Fair Processing Notice (Privacy Notice)
This Fair Processing Notice informs all users of MediServices healthcare Ltd, how we use the information we collect, who we share it with and how we maintain patient confidentiality.
Our commitment to Data Privacy and Confidentiality Issues
All our Professional Practitioners, staff and associated practitioners are committed to protecting your privacy and will only process data in accordance with the Data Protection Legislation. This includes the General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act (DPA) 2018, the Law Enforcement Directive (Directive (EU) 2016/680) (LED) and any applicable national Laws implementing them as amended from time to time. The legislation requires us to process personal data only if there is a legitimate basis for doing so and that any processing must be fair and lawful.
In addition, consideration will also be given to all applicable Law concerning privacy, confidentiality, the processing and sharing of personal data including the Human Rights Act 1998, the Health and Social Care Act 2012 as amended by the Health and Social Care (Safety and Quality) Act 2015, the common law duty of confidentiality and the Privacy and Electronic Communications (EC Directive) Regulations.
This statement is a written record that demonstrates that we have shown due regard to the need to eliminate unlawful discrimination, advance equality of opportunity and foster good relations with respect to the characteristics protected by equality law.
Why we collect information about you.
We collect and process personal and sensitive personal data about our service users to ensure that you receive the best possible treatment and care.
Information is collected in several ways, either via your healthcare professional, referral details from your GP or other referrers, or directly given by you.
To lawfully process this personal data, as required under UK Data Protection Act 2018 and the EU General Data Protection Regulation 2016/679 (Article 6 (1)), there must be an appropriate legal basis such as:
- direct clinical care
- medical diagnosis and treatment
Categories of data
We collect information and maintain records about your health and treatment to make sure that you receive the best possible medical diagnosis, care treatment.
This information may be stored electronically and may include the following:
- Details such as your name, address, date of birth, next of kin, ethnicity, and contact details.
- Details about your care and treatment such as appointments, test results, medical history,
- symptoms, which has been provided by our partners (Referrer or NHS Trust).
- All information about patients is treated confidentially and only ever shared on a need to know basis.
Whilst attending the appointment for clinics, the NHS Trust also records CCTV images for the prevention and detection of crime and to protect staff, patients, and visitors and Trust property. (This is not monitored by MediServices)
Security of information
We take our duty to protect your personal information and confidentiality very seriously and everyone working for the NHS has a legal duty to keep information about patient’s confidential and secure, as set out in the NHS Confidentiality Code of Conduct
The information is held and processed in accordance with and under the legal governance of:
- UK Data Protection Act 2018
- EU General Data Protection Regulation 2016/679
- Human Rights Act 1998
- Health and Social Care Act 2015
- Common Law Duty of Confidentiality
- The Health Service Act 2006
- Records Management NHS Code of Practice for Health and Social Care
We are regularly audited and assessed to ensure that appropriate security measures and good practice is in place. We ensure that the information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personnel only.
Senior Information Risk Owner, who provides the focus for the management of information risk and provides our Trust Board with assurance that information risk is being managed appropriately and effectively across the organisation. A Caldicott Guardian, who is a senior health professional responsible for protecting the confidentiality of patient information and enabling and overseeing appropriate information-sharing.
All employees are bound by the terms and conditions of their professional ethic codes of practice and contractual employment contract. Only authorised staff who have a legitimate involvement in patient care are given access to the records. Any potential breach of confidentiality is a staff disciplinary offence and is taken very seriously. We also ensure that other organisations e.g., suppliers who support us, have adequate information security standards in place.
All information held is used specifically for the purposes it was consented to unless
statutory legislation permits otherwise, for example disclosure is required to protect the health and safety of others who may be put at risk, or there is an urgent safeguarding matter to resolve.
We will only keep your information if it is necessary and in accordance with the retention periods set out in the retention policy of the data controller or Records Management Code of Practice 2021
All records are destroyed confidentially once their retention period has been met, and the Trust has made the decision that the records are no longer required.
Direct care purposes
The NHS Trust, partners or referrer will normally share information about patient with MediServices. we arrange the clinics for diagnostic care, once patient is seen the report will be shared back to the referrer exclusively through secure email, so that you may receive the best quality of care.
Data sharing agreements with MediServices and Partners are in place to ensure that the requirements of law and guidance are being met. Principal organisations.
All information will be stored securely on a protected IT system and only accessed by authorised persons.
Indirect care purposes
Your information will also be used to help us manage and improve the NHS and protect the health of the public by using it to:
- Investigate patient queries, complaints, and legal claims.
- Patient Satisfaction Surveys
Nationally there are strict controls on how your information is used for these purposes. These regulate whether your information must be anonymised first and with whom we may share identifiable information.
Where information sharing is required with third parties, we will always have a relevant contractual obligation and Data Sharing Agreement in place and will not disclose any health information without your explicit consent unless there are exceptional circumstances, e.g., if the health or safety of others was at risk or where the law requires it to carry out a statutory function.
Confidential personal information about your health and care is only used where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.
SMS text messaging
When attending the Trust for an outpatient appointment or procedure, patients may be asked to confirm their contact number/mobile telephone number. We may use these numbers or where you have provided your contact details from the referral from our partners, to send your appointment details and reminder messages via SMS text message.
Most of our patients appreciate these reminders and it can help in reducing the number of missed appointments. If you do not wish to receive these texts, please inform us.
Patient Satisfaction Surveys
We may also use your details to contact you with regards to patient satisfaction surveys relating to services you have used. This is to improve the way we deliver healthcare to you and other patients.
The Trust may also pass your contact information to approved contractor to carry out surveys for the purpose of implementation. Only anonymised reports/referrals are used to help make service improvements. Details about any such surveys will be informed through posters and leaflets to enable you to make an informed decision. Any objection to taking part will be respected and you have the right to opt-out of this.
How to access your health records, raising concerns.
The EU General Data Protection Regulation 2016/679 and UK Data Protection Act Law 2018 give you the right to access the information we hold about you. Requests must be made in writing to:
MediServices healthcare Group
Unit 28, Greenland's Business Centre,
Studley road, Redditch, B98 7HD
Freedom of Information
The Freedom of Information Act 2000 provides members of the public access to recorded official information held by public authorities, subject to exemptions. For more details or to request some information from us
A Data Controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which, and the way, any personal data are, or are to be, processed.
The Data Processor is responsible for processing data on behalf of the data controller as set out in the data controllers' agreement.
Notification with Information Commissioner's Office (ICO)
The ICO is the UK's independent regulatory body set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
We are data protection registered with the ICO, registration number: ZA228727.
Patients have the right to complain to the Information Commissioner, the supervisory authority, if they should ever be dissatisfied with the way we have handled or shared their personal information:
The Information Commissioner's Office (ICO)
Tel: 0303 123 1113
Information Commissioner's Office website (www.ico.org.uk)