Data Protection Privacy Policy
Women’s Ultrasound Centre understands that patients’ privacy is important to them and that patients care about how their personal data is used. The following Data Protection policy applies to Women’s Ultrasound Centre. It is designed to ensure that Women’s Ultrasound Centre (WUC) complies with its obligations under the General Data Protection Regulation (GDPR) and that it conforms to the following eight data protection principles.
- Personal data shall be processed fairly and lawfully and in particular shall not be processed unless (a) at least one of the conditions in Schedule 2 is met and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
- Personal data shall be obtained for only one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures a level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
This policy will be reviewed and updated where necessary. We reserve the right to amend this Data Privacy Policy without prior notice.
This privacy notice explains:
- A) What personal data we collect about patients;
- B) Why we collect that data;
- C) Who we might share that data with;
- D) Why we might contact patients and how they can change that;
- E) How long we retain their personal data;
- F) How we keep their personal data secure;
- G) What rights patients have in relation to their personal data
Personal data collected by WUC
The team at WUC caring for patients keep records about their health and any treatment and care they receive from us. These records help to ensure patients receive the best possible care.
These may be held on computer or on paper as ‘physical notes’.
These records will include all or some of the following:
- Names, addresses, details of next of kin, date of birth, email addresses and phone numbers.
- Contact we have had with patients such as appointments, queries, test results.
- Notes and reports about patients’ health, treatment and care.
- Results of x-rays, scans and laboratory tests.
- Referrals received and sent concerning patients.
- Relevant information we have received from health professionals and relatives.
It is essential that the details we hold are correct and up to date and that we are informed of any changes as soon as possible.
Reasons for collecting patients’ personal data
Patients’ records are used to manage, direct and deliver the care they receive to ensure that the health care professionals involved in their care have accurate and up to date information. This enables them to assess and improve the quality and type of care the patient receives.
WUC also uses this data to communicate with patients, to arrange consultations, follow up appointments and in the event of referring on to other health care professionals or diagnostic tests with the patients’ permission. WUC also uses this data to contact patients with test results where necessary. These are always sent by encrypted email.
Reasons and instances for sharing patients’ data
There is a legal duty for everyone working in healthcare to keep patients’ information confidential. Similarly, anyone who receives information from us (referring doctors etc.) has a legal duty to keep it confidential. We will not disclose patient information to any third party without their permission unless there are exceptional circumstances, such as if the health and safety of the patient or others is at risk or if the law requires us to pass on information. In certain limited circumstances we may be legally required to share certain personal data if we are involved in legal proceedings or complying with legal obligations, a court order or the instructions of a government authority.
We do not carry out marketing or profiling.
Disclosure decision – Patients have the right to restrict how and with whom WUC shares the personal information in their file that identifies them. This needs to be noted explicitly in the patients’ notes to ensure all staff and medical practitioners are aware of this decision. By choosing this option the patient must be made aware that it may make the provision of care more difficult or unavailable.
Ways in which WUC contacts patients
When booking an appointment or making an enquiry, patients will be asked for their name, address, date of birth and contact details including email and telephone numbers. These will be used to contact patients about appointments, reminders and test results by phone, letter and email. WUC does not leave voice messages with identifiable/personal information and all emails with sensitive information are sent by an encryption service. If patients wish to change the method of communication used, this can happen at any time by contacting the office by email, post or telephone.
Retention of personal data
We will only keep your personal information as long as it is required and in accordance with UK law.
Keeping patient data secure
We only give staff access to the data that they need to carry out their role.
WUC takes its duty to protect personal information and confidentiality very seriously and is committed to taking all reasonable measures to ensure the confidentiality and security of personal data whether on computer or on paper. Where possible we use commercially available software to store personal data, such as Qinec, DGL Practice Manager, Sage and Viewpoint, where the software is regularly checked for security vulnerabilities.
When WUC needs to transfer data outside of the European Economic Area (EEA) it is done with appropriate safeguards in place. If it is transferred with the patient’s permission to a third party in the US, this may be protected if they are part of the EU-US Privacy Shield. This requires that the third party provides data protection to standards similar to those in Europe. More information is available about this from the European Commission. All data sent within and outside of the EU is sent using an encrypted format.
Consent – where we do not have a lawful basis to hold or process data, WUC will seek the express consent of individuals to hold data about them. This will be by specific and unambiguous statements.
Patients’ rights over their data under the GDPR legislation
Patients have the right to RECTIFICATION – to correct any data that is incorrect.
Patients have the right to request ERASURE – to delete personal data. Legal advice will be taken in the case of requesting erasure of medical records. This falls under ‘special categories of data’ specified by GDPR and erasure is not necessarily granted.
Patients have the right to RESTRICTION – to block or suppress the further processing of personal data in certain circumstances.
Patients have the right to SUBJECT ACCESS – to request access to data that WUC holds about them.
Should a patient request a copy of personal information which WUC holds, they should contact WUC in writing outlining the data they are seeking to obtain.
This request will be acknowledged by email. WUC will seek to verify the identity of the individual and that they are lawfully entitled to request this personal data. If WUC are unable to verify the authenticity of the request and the identity of the requester, the request will be refused.
If the request is authorised, the data will be provided within 30 days of the request.
There is not normally a charge for a subject access request but if the request is viewed by WUC to be ‘manifestly unfounded or excessive’ (for example, if the patient makes repetitive requests) a fee may be charged to cover our administration costs in responding.
Reporting a breach
A breach is defined as any event which ‘leads to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. If a breach occurs, the WUC office should be informed immediately. WUC will need to consider if the breach is likely to ‘result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage’. If it does, the ICO must be informed within 72 hours of the breach occurring.
WUC will notify patients directly in the event of any breach of personal data which might expose them to serious risk.
For more information about our legal obligations, please refer to the ICO website www.ico.org.uk
CONTACTING WOMEN’S ULTRASOUND CENTRE
WUC can be contacted about any of these policies. Queries should be addressed to Professor Tom Bourne and either emailed to info@womensultrasound.co.uk