Greenwich Health Ltd. Privacy Policy
Your data, privacy and the Law. How we use your medical records:
-
This company handles medical records according to the laws on data protection and confidentiality.
-
We share medical records with health professionals who are involved in providing you with care and treatment. This is on a need to know basis and event by event.
-
We may share some of your data with emergency care services.
-
Data about you, usually de-identified, is used to manage the NHS and make payments.
-
We share information when the law requires us to do, for instance when we are inspected or reporting certain illnesses or safeguarding vulnerable people.
-
Your data is used to check the quality of care provided.
-
For more information contact us on engagement@greenwich-health.com
Privacy Notice Direct Care
Plain English explanation
Greenwich Health views data on you relating to who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals involved in your health care.
When registering for NHS care, all patients who receive NHS care are registered on a national database, the database is held by NHS Digital, a national organisation which has legal responsibilities.
If your health needs require care from others elsewhere outside this company we will exchange with them whatever information about you that is necessary for them to provide that care.
Your consent to this sharing of data, within the company and with those others outside the company is assumed and is allowed by the Law.
People who have access to your information will only normally have access to that which they need to fulfil their roles, for instance admin staff will normally only see your name, address, contact details, appointment history and registration details in order to manage your appointments, our clinical teams will only see information relevant to the service they are providing (For Example: NHS Health Checks clinicians will only see information relevant to this service) whilst the GP you see or speak to will normally have access to everything in your record.
You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests. Please see below.
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.
1) Data Controller contact details:
Greenwich Health/Patients Host Practice
2) Data Protection Officer contact details:
David James, Chief Operating Office and DPO
25-27 John Wilson Street, Woolwich, London, SE18 6PZ
3) Purpose of the processing
Direct Care is care delivered to the individual alone, most of which is provided in the surgery. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.
4) Lawful basis for processing
The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*
5) Recipient or categories of recipients of the processed data
The data will be shared with Health and care professionals and support staff in this company and at hospitals, diagnostic and treatment centres who contribute to your personal care.
6) Rights to object
You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller or the company. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance.
7) Right to access and correct
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention period
The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016 or speak to the company.
9) Right to Complain
You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)
Privacy Notice Direct Care Emergencies
There are occasions when intervention is necessary in order to save or protect a patients life or to prevent them from serious immediate harm, for instance during a collapse or diabetic coma or serious injury or accident. In many of these circumstances the patient may be unconscious or too ill to communicate. In these circumstances we have an overriding duty to try to protect and treat the patient. If necessary we will share your information and possibly sensitive confidential information with other emergency healthcare services, the police or fire brigade, so that you can receive the best treatment.
The law acknowledges this and provides supporting legal justifications.
Individuals have the right to make pre-determined decisions about the type and extent of care they will receive should they fall ill in the future, these are known as “Advance Directives”. If lodged in your records these will normally be honoured despite the observations in the first paragraph.
1) Data Controller contact details:
Greenwich Health/Patients Host Practice
2) Data Protection Officer contact details:
David James, Chief Operating Office and DPO
25-27 John Wilson Street, Woolwich, London, SE18 6PZ
3) Purpose of the processing
Doctors have a professional responsibility to share data in emergencies to protect their patients or other persons. Often in emergency situations the patient is unable to provide consent.
4) Lawful basis for processing
This is a Direct Care purpose. There is a specific legal justification;
Article 6(1)(d) “processing is necessary to protect the vital interests of the data subject or of another natural person”
And
Article 9(2)(c) “processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent”
Or alternatively
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*
5) Recipient or categories of recipients of the shared data
The data will be shared with Healthcare professionals and other workers in emergency and out of hours services and at local hospitals, diagnostic and treatment centres.
6) Rights to object
You have the right to object to some or all of the information being shared with the recipients. Contact the Data Controller or the company. You also have the right to have an “Advance Directive” placed in your records and brought to the attention of relevant healthcare workers or staff.
7) Right to access and correct
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law. If we share or process your data in an emergency when you have not been able to consent, we will notify you at the earliest opportunity.
8) Retention period
The data will be retained in line with the law and national guidance.
9) Right to Complain
You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)
Privacy Notice Direct Care – Care Quality Commission
Plain English Definition
The Care Quality Commission (CQC) is an organisation established in English law by the Health and Social Care Act. The CQC is the regulator for English health and social care services to ensure that safe care is provided. They inspect and produce reports on all English general practices in a rolling 5 year program. The law allows CQC to access identifiable patient data as well as requiring this company to share certain types of data with them in certain circumstances, for instance following a significant safety incident.
For more information about the CQC see: http://www.cqc.org.uk/
1) Data Controller contact details:
Greenwich Health/Patients Host Practice
2) Data Protection Officer contact details:
David James, Chief Operating Office and DPO
25-27 John Wilson Street, Woolwich, London, SE18 6PZ
3) Purpose of the processing
To provide the Secretary of State and others with information and reports on the status, activity and performance of the NHS. The provide specific reporting functions on identified.
4) Lawful basis for processing
The legal basis will be
Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”
And
Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”
5) Recipient or categories of recipients of the shared data
The data will be shared with the Care Quality Commission, its officers and staff and members of the inspection teams that visit us from time to time.
6) Rights to object
You have the right to object to some or all of the information being shared with NHS Digital. Contact the Data Controller or the company.
7) Right to access and correct
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention period
The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.
9) Right to Complain
You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)
Privacy Notice Direct Care – Safeguarding
Some members of society are recognised as needing protection, for example children and vulnerable adults. If a person is identified as being at risk from harm we are expected as professionals to do what we can to protect them. In addition we are bound by certain specific laws that exist to protect individuals. This is called “Safeguarding”.
Where there is a suspected or actual safeguarding issue we will share information that we hold with other relevant agencies whether or not the individual or their representative agrees.
There are three laws that allow us to do this without relying on the individual or their representatives agreement (unconsented processing), these are:
Section 47 of The Children Act 1989 :
(https://www.legislation.gov.uk/ukpga/1989/41/section/47),
Section 29 of Data Protection Act (prevention of crime) https://www.legislation.gov.uk/ukpga/1998/29/section/29
and
section 45 of the Care Act 2014 http://www.legislation.gov.uk/ukpga/2014/23/section/45/enacted.
In addition there are circumstances when we will seek the agreement (consented processing) of the individual or their representative to share information with local child protection services, the relevant law being; section 17 Childrens Act 1989 https://www.legislation.gov.uk/ukpga/1989/41/section/17
1) Data Controller contact details:
Greenwich Health/Patients Host Practice
2) Data Protection Officer contact details:
David James, Chief Operating Office and DPO
25-27 John Wilson Street, Woolwich, London, SE18 6PZ
3) Purpose of the processing
The purpose of the processing is to protect the child or vulnerable adult.
4) Lawful basis for processing
The sharing is a legal requirement to protect vulnerable children or adults, therefore for the purposes of safeguarding children and vulnerable adults, the following Article 6 and 9 conditions apply:
For consented processing;
6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes
For unconsented processing;
6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject
and:
9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law..’
We will consider your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*
5) Recipient or categories of recipients of the shared data
The data will be shared with Anita Erhabor (Designated Nurse Safeguarding Lead – 020 3049 9002/07988 005 5383) or The Multiagency Safeguarding Hub (MASH – 020 8921 3172)
6) Rights to object
This sharing is a legal and professional requirement and therefore there is no right to object.
There is also GMC guidance:
https://www.gmc-uk.org/guidance/ethical_guidance/children_guidance_56_63_child_protection.asp
7) Right to access and correct
The DSs or legal representatives has the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention period
The data will be retained for active use during any investigation and thereafter retained in an inactive stored form according to the law and national guidance.
9) Right to Complain
You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)
* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
-
where the individual to whom the information relates has consented;
-
where disclosure is in the public interest; and
-
where there is a legal duty to do so, for example a court order.
Service Providers
Google Analytics
Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Service. This data is shared with other Google services. Google may use the collected data to contextualise and personalise the ads of its own advertising network.You can opt-out of having made your activity on the Service available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (ga.js, analytics.js, and dc.js) from sharing information with Google Analytics about visits activity.For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: https://policies.google.com/privacy?hl=en
Facebook remarketing service is provided by Facebook Inc. You can learn more about interest-based advertising from Facebook by visiting this page: https://www.facebook.com/help/164968693837950
To opt-out from Facebook’s interest-based ads follow these instructions from Facebook: https://www.facebook.com/help/568137493302217
Facebook adheres to the Self-Regulatory Principles for Online Behavioral Advertising established by the Digital Advertising Alliance. You can also opt-out from Facebook and other participating companies through the Digital Advertising Alliance in the USA http://www.aboutads.info/choices/, the Digital Advertising Alliance of Canada in Canada http://youradchoices.ca/ or the European Interactive Digital Advertising Alliance in Europe http://www.youronlinechoices.eu/, or opt-out using your mobile device settings.
For more information on the privacy practices of Facebook, please visit Facebook’s Data Policy: https://www.facebook.com/privacy/explanation