What is a Privacy Notice?

Find out about privacy notices and what they should include. The UK General Data Protection Regulation (GDPR) requires that data controllers provide certain information to people whose information (personal data) they hold and use. A privacy notice is one way of providing this information. This is sometimes referred to as a fair processing notice.

A privacy notice should identify who the data controller is, with contact details for its Data Protection Officer. It should also explain the purposes for which personal data are collected and used, how the data are used and disclosed, how long it is kept, and the controller’s legal basis for processing.

In addition Healthcare Central London Ltd (HCL) may occasionally be required to collect and use certain types of such personal information to comply with the requirements of the law. No matter how it is collected, recorded and used (such as, on a computer or other digital media, on hardcopy, paper or images, including CCTV) this personal information will be dealt with properly to ensure compliance with data protection legislation – the European General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA2018) which implements the GDPR in the UK.

We may collect and use personal data for the functions that we exercise jointly with the NHS.
HCL fully support and we are able to demonstrate compliance with the six principles of Data Protection Act 2018 which are summarised below:

• Personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals;
• Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
• Personal data processed must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• Personal data shall be accurate and, where necessary, kept up to date.
• Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
• Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

Information covered by data protection legislation

The GDPR definition of “personal data” covers any information relating to an identified or identifiable natural person – i.e. living individuals. Pseudonymised personal data is covered, however anonymised or aggregated data is not regulated by the GDPR or DPA2018, providing the anonymisation or aggregation has not been done in a reversible way.

Individuals and individual employee from which they can be identified can be identified by various means including their:

It may include but may not be limited to the following:

• Personal contact information such as name, title, address, telephone number(s) and personal and/ or company email addresses.
• Date of birth.
• Gender.
• Marital status and details of next of kin or dependents.
• Employment records (including job titles, start date, work history, working hours, training records and professional memberships).
• Workplace location.
• Salary and benefit details and history including payroll records and tax records/information.
• Holiday and absence records.
• Copy documents such as passport or driving license or other identification document provided to us as part of our legal obligation to check an employee’s right to work in the UK.
• Recruitment information (including references and other information included in a CV or cover letter or as part of the job application process).
• Information relating to qualifications and performance including appraisal records.
• Disciplinary and grievance information.
• CCTV footage, photographs and other information obtained through electronic means such as swipe card records, time and attendance data and/or data from vehicle tracking software.
• Information about an employee’s use of our information and communications systems.
• Telephone conversation recordings and activity related to making and receiving telephone calls
• Health information for employment purposes

How is Personal Data collected?

Typically an employee will have provided Personal Data or we have recorded Personal Data about the employee in connection with or in the course of their employment. Occasionally we are passed Personal Data by a third party such as our payroll provider, HR advisers or training providers.

For what purposes is Personal Data used?

We will only use Personal Data when the law allows us to which can be summarized under the following headings:

1. Consent: an individual has given clear consent for us to process their personal data for a specific purpose.
2. Contract: the processing is necessary for a contract we have with the individual or because they have asked us to take specific steps before entering into a contract.
3. Legal obligation: the processing is necessary for us to comply with the law.
4. Vital interests: the processing is necessary to protect someone’s life.
5. Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
6. Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party. Details of the Personal Data that we are most likely to process are set out in Appendix One.

How we keep your information confidential and safe

Everyone working for our organisation is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised with consent given by the patient unless there are other legal bases covered by the law.

All our staff are expected to make sure information is kept confidential and receive regular training on how to do this.

The health records we use may be electronic, on paper, or a mixture of both. We use a combination of working practices and technology to ensure that your information is kept confidential and secure.

Your records are backed up securely according to our standard procedures, NHS policies and in accordance with DPA 2018 . We ensure that the information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personnel.

We also make sure external organisations who process your personal information in order to support us are contractually required to have appropriate organisation and technical measures to protect your personal data.
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

• Data Protection Act 2018;
• UK GDPR;
• General Data Protection Regulation (GDPR) 2016;
• Human Rights Act 1998;
• Common Law Duty of Confidentiality;
• NHS Codes of Confidentiality and Information Security;
• Health and Social Care Act 2012 and 2015;
• And all other applicable legislation.

We will maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if we reasonably believe that others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (such as a risk of serious harm to yourself or others) or where the law requires information to be passed on.

Children and Families

We use the data we gather from children, young people and families we are supporting for the sole purpose of providing the best care and support that we can provide to them. This might also include being able to evaluate the quality of support we have given and audit our practices in order to improve our services.

We will share information where we believe that the sharing of that information is in the best interests of supporting a child or young person. Where it is legally required to do so, and prior to the sharing of any information, we will obtain the necessary consent of relevant parent/guardian.

We take our responsibility to safeguard the welfare of children, young people and vulnerable adults very seriously. We are legally obliged to pass on personal information to the relevant authority if we thought a child, young person or vulnerable adult was at risk. When you begin to receive a service, you will be notified of how your personal data will be used and under what circumstances shared. We will also continue to update you through privacy notices such as this one.

If you are receiving a service from us, we would collect your personal data as part of receiving that service. This might include quite sensitive information relating to the support we are providing to you.

If you are under 13, we will need to get consent, when required by law, from the relevant adult/s who act as your parent/guardian to hold your personal information.

Sometimes another agency (like a school, GP or local authority) might have information that they want to pass onto us, but we would only take that data where we have a lawful basis to do so.

What rights and obligations do Employees have?

Duty to inform us of changes

It is important that Personal Data is kept accurate and up to date. Employees should please advise us if their personal information changes whilst they are employed by us.

Rights in connection with Personal Data

Under certain circumstances, individuals have the right to:

• Request a copy of their Personal Data (commonly known as a “data subject access request”). This enables them to receive a copy of the personal information we hold about them and to check that we are lawfully processing it.
• Request correction of the Personal Data that we hold about them.
• Request the erasure of Personal Data. An individual may ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. An individual may also request that we stop processing Personal Data where we are relying on a legitimate interest and there is something about their particular situation which permits an object to processing on this ground.
• Request the restriction of processing of Personal Data for example until its accuracy or the reason for processing it is more clearly established.
• Request the transfer of Personal Data to another party. Individuals who wish to review, verify, correct or request erasure of Personal Data, object to the processing of Personal Data, or request that we transfer a copy of Personal Data to another party, please contact our nominated Data Controller

Distribution and Implementation

This document will be made available to all staff via the intranet site. A notice will be issued in the staff bulletin notifying of the release of this document.

Training Plan

A training needs analysis will be undertaken with staff affected by this document by the Corporate Information Governance team in conjunction with the Data Protection Officer.

Based on the findings of that analysis appropriate training will be provided to staff as necessary.

Monitoring

Compliance with the policies and procedures laid down in this document will be monitored via the Data Protection Officer a and the Corporate Information Governance team, together with independent reviews from Internal Audit

What we may need to comply with a Data Subject Access Request

We may need to request specific information to help us confirm a lawful right to access the information (or to exercise any other rights). This is another appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to access it.

Equality Impact Assessment

This document forms part commitment to create a positive culture of respect for all staff and service users. The intention is to identify, remove or minimise discriminatory practice in relation to the protected characteristics (race, disability, gender, sexual orientation, age, religious or other belief, marriage and civil partnership, gender reassignment and pregnancy and maternity), as well as to promote positive practice and value the diversity of all individuals and communities.

As part of its development this document and its impact on equality has been analysed and no detriment identified.

Charges

No fee is usually required to access Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if the request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

Right to withdraw consent

In certain circumstances consent may be required to the processing of Personal Data. Where an employee provides such consent to the processing of Personal Data for a specific purpose, that employee has the right to withdraw consent for that specific processing at any time. To withdraw consent, please contact the nominated Data Controller. Once notification is received that consent has been withdrawn, we will no longer process Personal Data for the said specific purpose, unless we have another lawful basis to do so.

Our Data Protection Officer

We will have in place a Data Protection Officer at all times so far as is possible. At the date of issue of this Privacy Notice we have appointed the person. The Data Protection Officer will oversee compliance with this Privacy Notice. For any questions about this Privacy Notice or how we handle Personal Data, please contact the Data Protection Officer using the contact details included.

Making a complaint

Individuals have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters.

Amending this Privacy Notice

We may update this Privacy Notice from time to time and we will issue a new privacy notice when we make any material changes including when we the identity of the Data Protection Officer changes.

What is a Privacy Notice?

Find out about privacy notices and what they should include. The UK General Data Protection Regulation (GDPR) requires that data controllers provide certain information to people whose information (personal data) they hold and use. A privacy notice is one way of providing this information. This is sometimes referred to as a fair processing notice.

A privacy notice should identify who the data controller is, with contact details for its Data Protection Officer. It should also explain the purposes for which personal data are collected and used, how the data are used and disclosed, how long it is kept, and the controller’s legal basis for processing.

In addition Healthcare Central London Ltd (HCL) may occasionally be required to collect and use certain types of such personal information to comply with the requirements of the law. No matter how it is collected, recorded and used (such as, on a computer or other digital media, on hardcopy, paper or images, including CCTV) this personal information will be dealt with properly to ensure compliance with data protection legislation – the European General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA2018) which implements the GDPR in the UK.

We may collect and use personal data for the functions that we exercise jointly with the NHS.

HCL fully support and we are able to demonstrate compliance with the six principles of Data Protection Act 2018 which are summarised below:

• Personal data shall be processed lawfully, fairly and in a transparent manner in relation to individuals;
• Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
• Personal data processed must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
• Personal data shall be accurate and, where necessary, kept up to date.
• Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
• Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

Information covered by data protection legislation

The GDPR definition of “personal data” covers any information relating to an identified or identifiable natural person – i.e. living individuals. Pseudonymised personal data is covered, however anonymised or aggregated data is not regulated by the GDPR or DPA2018, providing the anonymisation or aggregation has not been done in a reversible way.

The information we collect about you is:-

• Personal contact information such as name, title, address, telephone number(s) and personal and/ or company email addresses.
• Date of birth.
• Gender.
• Marital status and details of next of kin or dependents.
• Healthcare information about you
• CCTV footage For premises we operate from
• Telephone conversation recordings and activity related to making and receiving telephone calls.

How is Personal Data collected?

We rely on patients to provide this information to us to support and provide treatment and care services.

For what purposes is Personal Data used?

We will only use Personal Data when the law allows us to which can be summarized under the following headings:

1. Consent: an individual has given clear consent for us to process their personal data for a specific purpose.
2. Contract: the processing is necessary for a contract we have with the individual or because they have asked us to take specific steps before entering into a contract.
3. Legal obligation: the processing is necessary for us to comply with the law.
4. Vital interests: the processing is necessary to protect someone’s life.
5. Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
6. Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party. Details of the Personal Data that we are most likely to process are set out in Appendix One.

   For the purposes of the activities we carry out nearly all of our processing will be reliant upon a public task.

How we keep your information confidential and safe

Everyone working for our organisation is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised with consent given by the patient unless there are other legal bases covered by the law.

All of our staff are expected to make sure information is kept confidential and receive regular training on how to do this.

The health records we use may be electronic, on paper, or a mixture of both. We use a combination of working practices and technology to ensure that your information is kept confidential and secure.

Your records are backed up securely according to our standard procedures, NHS Records Management Code of Practice and in accordance with the Data Protection Act 2018 . We ensure that the information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personnel.

We also make sure external organisations who process your personal information in order to support us are contractually required to have appropriate organisation and technical measures to protect your personal data.

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

• Data Protection Act 2018;
• UK GDPR;
• Human Rights Act 1998;
• Common Law Duty of Confidentiality;
• NHS Codes of Confidentiality and Information Security;
• Health and Social Care Act 2022;
• And all other applicable legislation.

We will maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if we reasonably believe that others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (such as a risk of serious harm to yourself or others) or where the law requires information to be passed on.

Children and Families

We use the data we gather from children, young people and families we are supporting for the sole purpose of providing the best care and support that we can provide to them. This might also include being able to evaluate the quality of support we have given and audit our practices in order to improve our services.

We will share information where we believe that the sharing of that information is in the best interests of supporting a child or young person. Where it is legally required to do so, and prior to the sharing of any information, we will obtain the necessary consent of relevant parent/guardian.

We take our responsibility to safeguard the welfare of children, young people and vulnerable adults very seriously. We are legally obliged to pass on personal information to the relevant authority if we thought a child, young person or vulnerable adult was at risk. When you begin to receive a service, you will be notified of how your personal data will be used and under what circumstances shared. We will also continue to update you through privacy notices such as this one.

If you are receiving a service from us, we would collect your personal data as part of receiving that service. This might include quite sensitive information relating to the support we are providing to you.

If you are under 13, we will need to get consent, when required by law, from the relevant adult/s who act as your parent/guardian to hold your personal information.

Sometimes another agency (like a school, GP or local authority) might have information that they want to pass onto us, but we would only take that data where we have a lawful basis to do so.

Rights in connection with Personal Data

Under certain circumstances, individuals have the right to:

• Request a copy of their Personal Data (commonly known as a “data subject access request”). This enables them to receive a copy of the personal information we hold about them and to check that we are lawfully processing it.
• Request correction of the Personal Data that we hold about them.
• Request the erasure of Personal Data. An individual may ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. An individual may also request that we stop processing Personal Data where we are relying on a legitimate interest and there is something about their particular situation which permits an object to processing on this ground.
• Request the restriction of processing of Personal Data for example until its accuracy or the reason for processing it is more clearly established.
• Request the transfer of Personal Data to another party. Individuals who wish to review, verify, correct or request erasure of Personal Data, object to the processing of Personal Data, or request that we transfer a copy of Personal Data to another party, please contact our nominated Data Controller

To exercise any of these rights as a patient please contact our Data Protection Officer on umar.sabat@ig-health.co.uk

What we may need to comply with a Data Subject Access Request

We may need to request specific information to help us confirm a lawful right to access the information (or to exercise any other rights). This is another appropriate security measure to ensure that Personal Data is not disclosed to any person who has no right to access it.

Equality Impact Assessment

This document forms part commitment to create a positive culture of respect for all staff and service users. The intention is to identify, remove or minimise discriminatory practice in relation to the protected characteristics (race, disability, gender, sexual orientation, age, religious or other belief, marriage and civil partnership, gender reassignment and pregnancy and maternity), as well as to promote positive practice and value the diversity of all individuals and communities.

As part of its development this document and its impact on equality has been analysed and no detriment identified.

Charges

No fee is usually required to access Personal Data (or to exercise any of the other rights). However, we may charge a reasonable fee if the request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

Right to withdraw consent

In certain circumstances consent may be required to the processing of Personal Data. Where an employee provides such consent to the processing of Personal Data for a specific purpose, that employee has the right to withdraw consent for that specific processing at any time. To withdraw consent, please contact the nominated Data Controller. Once notification is received that consent has been withdrawn, we will no longer process Personal Data for the said specific purpose, unless we have another lawful basis to do so.

Our Data Protection Officer

We will have in place a Data Protection Officer at all times so far as is possible. At the date of issue of this Privacy Notice we have appointed the person. The Data Protection Officer will oversee compliance with this Privacy Notice. For any questions about this Privacy Notice or how we handle Personal Data, please contact the Data Protection Officer using the contact details included.

Making a complaint

Individuals have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters.

Amending this Privacy Notice

We may update this Privacy Notice from time to time and we will issue a new privacy notice when we make any material changes including when we the identity of the Data Protection Officer changes.

Questions about the Terms of Service should be sent to us at hcl.corporate@nhs.net