act 1998, the Health and Social Care Act 2012 as amended by the Health and Social Care (Safety and Quality) Act 2015, the common law duty of confidentiality and the Privacy and Electronic Communications (EC Directive) Regulations. 

Data we collect about you

Records which this company will hold or share about you will include the following:

  • Personal Data – means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 
  • Special Categories of Personal Data – this term describes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.  
  • Confidential Patient Information – this term describes information or data relating to their health and other matters disclosed to another (e.g. patient to clinician) in circumstances where it is reasonable to expect that the information will be held in confidence. This includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’, as described in the Confidentiality: NHS Code of Practice: Department of Health guidance on confidentiality 2003.
  • Pseudonymised – The process of distinguishing individuals in a dataset by using a unique identifier which does not reveal their ‘real world’ identity.
  • Anonymised – Data in a form that does not identify individuals and where identification through its combination with other data is not likely to take place.
  • Aggregated – Statistical data about several individuals that has been combined to show general trends or values without identifying individuals within the data.

How we use your information 

The main lawful bases that we rely on to collect, store, use and share your personal and health information for direct care, the administration of direct care services (prevention, investigation and treatment) and the planning of healthcare services under Data Protection Legislation are as follows:

  • Commissioned NHS work, e.g. Children in Care and Carer medicals
    • ‘…The performance of a task carried out in the public interest or in the exercise of official authority…’ Article 6(1)(e). Where NHS England commission health services via Integrated Care Boards (ICB) under the Health and Social Care Act or NHS providers directly contract with us. This includes the services or treatments provided and any associated billing, audit or necessary reporting.
    • Improvements in information technology are also making it possible for us to share data with other healthcare organisations for the purpose of providing you, your family and your community with better care.  Where your record is accessed without your permission it is necessary for them to have a legitimate basis in law. This is explained further in the Local Information Sharing at Appendix A. Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service.  Collecting this information helps to ensure you get the best possible care and treatment. The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
  • Improving the quality and standards of care provided by the service
  • Research into the development of new treatments and care pathways
  • Preventing illness and diseases
  • Monitoring safety
  • Planning services
  • Risk stratification
  • Population Health Management 
  • For Private work
    • Contract: To deliver contractual services to an individual Article 6 (1) (b). This is necessary to enable us to carry out our obligations to you arising from any contract that is in the process of, or has been entered into, between us and you. This includes any services or treatments provided by us to you and the associated billing, accounting, audit and payment verification and any necessary reporting.
  • For Personal data concerning health and other special categories of personal data. Article 9(2) (h) ‘…for the medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
  • Vital Interests: Article 6 (1) (d). There may be occasions where we rely on the lawful basis of Vital Interests in the event that we need to process personal data to protect an individual’s life.
  • Legal Obligation: Article 6 (1) (c). Sometimes we are required by law to collect and/or share your information. Examples of this may include: to safeguard children or vulnerable adults, where it is in the wider public interest (including public health), detection or prevention of a serious crime, to defend a legal claim, reporting to DVLA, or where required by court order.
  • Legitimate interests: Article 6 (1) (f). Where processing is necessary for the purposes of our legitimate interests or those of a third party and your interests and fundamental rights do not override those interests.
  • Consent: Article 6 (1) (a). Consent under data protection legislation will not be the basis for providing you with healthcare services. However, your consent will be sought in certain instances, where we do not rely on another lawful basis to process your information. For example, if you wish to sign up to receive marketing information from us, or to release your information to a third party (who we do not have a lawful basis to share your information with). Where consent is given as the lawful basis for processing your information, your consent can be withdrawn at any time.

If you fail to provide personal information

Failure to provide us with your personal information (including your health related information) may, dependent on what is withheld, result in our inability to fulfil our contractual and other legal obligations or may compromise the care that we are able to provide.

Who we may receive your information from and share your information with and why when caring for you.

Safe and effective care is dependent upon relevant information being shared between all those involved in the direct and ongoing care of a patient. All health and adult social care providers are subject to the statutory duty under section 251B of the Health and Social Care Act 2012 to share information about a patient for the purpose of their direct care. This duty is subject to the Common Law Duty of Confidentiality, the UK General Data Protection Regulation (UK GDPR) and Data Protection Act (DPA) 2018. Your personal information will only be shared in accordance with your rights under these laws.

You have the right to raise an objection to your health information being shared with other health care providers for your direct care, but in some circumstances this may delay or affect the care you receive. If you wish to object, it is important that you raise and discuss this directly with your main health care professional (i.e. consultant), to ensure you receive advice on the possible outcomes of this decision. Please note that this is not an absolute right. Health care professionals may, in some circumstances, override this decision based on legal requirements or professional duty.

We may share your information with individuals or organisations involved in your direct care where there is a legitimate reason to do so, i.e. they require relevant information to assist them in the effective provision of your direct healthcare needs. The types of individuals and organisations we may share your information with for your direct care include, but are not limited to:

  • Doctor with practising privileges: A doctor may make decisions about what information is collected and held on our shared records about you and may maintain their own set of medical records in relation to the treatment that they provide. They are a Data Controller in respect of your personal information which they hold within their records, meaning that they must comply with the data protection legislation when handling your personal information. Your doctor may also contract with their own service providers, i.e. external medical secretaries, or external parties that provide billing services. They will remain responsible for your personal information obtained in respect of those services.
  • People and Organisations involved in your care: Health and social care professionals, including support personnel (including but not limited to: consultants, medical secretaries, receptionists, nurses, allied health professionals, porters, volunteers and other members of the direct care support team). Personal and payment information will be shared with the relevant finance department for the purposes of appropriate billing of services provided.
  • Diagnostic and medical devices suppliers: Diagnostic testing organisations are provided with relevant information to provide diagnostic tests or allow contact with you to book a test/procedure. Medical device suppliers are provided with your information to support in the development and or supply of medical devices for you.
  • Pharmacies: Pharmacists are provided with relevant information to fulfil a prescription or to allow contact with you and to provide relevant prescriptions and supporting advice.
  • Referrals such as hospital appointments/specialists/dentists/GPs for ongoing care/continuing health care services/community services (including mental health and social services) and ICB approvals for certain NHS health services: When referrals are made for patients to an NHS or private health or social care provider, a record of the patient’s health history is typically included to assist the receiving healthcare professional in making a holistic assessment and/or decision. This is important, because removal of areas of the history that could be considered relevant may affect the outcome of referrals and treatment. Following the referral, discharge summaries are typically provided back to the referring health care professional to support your ongoing care needs. If there are areas of your healthcare history that you do not want to be shared, please raise this directly with your healthcare professional who holds that data.
  • Electronic patient record sharing: Regional health and social care initiatives that promote the safe, transparent sharing of your healthcare records for the purpose of your direct care needs. To ensure partner organisations comply with the law and to protect the use of your information, robust data sharing agreements and arrangements are in place to ensure your data is always protected and used for the intended purpose of your direct care needs.
  • NHS Digital’s National Care Records Service (NCRS): We use NHS Digital’s National Care Records Service (NCRS) to support safe and effective care. The service provides a quick and secure way for clinicians involved in your care to access important summarised information, such as your current medications and allergies. If access is required, a Ramsay member of staff who is working as a registered healthcare professional (nurse or pharmacist) will ask for your permission (over the telephone or face to face) to access this information. They will discuss any concerns and, if you object, will respect your decision. Robust access controls are in place to monitor legitimate access for direct care purposes.
  • Patient Reported Outcome Measures (PROMs) - an NHS England led programme to measure health gain in patients in certain circumstances based on responses to questionnaires. Responses are voluntary and used for your direct care pathway, as well as shared under strict agreements with Private Healthcare Independent Network and NHS England for analysis for improving patient outcomes. Further information can be found in the PROMs leaflet provided by your consultant or on the following link https://digital.nhs.uk/data-and-information/data-tools-and-services/data-services/patient-reported-outcome-measures-proms
  • Video and telephone consultations are an alternative to face to face appointments. There may be instances where we offer you an appointment via telephone or video consultation. By accepting the invitation and entering the consultation you are agreeing to this. Your personal/confidential patient information shared on the consultation will be safeguarded in the same way as it would with any other consultation and relevant information added to your patient record.
  • Video or audio consultations/appointments are not typically recorded, but if they are, your permission will be sought as to the purpose and use of the recording i.e.: for direct care purposes: diagnosis, treatment or care. If, as part of the consultation, still images or photographs are taken/obtained and are to be kept, they will be securely stored as part of your patient record. Saved recording or images will be stored as part of your patient record in line with our policies. If the recording/images are to be used for any other reason than what the original permission was obtained for, then further permission from you would be required prior to that use. If recordings or still images obtained are no longer needed (i.e.: are adequately described in the clinical notes) then the recording/images will be confidentially and securely destroyed as per our policies.
  • Third party data processors: We use “Data Processors” who are third parties, to provide technical, administrative and support services to assist us with the delivery of health care services to you. We have robust contracts and agreements in place and will only disclose personal information that is necessary to provide the service that they are undertaking on our behalf. They cannot do anything with your personal information unless we have instructed them to. They will not share your personal information with any organisation apart from us, unless they have an overriding legal obligation to do so. They will hold it securely and retain it for the period we instruct. This includes services such as: clinical systems, system support services, document storage and destruction services, telephony system suppliers, digital scanning and dictations services.
  • Depending on how you are funded:
    • For NHS patients: We provide information to the NHS funding organisation about your treatment and associated clinical requirements. We only provide relevant information to which they are entitled. Contracts and agreements are in place for this purpose.
    • For private patients: We only provide relevant information to which they are entitled to support payment for the treatment and services.

Where your information may be used and shared which is not directly related to your care

Whenever you use a health or care service, such as for hospital appointments and admissions, GP appointments, Accident & Emergency, or using community care services, important information about you is collected to help ensure you get the best possible care and treatment. This information may also be used by us and other approved organisations for non-direct care purposes where there is a lawful basis to help with: planning services, improving care, research into developing new treatments and preventing illness. All of this helps in providing better care to you and your family and future generations. Anonymised information (where you cannot be identified) will be used for non-direct care purposes whenever possible. Confidential information about your health and care is only used in this way where the law allows and is shared in alignment with the National Data Opt-Out Policy.

We are legally obliged to share information in some circumstances. For example, to comply with a statutory obligation, a court order or where a regulatory body has requested access to certain information under their statutory powers, as part of their duties to investigate complaints, accidents or health professionals’ fitness to practise.

In any event, we will ensure that we have a lawful basis on which to share the information.

We may use your information beyond your direct care, where we have a lawful basis and in accordance with data protection legislation. Wherever possible, data is anonymised or pseudonymised so you cannot be identified directly from the data. We may use data for the following types of non-direct care purposes:

  • Audit our accounts and services;
  • Investigate complaints, legal claims or untoward incidents;
  • Make sure our services meet the needs of our patients in the future;
  • Prepare statistics on our performance;
  • Review the care we provide to ensure it is of the highest standard;
  • Teach and train healthcare professionals;
  • Conduct health research and development;
  • Review cost of services where applicable.


We may share your information with organisations beyond your direct care where there is a legal and legitimate reason to do so:

  • National Data Opt-Out: The national data opt-out is a service which enables patients receiving NHS funded care to opt out from the use of their data beyond their individual care or treatment (for example research or planning purposes), unless there are overriding legal exemptions that apply. All healthcare providers are required to be compliant with the national data opt-out programme by 31 March 2022. We will comply with this requirement by applying opt-outs to data requests that are in scope of the National Data Opt-out. This means that if there is a data request that is in scope of the National Data Opt-out and you have provided your NHS number to us and registered your choice with the National Data Opt-out programme, your data would not be shared by us. To find out more or to register your choice to opt out, please visit here or call 0300 303 5678. Your individual care will not be affected if you have applied the National Data Opt-out.
  • Professional Regulatory Body Investigations have the legal powers to request information that would assist them in their regulatory functions in relation to fitness to practise investigations of regulated medical, nursing, pharmaceutical, allied health and social care professionals. Only relevant information is provided and where possible, you will be notified or data anonymised.
  • Care Quality Commission Access to Health Records: CQC has powers under the Health and Social Care Act 2008 to access and use your health information where it is necessary to carry out their functions as a regulator. This means that inspectors may ask to look at certain records to decide whether we are providing safe, good quality care.
  • Medicines and Healthcare Products Regulatory Agency (“MHRA”): Parameters for sharing information that are justified are in place. The MHRA cannot disclose information if it would breach data protection legislation and can only be disclosed where it is considered necessary and proportionate.
  • NHS Digital, NHS England, Public Health England and the Department of Health and Social Care: Certain directives are in place from the Secretary of State for Health and Social Care to provide confidential information. This is mandated under specific directions. Typically, the data provided is pseudonymised, meaning it cannot directly identify you, as personal identifiers are replaced with a key-code. As this data could be re-identified by those authorised to do so, this data is still considered identifiable and as such, robust safeguards to protect data are put in place.
  • National and other professional research/audit programmes and registries: Health and social care research, audits and registries may be conducted and managed by organisations commissioned by the NHS, other health and social care organisations, universities, or commercial research and audit partners for such purposes as developing new treatments and improving healthcare outcomes. We always ensure that data protection and confidentiality laws are followed to protect your data; this includes compliance with the National Data Opt-Out Policy where applicable.
  • The courts, DVLA, police, other third party law enforcement agencies. Examples include The Ministry of Defence, The Home Office: Where legally required by court order or as written in law, or where reasonably necessary for the prevention or detection of crime. We always confirm the lawful basis, proportionality of the data requested and comply with our data protection obligations.
  • Third party organisations who provide elements of services to us for the planning, management and auditing of healthcare services and to support us in defending a legal claim. Wherever possible and depending on purpose, de-identified or anonymised data will be shared. We have contracts and agreements in place for these services. Where suppliers are engaged as our processors, they will only process data as instructed by us. We only share data that is proportionate and relevant to the service and where there is a lawful basis for the processing. They will not share your personal information with any organisation apart from us unless there is an overriding legal obligation to do so.
  • Private Medical Insurers funding audits. Where you have received private medical insurance funding for a service provided by us, the insurer may conduct audits for the purpose of reviewing specific services and billing provisions as outlined in contracts and agreements. Data is anonymised or pseudonymised wherever possible.
  • Third party representative (family, friend, solicitor or Power of Attorney (PoA)) to whom you have given your consent, or who has PoA granted, to view or receive your record, or part of your record under your Right of Access. Please note, if you give another person consent to access your record we may need to contact you to verify/clarify your request and consent before we release the record. It is important to us that you are clear and understand how much information and what aspects of your record will be released to another individual on your behalf.
  • Third party organisations who you have given your consent to view or receive your record, or part of your record. We may also need to clarify with you and the requesting organisation, the purpose of the data sharing request, to ensure we meet our data protection obligations and to justify the disclosure.

Safeguarding of children or vulnerable adults

If we have significant concerns or hear about an individual child or vulnerable adult being at risk of harm, we may share relevant information with other organisations, such as local authorities and the Police, involved in ensuring their safety.

Statutory disclosures

Sometimes we are duty bound by laws to disclose information to organisations such as the Care Quality Commission, the Driver and Vehicle Licensing Agency, the General Medical Council, Her Majesty’s Revenue and Customs and Counter Fraud services.  In these circumstances we will always try to inform you before we are required to disclose and we only disclose the minimum information that the law requires us to.

This may only take place when there is a clear legal basis to use this information.  All these uses help to provide better health and care for you, your family and future generations.  Confidential patient information about your health and care is only used like this where allowed by law or with consent. 

Pseudonymised or anonymised data is generally used for research and planning so that you cannot be identified.

How long do we hold information for?

In line with our internal record management policies, we will retain/store your health record for as long as necessary to provide the services set out in this Privacy Notice. We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. 

Records storage length will depend on the category of work:

  • Looked After Children work (Initial Health Assessments, Adult Health medicals and Adoption reports) will be kept for the length of time as agreed in the particular NHS contract. This would usually be for 1 year after the medical. After which all records will be deleted / destroyed.
  • Private medical records will be stored on a secure, approved electronic cloud based medical records system. Records that have completed the specified retention period will be reviewed and, if retention is no longer needed, will be securely destroyed in line with our policies.

Baker Baker Health uses Cloud based storage for all of its records and only uses paper when unavoidable. The email system has been approved by NHS Digital. Personal confidential and commercially confidential information on paper will be disposed of by approved and secure confidential waste procedures. We keep a record of retention schedules within our information asset registers, in line with the Records Management Code of Practice for 2021.

Individuals Rights under UK GDPR 

Under UK GDPR 2016 the Law provides the following rights for individuals.  The NHS upholds these rights in a number of ways:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure (not an absolute right) only applies in certain circumstances
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

Right of Access to your information (Subject Access Request)

Under Data Protection Legislation everybody has the right of access to, or to request a copy of, information we hold that can identify them; this includes medical records. There are some safeguards regarding what patients will have access to and they may find information has been redacted or removed for the following reasons:

  • It may be deemed to risk causing harm to the patient or others
  • The information within the record may relate to third parties who are entitled to their confidentiality, or who have not given their permission for the information to be shared.

Patients do not need to give a reason to see their data, and requests can be made verbally or in writing, although we may ask them to complete a form in order that we can ensure that they have the correct information required.

Where multiple copies of the same information are requested, the company may charge a reasonable fee for the additional copies.

Patients will need to provide proof of identity to receive this information. We will not share information relating to you with other individuals without your explicit instruction or without sight of a legal document.

You can make a request via email (hello@bakerbakerhealth.com), verbally or in writing but we will need to verify who you are and may need to clarify the request with you to ensure we have understood correctly.

How we communicate with you

In order to provide you with accurate and timely information about your appointments, relevant information relating to your episodes of care, or other enquiries, we will need to contact you. Where telephone contact is made, we use call display to assist you in identifying and returning calls to us.

While we will use our best efforts to contact you using any expressed preferred method of contact, this may not always be possible and will be determined by the reason for our contact.

Reasons for contact include, but are not limited to:

  • ensure that we provide you with updates and/or reminders regarding your appointment;
  • confirm admission times and or fasting times if relevant;
  • provide you with your medical information (including test results and other clinical updates) and/or invoicing information;
  • to check on some patients post-discharge, depending on the complexity of their procedure, where there may be a need to do so;
  • follow up on any correspondence you have sent, to pass on compliments to staff;
  • communicate with you about any concerns you have raised;
  • respond to email enquiries;
  • respond to telephone enquiries;
  • respond to website enquiries;
  • provide marketing materials where you have indicated you wish to receive them.
     

Text Messaging


If you provide us with your mobile phone number, we may use this to send you text reminders about your appointments or other health related information. You are able to opt out of this service or update your number by informing us at hello@bakerbakerhealth.com 

Emails

Where you have provided us with your email address, we may use this to send you information relating to your health and the services we provide.  If you do not wish to receive communications by email, please let us know at hello@bakerbakerhealth.com.  Please note that we will use encrypted emails which means that no one can see or tamper with the data while it is being transferred across the network or internet to you. Your own emails to us may not be encrypted, so you will need to consider this for any information you are emailing to us. 

Change of Details

It is important that you tell the company if any of your contact details such as your name or address have changed, or if any of your other contact details are incorrect including third party emergency contact details.  It is important that we are made aware of any changes immediately in order that no information is shared in error.

Notification

Data Protection Legislation requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.

We are registered as a Data Controller and our registration can be viewed online in the public register at:  http://ico.org.uk/what_we_cover/register_of_data_controllers

Any changes to this notice will be published on our website. 

Data Protection Officer

Should you have any data protection questions or concerns, please contact our Data Protection Officer, Dr Hewer, via hello@bakerbakerhealth.com.

What is the right to know?

The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector.  You can request any non-personal information that the company holds, that does not fall under an exemption.  You may not ask for information that is covered by the Data Protection Legislation under FOIA.  However, you can request this under a right of access request – see section above ‘Access to your information’.  

Right to Complain

If you have concerns or are unhappy about any of our services, please contact the company's Data Protection Officer, Dr Hewer, via hello@bakerbakerhealth.com, or use the ICO details listed below.

For independent advice about data protection, privacy and data-sharing issues, you can contact: 

The Information Commissioner 

Wycliffe House, Water Lane, Wilmslow, Cheshire 

SK9 5AF 

Phone: 0303 123 1113     Website: https://ico.org.uk/global/contact-us

Right to withdraw consent

Generally, we will only ask for your consent for processing your information under a UK GDPR and DPA 2018 lawful basis, when no other legal grounds apply. For example, for direct marketing communications or to release your information where there is not an alternative lawful basis to do so. In these circumstances, we aim to be clear and transparent about why we need your consent. Where we rely on your consent to process your personal information, you have the right to withdraw your consent by contacting us and we will stop the processing for which the consent was obtained.

The NHS Constitution 

The NHS Constitution establishes the principles and values of the NHS in England. It sets out the rights patients, the public and staff are entitled to.  These rights cover how patients access health services, the quality of care you’ll receive, the treatments and programs available to you, confidentiality, information and your right to complain if things go wrong. These are applicable to work done under NHS contracts, e.g. Looked After Children work.

The NHS Constitution for England - GOV.UK (www.gov.uk)

Changes to this Privacy Notice

We reserve the right to update this privacy notice at any time and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.


Baker Baker Health 

CQC Registration applied for.  ICO number ZB811367
