Privacy Notice – R&B Clinical
This privacy notice explains why R&B Clinical collects information about you, how it is kept secure and how that information is used.
This notice will explain:
- Why we collect your information, what is collected and how we use it
- How we keep your information safe and secure
- Why we share your information and who with
- How to opt out of sharing your data
- Your data rights under UK GDPR 2021
- How long we can legally keep your information
- The lawful basis for processing your personal and sensitive information
- How to complain
Introduction
The General Data Protection Regulation (GDPR) became law on 25 May 2018. This regulation protects the personal and sensitive data of a living individual. It is currently known as the UK GDPR 2021 after the United Kingdom withdrew from the European Union on 31 January 2020.
R&B Clinical are the data controller for any personal and sensitive data we hold about you. We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- Data Protection Act 2018
- The GDPR 2016 and UK GDPR 2021
- The Human Rights Act 1998
- Common Law Duty of Confidentiality
- Health and Social Care Act 2012
- NHS Codes of Confidentiality, Information Security and Records Management
- The Caldicott Principles
Why do we collect your information?
Healthcare professionals who provide you with care are required by law to maintain your medical record with details of any care or treatment you received. This information will be used to aid clinicians in making decisions, either individually or jointly, about your health and to make sure it is safe and effective. Other reasons include:
- Looking after the health of the public
- Development of future services to better serve the practice population
- To help us investigate patients’ concerns, complaints or legal claims
- Allowing clinicians to review their service of care to ensure it is of the highest standard, and providing a basis for further training if care is not as expected
- Research Ethics Committee approved research (patient consent will be required)
What information do we collect?
The healthcare professionals who provide you with care maintain records about your health and any treatment or care you receive as a patient under our service. These records help to provide you with the best possible healthcare.
Information we hold about you may include the following:
- Your personal details, i.e. address, next of kin, contact details, email address
- Contact you have had with the service, i.e. appointments including what kind of appointment, who it was with and what happened during the appointment
- Reports about your health, treatment and care
- Results of investigations, i.e. laboratory test results, x-rays, scan results, etc.
- Information provided to the service by you (including information you provide via our service website).
How do we keep your information safe and secure?
Every member of staff who works for R&B Clinical has a legal obligation to keep information about you confidential. We maintain our duty of confidentiality by conducting annual training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access.
We will not disclose your information to any third party without your permission unless there are exceptional circumstances, or where the law requires information to be passed on, for example:
- We believe you are putting yourself at risk of serious harm.
- We believe you are putting a third party (adult or child) at risk of serious harm.
- We have been instructed to do so via a court order made against the service.
- Your information is essential for the investigation of a serious crime.
- You are subject to the Mental Health Act (1983).
- The UK Health Security Agency and Office for Health Improvement and Disparities need to be notified of certain infectious diseases.
- Regulators use their legal powers to request your information as part of an investigation.
Our policy is to respect the privacy of our patients, their families and our staff, and to maintain compliance with the UK GDPR and all UK specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be protected.
All employees must sign a confidentiality agreement as part of their condition of employment. We also ensure that data processors who support us are legally and contractually bound to operate and prove security arrangements are in place where data which could or does identify a person are processed.
Third party processors include:
- Companies which provide core IT services and support to the practice and its clinical systems
- Systems which manage patient-facing services (PFS) – the service website, data hosting service providers, appointment booking systems, electronic prescription services, document management services, text messaging services, etc.
- Clinical systems (Semble)
For more information, please see ‘Data Processors’ below.
We will email or text you regarding matters of medical care, such as appointment reminders and, if appropriate, test results, unless you have separately given the service your explicit consent to do so. We maintain our duty of confidentiality to you and will only use or share information with others if they have a genuine need for it. We will not share your information to a third party without your permission, unless there are exceptional circumstances, i.e., life and death, or where the law requires us to share your information.
Why do we share your information, and who do we share it with?
Confidential patient data will be shared within the healthcare team at the service, including nursing staff, administration staff (prescription, secretaries, reception, finance) and with other healthcare professionals to whom a patient is referred with patient consent.
Data processors
The service uses data processors to perform certain administrative tasks for us, particularly where these involve large numbers of patients. Details of the data processors are listed below:
- Semble – Health Clinical Systems
- SignatureRx – Prescription Service
- The Doctors Laboratory – Private Pathology Service
- Babbelvoice – Phone System (call recording)
- Stripe – Card Payment system
- Sumup – Card Payment system
- Univision – CCTV monitoring system
Data sharing schemes
We do not have any data sharing schemes in place, but we may ask you to provide us with a copy of your GP Medical record, which can be accessed electronically online. This can be activated by your GP practice at your request. Summary Care Record - NHS England have also created a Summary Care Record which contains information about medication you are taking, allergies you suffer from and any bad reactions to medication that you have had in the past.
Mandatory disclosure of information
We are sometimes legally obliged to disclose information about patients to relevant authorities. In these circumstances the minimum identifiable information that is essential to serve that legal purpose will be disclosed.
The organisation also has a professional and contractual duty of confidentiality. Data will be anonymised where possible before disclosure, if this would serve the purpose for which the data is required.
Organisations to which we are legally obliged to release patient data include:
- Care Quality Commission
- Driver and Vehicle Licensing Agency
- General Medical Council
- His Majesty’s Revenue & Customs
- Police
- The Courts
- UK Health Security Agency and Office for Health Improvement and Disparities
- Local Authorities (Social Services)
- The Health Service Ombudsman
- Medical defence organisation – in the event of actual or possible legal proceedings
Permissive disclosure of information
The service can release information from your medical records to relevant organisations, only with your explicit consent. These include:
- Your employer
- Insurance companies
- Solicitors
- Local Authorities (the Council)
- Police
- Community hospitals
- Palliative care hospitals
- Mental health Trusts
- NHS hospitals
- Social care organisations
- NHS commissioning support units
- Independent contractors, i.e., dentists, opticians, pharmacists
- Private sector providers
- Voluntary sector providers
- Local ambulance Trust
- Education services
- Fire and Rescue services
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Legal basis for processing your personal data
We need to know your personal, sensitive, and confidential data so that we can provide you with healthcare services as a private GP provider service. Under the rules of the General Data Protection Regulation (GDPR) there are different reasons why we may process your data; however, we mostly rely upon:
Article 6(1)(e): Official Authority; and
Article 9(2)(h): Provision of health
for much of our processing, in particular:
- Maintaining your electronic health record
- Sharing information from, or allowing access to, healthcare professionals involved in providing you with direct medical care
- Referrals for specific healthcare purposes
- Our data processors
- Organising your prescriptions and investigations
- Some permissive disclosures of information
We also rely upon:
- Article 6(1)(d): Vital interests – to share information with another healthcare professional in a medical emergency.
- Article 6(1)(c): Legal obligation – mandatory disclosure of information to NHS Digital and CQC, etc.
- Article 6(1)(a): Consent – certain permissive disclosures of information, i.e., insurance companies.
- Article 9(2)(j): Research – for accredited research undertaken in the surgery, with your explicit consent.
Your data rights
The UK GDPR allows you to ask for any information the service holds about you. It also allows you to ask the service to rectify any factually inaccurate information and object to how your information is shared with other organisations (opt-out).
Data being used or shared for purposes beyond individual direct care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Right of access
The service holds both personal and sensitive data (health records) about you. If you need to review a copy of your record, you can contact the service to make a ‘Subject Access Request’. Please note, if you receive a copy, there may be information that has been hidden. Under UK GDPR the service is legally permitted to apply specific restrictions to the released information. The most common restrictions include:
- Information about other people (known as ‘third party’ data), unless you provided the information or they have consented to the release of their data held within your health records.
- Information which may cause serious physical or mental harm to you or another living person. For some Subject Access Request cases, a GP will perform a ‘serious harm test’. If the GP has any cause to believe that specific information will cause you or someone else serious harm, it will not be released.
Right to rectification
You have the right to have any factual inaccuracies about you in your health record corrected. Please contact the service with your request.
Right to withdraw consent
Where the service has obtained your consent to process your personal data for certain activities, (e.g., preparation for a subject access request for a third party), you have the right to withdraw your consent at any time.
What should you do if your personal information changes?
It is important that you tell the person treating you if any of your details, such as your name or address, have changed, or if any of your details, such as your date of birth, are incorrect, so that they can be amended. You have a responsibility to inform us as soon as possible of any changes so that our records are accurate and up to date for you.
How long will we store your data?
The NHS Records Management Code of Practice 2021, which replaces the 2016 version, identifies specific retention periods which are listed in Appendix II: Retention Schedule.
Please see https://www.nhsx.nhs.uk/information-governance/guidance/records-management-code/records-management-code-of-practice-2021/ for a copy of the 2021 NHS retention period policy.
How can you complain?
If you have any concerns about how your data is managed, please contact the Business Manager in the first instance.
For independent advice about data protection, privacy and data sharing issues, you can contact:
The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF
Tel: 0303 123 1113
Web: www.ico.org.uk
Further information
If you have any concerns about how your data is shared or would like to know more about your rights in respect of your personal data held by the service, please contact the Data Protection Officer.
Data Protection Officer
Any queries about data protection issues should be addressed to:
Dr Robert Caudwell
Email: randbclinical@gmail.com
ICO Registration: ZB551183