Terms & Conditions

Harrow Health CIC Privacy Notice for Patients

About Harrow Health CIC:

Harrow Health CIC (HHCIC) has been delivering bespoke healthcare via community-based clinics since 2007. We would like to assure all our patients that we value your privacy and want you to understand the choices and control you have over your personal data with us.

About General Data Protection Regulation (GDPR) and your personal data

The General Data Protection Regulation (GDPR) is European Union (EU) legislation that became directly applicable to all EU Members effective 25th May 2018. It is a regulation by which the European Parliament, the Council of the EU, and the European Commission intend to strengthen and unify data protection for every natural person living in the European Union.

Your personal data includes all the information we hold about you which identifies you. Examples of your personal data include your name, email address, postal address, date of birth, location data and in some cases opinions that we document about you, as well as special categories of data such as medical and health records, care plans, information about your religious beliefs, ethnic origin and race, sexual orientation and political views.

This privacy notice is to help explain the choices you have over your personal data, why and how we process it, and to give you the opportunity to have control over it.

Our responsibilities

HHCIC is the data controller of the personal data you provide. We have appointed a Data Protection Officer (DPO) who will have the day-to-day responsibility for ensuring that we comply with the Data Protection Legislation, and for dealing with any requests we receive from individuals exercising their rights under the Data Protection Legislation.

Why do we need to process your personal data?

We process your personal data so that we may provide you with an effective service. As a health care provider working with and providing NHS funded services, we collect and use information about you to enable the delivery of good health care. We may also process your personal data to respond to any queries or comments you submit to us and to correspond with you on a day-to-day basis.

We may sometimes process your personal information on the grounds of consent from you, for the provision of health or social care or treatment and the management of health. If we obtain consent from you for the processing of your personal data, you can withdraw your consent at any time. This will not affect the lawfulness of any processing we carried out prior to you withdrawing your consent. We use the following lawful bases set out in the GDPR for processing your personal data:

  • Article 6, (e) “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;”
  • Article 9, (h) “Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…”

There are principles in GDPR to protect you, and to ensure that you are aware of your rights regarding your data. These principles include:

  • To process all personal information lawfully, fairly and in a transparent manner.
  • Personal information to be collected for specified, explicit and legitimate purpose.
  • To ensure that the personal information processed is adequate, relevant and limited to the purposes for which it was collected.
  • Personal information should be accurate and up to date.
  • Personal information is to be retained for no longer than is necessary for the purpose(s) for which it was collected.
  • To keep personal information securely using appropriate technical or organisational measures.

Your health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which HHCIC holds about you may include the following:

  • Details about you, such as your address, carer, legal representative, emergency contact details
  • Any contact HHCIC has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes and reports about your health.
  • Details about your treatment and care.
  • Results of investigations such as laboratory tests, x-rays etc.
  • Relevant information from other health professionals, relatives or those who care for you.

Risk Stratification and Health Checks

Sometimes we will use risk stratification data tools to help determine the risk of suffering a condition, prevent an unplanned admission or re-admission, and identify a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts, your GP and other services. A risk score is then arrived at through an analysis of your de-identified information, and is only provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health, as well as the treatment of sickness. If necessary, your GP may be able to offer you additional services. Please note, you have the right to opt out of your data being used for this purpose.

Information sharing

We may also have to share your personal information, subject to data sharing agreements, with our partner organisations and occasionally with external companies for facilitation or onwards monitoring of your care. We only transfer your personal data to the extent we need to. Recipients of your personal data include, but are not limited to:

  • NHS Trusts / Foundation Trusts
  • Education Services
  • Organisations that help to manage and store your data like Emis Web
  • Independent Contractors such as dentists, opticians, pharmacists
  • GPs
  • NHS Commissioning Support Units
  • Local Authorities
  • Fire and Rescue Services
  • Voluntary Sector Providers
  • Police & Judicial Services
  • Ambulance Trusts
  • Private Sector Providers
  • Clinical Commissioning Groups
  • Other ‘data processors’
  • Social Care Services
  • Other Private Sector Providers
  • NHS England (NHSE) and NHS Digital (NHSD)

You will be informed who your data will be shared with, and in some cases asked for consent for this to happen when this is required. We may also use external companies to process personal information, for services such as archiving. These companies are bound by contractual agreements to ensure personal information is kept confidential and secure. All employees and sub-contractors engaged by our practice(s) are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor for HHCIC, an appropriate contract (articles 24-28) will be established for the processing of your personal information.

Transfers and safeguards of your personal data to other countries

Your personal and sensitive data will only be stored and processed on servers based within the European Economic Area (EEA). Your data will only be processed by our staff based within the UK and not beyond the EEA region.

Retention periods

We will only keep your personal information for as long as it is required to be retained under the statutory limits. The retention period may be discretionary but is largely guided by law and other codes of conduct like the Records Management Code of Practice for Health and Social Care, which we are expected to abide by. Once your personal information is no longer needed as set out in this privacy notice, it will be securely and confidentially destroyed.

What are your rights?

You have guaranteed rights under the GDPR, which we will uphold at all times. We have summarised the rights which may be available to you below, depending on the grounds on which we process your data.

Access to your data

You have the right to ask us to confirm that we process your personal information, as well as having the right to request access to/copies of that information. You can also ask us to provide a range of personal information, although most of that corresponds to the information set out in this fair processing notice.

We will provide the personal information free of charge unless your request is manifestly unfounded, or excessive or repetitive, in which case we are entitled to charge a reasonable fee. We may also charge you if you request more than one copy of the same information.

We will provide the information you request within one month of receiving your request, provided you have submitted the correct proof of identity details. If we need more information to comply with your request, we will let you know.

Rectification of your data

If you believe personal information we hold about you is inaccurate or incomplete, you can ask us to rectify that information. We will comply with your request within one month of receiving it, unless we do not feel it is appropriate, in which case we will let you know why. We will also let you know if we need more time to comply with your request.

Right to be forgotten

In some circumstances you have the right to ask us to delete personal data we hold about you. This right is available to you:

  • Where we no longer need your personal data for the purpose for which we collected it
  • Where we have collected your personal data on the grounds of consent and you withdraw that consent
  • Where you object to the processing and we do not have any overriding legitimate interests to continue processing the data
  • Where we have unlawfully processed your personal data (i.e. we have failed to comply with GDPR)
  • Where the personal data must be deleted to comply with a legal obligation

There are certain scenarios in which we are entitled to refuse to comply with a request. If any of those apply, we will let you know.

Right to restrict processing

In some circumstances you are entitled to ask us to suppress processing of your personal data. This means we will stop actively processing your personal data, but we do not have to delete it. This right is available to you:

  • If you believe the personal data we hold is not accurate – we will cease processing it until we can verify its accuracy.
  • If you have objected to us processing the data – we will cease processing it until we have determined whether our legitimate interests override your objection.
  • If the processing is unlawful.
  • If we no longer need the data, but you would like us to keep it because you need it to establish, exercise or defend a legal claim.

Data portability

You have the right to ask us to provide your personal data in a structured, commonly used and machine-readable format, so that you are able to transmit the personal data to another data controller. This right only applies to personal data you provide to us:

  • Where processing is based on your consent or for performance of a contract, (i.e. the right does not apply if we process your personal data on the grounds of legitimate interests).
  • Where we carry out the processing by automated means.

We will respond to your request as soon as possible, and in any event, within one month from the date we receive it. If we need more time we will let you know.

Right to object

You are entitled to object to us processing your personal data:

  • If the processing is based on legitimate interests or performance of a task in the public interest or exercise of official authority
  • For direct marketing purposes (including profiling)
  • For the purposes of scientific or historical research and statistics

In order to object, you must have grounds for doing so based on your particular situation. We will stop processing your data unless we can demonstrate that there are compelling legitimate grounds which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims.

Automated decision-making

The transfer of your data from NHS systems such as the Summary Care Record and NHS Choices is automated in how it is received; however, no care or treatment decisions made about you are automated in any way.

Where personal data comes from

The personal data we hold about you has been submitted to us by you for the purposes of delivering healthcare. We will not use any information about you that is available in publicly accessible sources.

If we require any additional details about you in order to complete your treatment, we will request it directly from you.

Your right to complain about our processing

If you think we have processed your personal data unlawfully or that we have not complied with GDPR, you can report your concerns to the supervisory authority in your jurisdiction. The supervisory authority in the UK is the Information Commissioner’s Office (“ICO”). You can call the ICO on 0303 123 1113 or get in touch via other means, as set out on the ICO website – https://ico.org.uk/make-acomplaint/

The right to lodge a complaint and how to contact us

Should you have any concerns about how your information is used and/or managed, please contact:

Data Protection Officer, Harrow Health CIC, Metro House, Ground Floor, 203 Pinner Road, Northwood, Middlesex HA6 1BX

Phone: 020 8866 4100

Email: Harhl.feedback@nhs.net

If you feel your complaint has not been adequately dealt with by us, you have the right to take this further with the Information Commissioner’s Office (ICO) via their website www.ico.gov.uk.