Data Privacy Notice
Primary Healthcare Derby (PHD)
Personal data – what is it?
Personal data relates to an individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the General Data Protection Regulation (the “GDPR”).
Who are we & how do we process your personal data?
Primary Healthcare Derby is the data controller (contact details below). This means we decide how your personal data is processed and for what purposes.
Primary Healthcare Derby complies with its obligations under the “GDPR” by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.
We use your personal data for the following purposes: -
To raise the profile of the federation;
To inform you of news, events, contracts and services run by Primary Healthcare Derby;
To manage our employees;
To enable us to provide a service to our member practices;
To administer membership records;
To maintain our own accounts and records (including shareholder records);
What is the legal basis for processing your personal data?
Processing is necessary for carrying out legal obligations in relation to employment, shareholder records, or a collective agreement.
Processing is carried out by a not-for-profit organisation: -
the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes); and
the processing relates only to employees or former employees (or those who have regular contact with it in connection with those purposes); and
there is no disclosure to a third party without consent.
How do we maintain the confidentiality of your records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
Data Protection Act 1998 and General Data Protection Regulation 2016
Human Rights Act 1998
Common Law Duty of Confidentiality
Health and Social Care Act 2012
NHS Codes of Confidentiality, Information Security and Records Management
Information: To Share or Not to Share Review
Every member of staff who works for an NHS organisation has a legal obligation to keep information confidential.
We will only ever use or pass on information about you if others have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations). This decision will be taken only by our designated IG Lead, Jools Roome, email@example.com
Who are our partner organisations?
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:
GPs (Appendix A)
NHS Trusts / Foundation Trusts (Appendix B)
NHS Derby & Derbyshire Clinical Commissioning Group
North of England Commissioning Support Unit
Derbyshire County Council & Derby City Council
Independent Contractors such as dentists, opticians, pharmacists (where applicable, non-current)
East Midlands Ambulance Service
Private Sector Providers
Voluntary Sector Providers
Health and Social Care Information Centre (HSCIC)
Derbyshire Fire and Rescue Services
Derbyshire Police & Judicial Services
Other ‘data processors’ which you will be informed of
You will be informed who your data will be shared with and in some cases asked for explicit consent.
We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.
Access to personal information
You have a right under the Data Protection Act 1998 to request access to view or to obtain copies of what information the company holds about you and to have it amended should it be inaccurate. In order to request this, you need to do the following:
• There may be a charge to have a printed copy of the information held about you
• We are required to respond to you within 40 days
• You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified, and your records located.
Change of Details
It is important that you tell the person treating you if any of your details, such as your name or address, have changed, or if any of your details, such as your date of birth, are incorrect, so that they can be amended. You have a responsibility to inform us of any changes so that our records are accurate and up to date for you.
The Data Protection Act 1998 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.
This information is publicly available on the Information Commissioner's Office website www.ico.org.uk
The practice is registered with the Information Commissioner's Office (ICO).
How do we monitor compliance with GDPR and other Data Protection Laws?
To assure that Primary Healthcare Derby is compliant with GDPR and other data protection laws it will publish the Data Protection Policy (this document), with the next review set for July 2020. Primary Healthcare Derby will ensure there is appropriate awareness raising and training for all employees. Primary Healthcare Derby with its DPO will conduct an annual audit cycle of training, policies and record keeping. Alexin Healthcare will follow the advice of its DPO in regard to matters raised from these audits.
Who is the Data Protection Officer?
The company has a designated Data Protection Officer (DPO).
The DPO has expert knowledge of data protection law and monitors the practice's compliance with data protection regulations. However, responsibility for compliance remains with the data controller and data processor.
They are able to act independently to assure compliance. The DPO reports to the highest level of management in Primary Healthcare Derby, the Board. They will co-operate with national supervisory authorities such as the ICO.
The DPO for Primary Healthcare Derby is Paul Couldrey and his email address is: firstname.lastname@example.org
Should you have any concerns about how your information is managed by the company please contact the Operational Manager at the following address: Jools Roome; email@example.com
If you are not able to reach a satisfactory resolution with the Operational Manager, you can raise your complaint to the DPO for further review and consideration.
If you remain unhappy following this process by Primary Healthcare Derby, you can then complain to the Information Commissioner's Office (ICO): www.ico.org.uk, firstname.lastname@example.org, telephone: 0303 123 1113 (local rate) or 01625 545 745
Appendix A – GP Practices
Alvaston Medical Centre
Brook Medical Centre
Chapel Street Medical Centre
Derby Family Medical Centre
Derwent Medical Centre
Derwent Valley Medical Practice
Friar Gate Surgery
Haven Medical Practice
Hollybrook Medical Practice
Lister House Peartree
Lister House Chellaston
Macklin Street Surgery
Melbourne & Chellaston Medical Practice
Mickleover Medical Centre
Overdale Medical Practice
Park Farm Medical Centre
Park Lane Surgery
Peartree Medical Centre
St Thomas Road Surgery
The Park Medical Practice
Vernon Street Medical Centre
Wellbrook Medical Centre
Wilson Street Surgery
Appendix B – NHS Trusts
University Hospitals of Derby & Burton
Derbyshire Community Health Services NHS Foundation Trust