The General Data Protection Regulation (GDPR) is European Union (EU) legislation that became directly applicable in all EU Member States with effect from 25th May 2018. It is a regulation by which the European Parliament, the Council of the EU, and the European Commission intend to strengthen and unify data protection for every natural person living in the European Union.
Your personal data includes all the information we hold about you which identifies you. Examples of your personal data include your name, email address, postal address, date of birth, location data and in some cases opinions that we document about you, as well as special categories of data such as medical and health records, care plans, and information about your religious beliefs, ethnic origin and race, sexual orientation and political views.
This privacy notice is to help explain the choices you have over your personal data, why and how we process it, and to give you the opportunity to have control over it.
HHCIC is the data controller of the personal data you provide. We have appointed a Data Protection Officer (DPO) who will have the day-to-day responsibility for ensuring that we comply with the Data Protection Legislation, and for dealing with any requests we receive from individuals exercising their rights under the Data Protection Legislation.
We process your personal data so that we may provide you with an effective service. As a health care provider working with and providing NHS funded services, we collect and use information about you to enable the delivery of good health care. We may also process your personal data to respond to any queries or comments you submit to us and to correspond with you on a day-to-day basis.
We may sometimes process your personal information on the grounds of consent from you, for the provision of health or social care or treatment and the management of health. If we obtain consent from you for the processing of your personal data, you can withdraw your consent at any time. This will not affect the lawfulness of any processing we carried out prior to you withdrawing your consent. We use the following lawful bases set out in the GDPR for processing your personal data:
There are principles in GDPR to protect you, and to ensure that you are aware about your rights regarding your data. These principles include:
Your health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which HHCIC holds about you may include the following:
Sometimes we will use risk stratification data tools to help determine the risk of suffering a condition, to prevent an unplanned admission or readmission, and to identify a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts, your GP and other services. A risk score is then arrived at through an analysis of your de-identified information, and is only provided back to your GP, as data controller, in an identifiable form. Risk stratification enables your GP to focus on preventing ill health as well as on the treatment of sickness. If necessary, your GP may be able to offer you additional services. Please note, you have the right to opt out of your data being used for this purpose.
We may also have to share your personal information, subject to data sharing agreements, with our partner organisations and occasionally with external companies for the facilitation or onward monitoring of your care. We only transfer your personal data to the extent we need to. Recipients of your personal data include, but are not limited to:
You have the right to ask us to confirm that we process your personal information, as well as having the right to request access to/copies of that information. You can also ask us to provide a range of personal information, although most of that corresponds to the information set out in this fair processing notice.
We will provide the personal information free of charge unless your request is manifestly unfounded, excessive or repetitive, in which case we are entitled to charge a reasonable fee. We may also charge you if you request more than one copy of the same information.
We will provide the information you request within one month of receiving your request, provided you have submitted the correct proof of identity details. If we need more information to comply with your request, we will let you know.
If you believe personal information we hold about you is inaccurate or incomplete, you can ask us to rectify that information. We will comply with your request within one month of receiving it, unless we do not feel it is appropriate, in which case we will let you know why. We will also let you know if we need more time to comply with your request.
In some circumstances you have the right to ask us to delete personal data we hold about you. This right is available to you:
There are certain scenarios in which we are entitled to refuse to comply with a request. If any of those apply, we will let you know.
You have the right to ask us to provide your personal data in a structured, commonly used and machine-readable format, so that you are able to transmit the personal data to another data controller. This right only applies to personal data you provide to us:
We will respond to your request as soon as possible, and in any event, within one month from the date we receive it. If we need more time we will let you know.
You are entitled to object to us processing your personal data:
In order to object, you must have grounds for doing so based on your particular situation. We will stop processing your data unless we can demonstrate that there are compelling legitimate grounds which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims.
The personal data we hold about you has been submitted to us by you for the purposes of delivering healthcare. We will not use any information about you that is available in publicly accessible sources.
If we require any additional details about you in order to complete your treatment, we will request it directly from you.
If you think we have processed your personal data unlawfully or that we have not complied with the GDPR, you can report your concerns to the supervisory authority in your jurisdiction. The supervisory authority in the UK is the Information Commissioner's Office ("ICO"). You can call the ICO on 0303 123 1113 or get in touch via other means, as set out on the ICO website: https://ico.org.uk/make-a-complaint/
Should you have any concerns about how your information is used and/or managed, please contact:
Data Protection Officer
Harrow Health CIC
Metro House, Ground Floor
203 Pinner Road, Northwood, Middlesex HA6 1BX
Phone: 020 8866 4100
Email: Harhl.feedback@nhs.net
If you feel your complaint has not been adequately dealt with by us, you have the right to take this further with the Information Commissioner's Office (ICO) via their website www.ico.gov.uk.