Privacy Policy
This notice sets out the privacy policy for MySkinDoctor Ltd (the company) and aims to explain how we use your information. The term service in this document refers to all clinical, administrative and online services provided by MySkinDoctor Ltd. The contents of this privacy policy cover all clinical services provided by the company.
Security of Information
Confidentiality affects everyone: The service collects, stores and uses large amounts of personal data every day, such as medical or personal records which may be paper-based or held on a computer.
We take our duty to protect your personal information and confidentiality very seriously and are committed to taking appropriate measures to ensure it is held securely and only accessed by those with a need to know.
At executive level, we have appointed a Senior Information Risk Owner (SIRO), Andrew Catlin, who is accountable for the management of all our information systems and the data they hold. The SIRO also makes sure that any associated risks or incidents are documented and investigated appropriately. We also have a Caldicott Guardian, Dr Bav Shergill, who has responsibility for providing advice on protecting patient confidentiality and sharing patients’ information securely when appropriate. We also have a Data Protection Officer (DPO), who is responsible for managing our day to day Information Governance and GDPR compliance obligations.
How to contact us if you have a question
All our services have dedicated patient helplines and, if you have a question about your care or how we use your data, you can reach the appropriate person by calling or writing to us using the details below. If your query relates to how we use your information, you can write to the Data Protection Officer at the following addresses:
Adam Harding, Data Protection Officer
MySkinDoctor, Technology House, West Road, Fishersgate, BN41 1QH
Email: adam.harding@myskindoctor.co.uk
Tel: 01903 896625
How do I make a complaint?
If you are unhappy with any aspect of the services or care we provide, please contact us immediately so that we can investigate and respond. We will handle all complaints in line with our complaints policy and procedures to give you a speedy response.
Important: If your treatment has not met your expectations or if you have suffered any adverse side-effects or complications then please get in touch with us as soon as possible. Our clinicians are highly experienced, and we are supported by Consultant Dermatologists who are experts at managing a wide variety of complex skin conditions, rare treatment complications and corrective procedures.
We pride ourselves on the care we provide so you can rest assured that if you do need to make a complaint or raise an issue about the quality of services you have received, a manager will be in touch with you quickly to see how we can help.
Loren Byrnes, Service Manager
MySkinDoctor, Technology House, West Road, Fishersgate, BN41 1QH
Email: loren.byrnes@myskindoctor.co.uk
Tel: 01903 896625
If you still have concerns about the care you have received or if we are unable to resolve your complaint to your satisfaction then you can also contact the Care Quality Commission on 03000 616161 or write to them at:
CQC National Customer Service Centre, Citygate, Gallowgate, Newcastle upon Tyne, NE1 4PA
You can also complain about how we handle your data to the Information Commissioner’s Office
(ICO) via telephone on 0303 123 1113 or via their website at:
https://ico.org.uk/concerns/
The NHS Care Record Guarantee
Everyone working within the NHS has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us has a legal duty to keep it confidential. The Care Record Guarantee is our commitment that we will use records about you in ways that respect your rights and promote your health and wellbeing.
An explanation of the Care Record Guarantee and guidance on keeping your online health and social care records safe and secure can be obtained from NHS England:
https://www.nhs.uk/nhsengland/thenhs/records/healthrecords/documents/patientguidancebooklet.pdf
Why do we collect information about you?
The doctors, nurses and administrative team caring for you keep records about your health and any treatment and care you receive from the NHS. These records help to ensure that you receive the best possible care and may be written on paper or held on a computer. They may include:
- Basic details about you such as name, address, date of birth, next of kin, GP practice and contact details
- Contact we have had with you such as appointments or clinic visits
- Notes and reports about your health, treatment and care
- Results of x-rays, scans and laboratory tests
- Relevant information from people who care for you and know you well such as health or social care professionals, relatives or carers
- Access to GP health records or records from other NHS services recorded on our clinical system, TPP SystmOne
- Access to National healthcare records, demographics and GP history.
It is essential that we have accurate and up to date information about you so that we can give you the best possible care. Please check that your personal details are correct whenever you visit us and inform us of any changes, for example, by calling our patient helpline on 01903 896625 as soon as possible. This minimises the risk of you not receiving important correspondence.
What is the lawful basis of processing for personal and healthcare data?
The main reason why we collect and process your personal data is for providing direct care, and under GDPR we process the majority of this data under Article 6 (1) (e) and Article 9 (1) (h) of the General Data Protection Regulations (GDPR).
Essentially, Article 6 (1) (e) is the lawful basis which allows us to process your personal data on the basis that we are required to do so in the exercise of official authority, which is bestowed upon the organisation on the basis that we have secured NHS Contracts with NHS organisations to deliver clinical services on behalf of the National Health Service.
To process your healthcare records, we mostly rely upon Article 9 (1)(h), which provides the company with a lawful basis to process your healthcare records for the provision of healthcare, medical diagnosis, treatment and general management of healthcare services.
The service therefore does not generally rely upon consent for processing your data for direct care, as we have a statutory duty to process and collect certain data on behalf of the National Health Service. Consent is generally only used as a lawful basis for processing data within the organisation for specific medical research projects.
Data on patients who are incapacitated might be processed under Article 9 (c) which is designed to protect their vital interests where the data subject is physically or legally incapable of giving consent.
Processing intimate images for healthcare data?
Sometimes an intimate examination may be necessary by a MySkinDoctor clinician due to the proximity of the skin issue subject of the consultation. These can be embarrassing or distressing for patients, and whenever there is a clinical need to examine you as the patient or your child, we will be sensitive to what you may consider as intimate and mindful of the cultural and religious differences in perception. Whilst this is likely to include examinations of breasts, genitalia and the perianal area, but could also include any examination the patient perceives as intimate.
MySkinDoctor clinicians will remain professionally curious and vigilant throughout the consultation process and will follow the guidance contained within the “Key principles for intimate clinical assessments undertaken remotely in response to COVID-19”.
MySkinDoctor has a moral and legal responsibility to consider the possibility of any safeguarding issues, particularly if the patient is under 18 years old or is a vulnerable person, and whether these obligations can be fully explored via remote consultation. If safeguarding concerns reveal themselves at any stage, MySkinDoctor will convert a remote consultation to a face-to-face assessment, unless there are compelling reasons why that cannot happen, and follow existing child and adult protection referral pathways.
The General Medical Council (GMC) and Nursing and Midwifery Council (NMC) advise that informed consent to receive and store the patient's image is necessary. The decision to store an intimate image in the patient’s clinical record must be justifiable and transparent, and MySkinDoctor will only store images if this is what we would do in a face to face consultation.
MySkinDoctor clinicians are instructed to record in the EPR (SystmOne) the clear justification for the need to store an intimate image in the clinical record. If a patient does not agree to the retention of the image this should not automatically preclude them from being able to continue with a remote assessment, where this is appropriate (without their image being retained), and alternative options for examination, such as a face to face examination, will be offered to the patient.
The process of obtaining and documenting consent will include an explanation as to why an image will help in providing clinical care, the different options for assessment available to a patient and the associated limitations and risks, including the option to have a face to face examination. There will be a record and access control in SystmOne on who is authorised to see the image and that it will be used for direct care purposes and that it won’t be used for any other purpose without the patient’s express permission. MySkinDoctor has strict policies that mirror the NHS regarding data storage and retention duration.
Whilst patient consent does not need to be written down, MySkinDoctor clinicians will check to see whether you have understood the information they have given, and whether or not you would like more information before making a decision about providing consent. For true consent to be given, we believe patients must feel comfortable to decline consent and find it easy to do so.
How we use your personal information
In general terms, your records are used to direct, manage and deliver your care so that:
- The doctors, nurses and other health or social care professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate care for you.
- Health and social care professionals have the information they need to assess and improve the quality and type of care you receive.
- Appropriate information is available if you see another doctor, or are referred to a specialist or another part of the NHS or social care.
- Your concerns can be properly investigated if a complaint is raised.
Do I need to disclose my data?
Some of your information must be disclosed to us so that we can meet our legal obligations as a healthcare provider, but mostly it is to ensure that you receive safe and effective treatment.
Information which you must disclose includes basic contact information, your date of birth and any relevant healthcare information which may affect your treatment or the safety of our staff.
Please treat all questions about your health as obligatory, as our clinicians will usually need this information to ensure that your treatment is appropriate and that your diagnosis is correct. You can always ask for clarification as to why your data is required and how it will be used in response to anything we ask of you, and there is no need to be embarrassed as our clinicians have seen a wide variety of conditions over the years.
Failure to notify us of some information may result in either an incorrect diagnosis or treatment being given which is at best ineffective, or in some cases harmful. Please note that failure to disclose personal data which is required in order to provide accurate diagnosis or a safe and effective treatment may mean that we are unable to provide you with any further care.
Treatment is always at the discretion of the clinician involved in your care and the Service Manager. We reserve the right to refuse treatment for any reason and may decide to do so if we are concerned about the accuracy of information provided, have concerns about your physical or mental wellbeing, concerns about the necessity of the procedure, or simply if the clinician does not feel comfortable providing the consultation on the day. We will put your safety first as our top priority at all times.
How do we capture your information?
Most of the information we hold about you will come directly from you and your GP, in the form of a referral via eRS and your responses to questions on the MySkinDoctor App. From time to time, we may also receive referral letters or letters from other healthcare professionals involved in your care which will form part of your record. An example of this might be a specialist letter from an NHS provider involved in your care.
When keeping notes we will keep your information limited to your health, but please be aware that we may from time-to-time capture other relevant information that you share with us. Please note that the information you share with us will be held confidentially for the purposes of direct care, and we will restrict access to only those involved in providing or administrating your care. If you have disclosed any information to us that you would like us not to record in your notes, then please make it clear to us to exclude this information from your notes.
Here is a brief overview of how we might collect information from you:
Registration Form
Your GP will refer you directly into the MySkinDoctor teledermatology service at which point you will be sent some instructions on how to download the App. Once the App is downloaded onto your mobile device, you will submit your contact details and then upload a couple of pictures of your skin problem.
Data collected from the App will include your basic demographic details (name, address, date of birth, NHS number, email address, phone number) along with photographs of your skin problem. If at any point you feel uncomfortable using the application, please do not hesitate to contact our administration team who will arrange for you to be seen through our traditional service.
Consultation
A Consultant Dermatologist will then review your images and respond with diagnosis and information about your condition, or will alternatively offer you either an appointment in a physical clinic location or an online video consultation. Both our clinicians and administration teams will use data stored by the App to make decisions about your health. This data will include images submitted by patients.
Where you opt for a F2F or video appointment, our clinicians may take notes during or after your consultation based on what you have discussed with the clinician. These notes may include personal data relating to your health or care you are receiving, along with professional opinions about your diagnosis or treatment options.
Consent Forms
Consent is included as part of the process for agreeing to download the App for your treatment, which is clearly communicated. Consent may be withdrawn at any time by your removing of the App from your device.
Telephone Notes & Conversations
Our administrative team or clinicians may also record details of any phone conversations we have with you. This is to help us provide the very best possible care.
Emails or Letters
Any correspondence between the service and you will generally be considered part of your medical record.
Patient Surveys
From time to time, we may also ask you to complete a satisfaction survey to provide some feedback on the services we provide.
Direct care purposes
Unless you object, we will normally share information about you with other health and social care professionals directly involved in your care so that you may receive the best quality care. For example, every time you receive a consultation via the MySkinDoctor App, we will send your GP a summary of any diagnoses, test results or treatment given.
As you may be seen by a Consultant Dermatologist or a doctor with specialist training in dermatology, we would normally correspond with your GP to explain what your diagnosis is and how we plan to treat it so that your GP is aware of your medical history. This will help your GP to have more awareness aware about the type of skin issues you are experiencing.
If you would prefer us not to share your treatment information with your GP, please inform your clinician or the Administration Team and we will make a note of your request on your medical records.
We will not disclose your information to any other third parties without your permission unless
there are exceptional circumstances, such as when either you or somebody else’s health and safety is at risk; or the law requires us to pass on this information.
Referrals to other Healthcare Providers
As a Consultant-led provider of Dermatology services, most patients are seen and treated within our App services. However, some patients may need to be referred onwards to another healthcare provider for further treatment. This can happen during triage of your referral if our triage team feel that another specialty or service might be more appropriate based on your medical history or the content of your referral letter. This can also happen after you have been seen if you require a more specialist treatment which we are unable to provide within the service, or if a local clinical pathway requires that we refer you into a specialist service.
If we need to refer or redirect your referral to another healthcare provider, we will inform both you and your GP at the time this is done via letter. We will typically include personal details such as your name, contact details and address as part of your referral letter, along with a description of your medical problem and potentially copies of your medical records, recent consultations and relevant photographs so that the healthcare provider receiving your referral has all the information required to ensure you receive the right treatment in a timely fashion. We will only include information which is relevant to your condition for direct care purposes.
If you would like us to not share some or all of your clinical information when making a referral, please contact our Data Protection Officer.
Skin Cancer Referrals
It is recommended that all patients with a confirmed skin cancer diagnosis should be referred to a Multidisciplinary Team meeting (MDT) for discussion. This is where multiple experienced Consultant Dermatologists, Cancer Specialist Nurses, Oncologists, Radiologists and Plastic Surgeons meet to discuss cases of skin cancer.
There are a wide variety of reasons why patients are discussed at an MDT meeting. Sometimes it might be for the group to agree a diagnosis, to approve a treatment or care plan, or sometimes to approve or recommend a specific treatment or procedure.
Some highly specialist treatments for suspected skin cancer also require discussion in a MDT before they can be performed. If your doctor needs to refer you to MDT for discussion, then your doctor may also ask your permission to take a picture of your skin so that it can be discussed in the weekly MDT meeting. This is to ensure that the treatment you receive is going to be appropriate and proportional given the available treatment options on the National Health Service.
Often a photograph is also required before you are approved for Moh’s Micrographic Surgery, a specialist surgical technique for the treatment of certain skin cancers on difficult surgical sites which is expensive and highly specialist to perform. If this is the case, then your photograph will be sent along with your referral to the NHS Hospital hosting the meeting where it might be shown on a projector and discussed. The MDT will then make a recommendation on the most appropriate treatment for you based on this information.
Indirect Care Purposes
In some cases, we might also need to share your data with other healthcare organisations and national bodies such as NHS Digital, under a legal obligation, Article 6 (1) (c), or with health and social care organisations for Safeguarding purposes under social protection law Article 9 (2) (b).
We also use information we hold about you to:
- Review the care we provide to ensure it is of the highest standard and quality
- Ensure our services can meet patient needs in the future
- Investigate patient queries, complaints and legal claims
- Ensure the hospital receives payment for the care you receive
- Prepare statistics on NHS performance
- Audit NHS accounts and services
- Undertake heath research and development (with your consent – you may choose whether to be involved)
- Help train and educate healthcare professionals.
Nationally there are strict controls on how your information is used for these purposes. These control whether your information has to be de-identified first and with whom we may share identifiable information. You can find out more about these purposes, which are also known as secondary uses, on the NHS England and Health and Social Care Information Centre’s websites:
Self-Funded Patient Prescriptions
If you use MySkinDoctor’s self-funded service, you may require a prescription from the Consultant Dermatologist reviewing your case. If a prescription is required, prescriptions will be emailed to your registered email address via an e-prescription service, SignatureRx. Please note that prescriptions are not subsidised by the NHS and therefore the price of private medicine varies depending on the type of medicine that you have been prescribed.
MySkinDoctor provides a diagnosis and initial treatment only. We are unfortunately unable to offer repeat prescriptions through this service. If a prescription is offered, this can usually be continued with either your local dermatologist or GP by providing them with a copy of your clinic letter.
Data shared will include your:
- Name
- Date of birth
- Gender
- Phone number
- Email address
- Address
- Postcode
Commissioning Activity and Service Reporting
As a provider of Acute NHS Dermatology services, we are both contractually and legally required to send some limited personal information to NHS organisations to enable the UK healthcare system to operate in an efficient and cost-effective manner. This data helps Commissioners pay for treatments, plan capacity and evaluate the quality of healthcare services.
NHS Digital
NHS Digital has morphed into an element of NHS England, rather than its previous status as an NHS ‘At Arms Length’ entity. It remains the central organisation for data collection within the NHS. It is responsible for the design, operation and maintenance of national IT systems which allows the NHS to provide joined up and secure care. It is one of the few organisations in the UK permitted to receive healthcare data with patient-identifiable information, which it collects and pseudonymises the data for secondary uses such as statistics and invoice validation. All hospitals and secondary care providers in the UK are required to submit data which may contain personal data as part of the National Contract.
Commissioning Datasets
We submit commissioning datasets to our NHS customers for NHS Digital monthly reporting, which contain data on all consultations, type of treatment, and cancelled and missed appointments within the service.
This is a contractual requirement as we are required to send this data to to receive payment for your consultation or treatment within the service. The data is primarily intended for commissioning purposes such as invoice validation, and statistical purposes.
A full list of data items can be found on the NHS Data Dictionary page at: https://www.datadictionary.nhs.uk
However, in the interest of transparency and keeping you informed, we currently submit the following personal data items for all patients:
- National unique Identifiers such as your NHS number or local Pathway ID’s
- NHS e-Referrals Unique Booking Reference Number (UBRN) of your referral (if applicable)
- Diagnosis and procedure codes
- Attendance and referral dates, clinician seen and clinic location.
If you haven’t requested your record to be formally withheld, we will also submit:
- Your postcode
- Your date of birth.
Lastly, on the rare occasions that a patient does not have a valid NHS Number and hasn’t requested their record to be withheld then we may also submit your name and address so that the NHS can successfully recover costs from the appropriate Integrated Care Board or your country of origin.
The rest of your medical record is not shared as part of the commissioning dataset. This includes:
- Consultation notes
- Medical history
- GP Letters
- Referral Letters
- Clinical notes.
The commissioning datasets are then securely sent to our XML translation service provided by Egton Medical Information Systems Ltd (EMIS), who convert our dataset into XML, validate our dataset and submit the data directly to the national Secondary Use Services (SUS+) system managed by NHS Digital. All data is encrypted during transit and sent securely through the N3 / HSCN secure network for healthcare organisations.
Once the data is in the national SUS+ system, other NHS organisations can access the pseudonymised records to perform their official functions such as invoice validation and statistical analysis.
In addition, some Integrated Care Boards (ICBs) receive pseudonymised commissioning data from a Data Services for Commissioners Regional Office (DSCRO). To facilitate this, data is sent securely to the relevant DSCRO for the patient, an organisation that officially specialises in processing, analysing and packaging patient information within a secure environment into a format NHS commissioners can legally use; anonymised patient level data. More information about the DSCRO service can be found at:
https://digital.nhs.uk/data-services-for-commissioners-dsfc
Referral Datasets
Integrated Care Board (ICBs) also request information on referrals received and onward referrals made by clinicians within the service. This data is sent securely monthly and includes:
- NHS Number
- Referral Date
- Registered GP Practice and Registered GP
- Reason for referral
- Referral Urgency
- Referral Destination
- Referral Source.
Other ways in which we use your information:
Call recording
Telephone calls to the service may be recorded for the following purposes:
- To prevent crime or misuse.
- To make sure that staff act in compliance with Trust procedures.
- To ensure quality control.
- Training, monitoring and service improvement.
SMS text messaging and automated voice reminders
We use your telephone number(s) to send your appointment details via SMS text message and we also send automated reminder calls a few days before the appointment.
Most of our patients appreciate these reminders and we know that it reduces the number of missed appointments, but if you do not wish to receive them please let us know.
Medical Photography / Video
To provide the very best care for patients we may sometimes ask for your permission to take a photograph of your skin problem to discuss your treatment with other consultants and skin specialists either via email, at a multidisciplinary meeting (MDT) or at one of our quarterly Postgraduate Education events.
This is particularly helpful for rarer, unusual or more complicated skin conditions where your diagnosis or treatment plan might not be straight forward. Clinical cases may be discussed in this way for direct care purposes, to establish the most appropriate diagnosis and treatment plan for you if it does not significantly delay or adversely your care, or in most cases discussed at our postgraduate event, patients are discussed to help educate other clinicians on how to manage more difficult dermatology conditions that are hard to diagnose, hard to treat or rare to see in clinical practice.
At our postgraduate education events, all clinicians within the service are encouraged to bring along interesting clinical cases for discussion, which allows our Consultant Dermatologists and GP with Specialist Interest in Dermatology practitioners to discuss the most appropriate diagnosis and management plan for patients with similar conditions. The discussion is informal and enables all doctors involved in providing dermatology to improve their diagnosis and management skills.
Some skin conditions are so rare that a Consultant Dermatologist may only see a single clinical case presenting during their professional career or perhaps only read about a rare condition in a text-book, so the pooling of knowledge and sharing of these rare cases amongst Dermatologists helps to deliver better and safer patient care in the Consultant-led service.
If a clinician thinks that discussing your skin condition with their peers in this setting may help educate other clinicians or improve your care, they may seek permission to take a photograph and share this securely with other clinicians either via email or at one of our postgraduate education events. You are completely free to object to this.
Marketing
We will never use any of your information for marketing purposes or pass on your information to third parties without your explicit and express consent.
Occasionally we may ask you for permission to take a picture or video of your treatment for marketing or patient educational purposes, but if this is the case you will be asked for your explicit and unambiguous consent to allow us to share your photographs, and you are completely free to object without affecting the care you receive.
If you would like to request that we no-longer use your photographs or video footage of your procedure, please contact our Data Protection Officer in writing at:
Data Protection Officer, MySkinDoctor, Technology House, West Road, Portslade, Brighton, West Sussex, BN41 1QH
How you can access your records
You have the right to get a copy of the information that is held about you. This is known as a subject access request. A Subject Access Request (SAR) allows patients to request Information on how we are using and sharing your data, along with details of what information we have.
However, a subject access request goes further than this and an individual is entitled to be:
- told whether any personal data is being processed
- given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
- given a copy of their personal data in electronic or paper form
- given details of the source of the data (where this is available).
Requests can be made verbally to any member of staff, however, we request applications be made in writing to the Data Protection Officer and accompanied by evidence of your identity (see the section below). This is to ensure that your records and information is only released under your strict authority and to ensure that we keep all of your information confidential.
We will then provide your information to you within one month of receipt of:
- your written request
- satisfactory evidence of your identity
- authority to act on someone else’s behalf (if appropriate)
- an indication of what information you are requesting to enable the service to locate it in an efficient manner.
Confirming your identity for a Subject Access Request
To avoid personal data about one individual being sent to another, either accidentally or as a result of deception, we need to be satisfied that we know the full identity of the requester and that they have the appropriate authority to receive the information. We will therefore ask for enough information to judge whether the person making the request is the individual to whom the personal data relates (or a person authorised to make a SAR on their behalf).
In the case of parents or guardians requesting information on their children, we will typically need confirmation from the child that we have authority to release their information to you if the child is over 12 years old and capable of making a request themselves (see below).
Subject Access Requests for Children and Young Adults
Information about children may be released to a person with parental responsibility. However, the best interests of the child will always be considered. Even if a child is very young, data about them is still their personal data and does not belong to anyone else. It is the child who has a right of access to the information held about them.
Before responding to a request for information held about a child, we will first consider whether the child is mature enough to understand their rights. If we are confident that the child can understand their rights, then we will respond to the child rather than to the parent. What matters is that the child can understand (in broad terms) what it means to make a subject access request and how to interpret the information they receive as a result of doing so.
We consider each subject access request for information on a case by case basis, but typically a child of 12 years or older is viewed as capable of making a subject access request. When considering releasing information on children, we will consider, among other things:
- where possible, the child’s level of maturity and their ability to make decisions like this
- the nature of the personal data
- any court orders relating to parental access or responsibility that may apply
- any duty of confidence owed to the child or young person
- any consequences of allowing those with parental responsibility access to the child’s or young person’s information. This is particularly important if there have been allegations of abuse or ill treatment
- any detriment to the child or young person if individuals with parental responsibility cannot access this information; and
- any views the child or young person has on whether their parents should have access to information about them.
Subject Access Requests for people with disabilities
If you are disabled and not physically capable of making a subject access request in writing, please call the clinic via telephone and explain and we will make reasonable adjustments to ensure that we deal promptly with your request. We are also happy to provide your data in large print or audio format if required.
Subject Access Requests for Deceased patients
We will consider each subject access request relating to a deceased patient on a case by case basis, but typically we do not release information on deceased patients as disclosure might constitute an actionable breach of confidence if in principle a personal representative exists who would be able to take legal action. More information about section 41 exemptions can be found in the guidance from the Information Commissioners Office document titled Information about the deceased:
https://ico.org.uk/media/for-organisations/documents/1202/information-about-the-deceased-foi- eir.pdf
Your rights under the General Data Protection Regulations
Your right to object
You have the right to restrict how and with whom we share information in your records that identifies you. If you object to us sharing your information we will record this explicitly within your records so that all healthcare professionals and staff involved with your care are aware of your decision. If you choose not to allow us to share your information with other health or social care professionals involved with your care, it may make the provision of treatment or care more difficult or unavailable. Please discuss any concerns with the clinician treating you so that you are aware of any potential impact. You can also change your mind at any time about a disclosure decision.
Your right to Data Portability
We support the right of data portability where possible. Under GDPR you have the right to a copy of your information in a portable format, either electronic or paper based. As most healthcare IT systems are not yet interoperable, we will typically supply your information in a Microsoft Office, image format (jpeg) or Adobe PDF document format, or alternatively a simple print out via paper.
If you would like us to supply your records or any information we hold on you in an alternate or specific format, please notify us and we will endeavour to meet your request. We will supply your information for free.
Your right to Restrict Processing
You have the right to request the further processing of your information. An example of this might be to prevent us from sharing your medical records with your GP or other healthcare providers. If you would like us to restrict the processing of your information in any way, please inform your clinician or a member of our administrative team or contact our Data Protection Officer.
Your right to Erasure
If you would like us to erase some information we hold about you, please contact our Data Protection Officer at one of our clinics and we will consider your request.
We can’t guarantee that all requests will be met as we also have some legal responsibilities placed upon us which might require us to keep your data, but if the erasure can be performed without detriment to our legal obligations we will be happy to consider it.
Please note that we may need to keep some of your medical records on file in the interests of establishment, exercise or defence of legal claims.
Your right to access information in alternative formats / Large Format Print
If during the course of your interactions with us you require information from us in an alternative format due to a disability, please let a receptionist or your clinician know. We are always happy to provide large print or audio versions of any documents used within the service. Examples may include:
- Consent forms
- Prices
- Treatment or Patient Information
- Correspondence or Pathology results (where applicable).
Data Retention Periods
Unless otherwise specified, we will treat any information you share with us as part of your medical record. We will hold your information in accordance with the Records Management Code of Practice of Health and Social Care 2016 guidance from NHS Digital.
Data Accuracy
If you think any information we hold about you is inaccurate, please let us know.
How we will notify you of any Data Breaches
If a data breach occurs and your data is compromised as part of the breach, we will promptly inform you of the nature of the breach and which data may have been compromised in line with the General Data Protection Regulations (GDPR). We take data security very seriously and work hard to keep your data secure at all times. We have detailed risk assessments, policies, procedures and technical measures in place to ensure your data is protected, and in the event of a data breach we will report it to the Information Commissioner’s Office (ICO) and Care Quality Commission (CQC) in line with our breach policies and GDPR legislation.
Equality Statement
This Policy forms part of the company’s commitment to create a positive culture of respect for all staff and service users. The intention is to identify, remove or minimise discriminatory practice in relation to the protected characteristics (race, disability, gender, sexual orientation, age, religious or other belief, marriage and civil partnership, gender reassignment and pregnancy and maternity), as well as to promote positive practice and value the diversity of all individuals and communities. As part of its development this Policy and its impact on equality has been analysed and no detriment identified.