The Dermatology Partnership are committed to protecting the privacy and security of your personal information. We will ensure that any information you provide to us will be collected and used in accordance with the General Data Protection Regulation and the Data Protection Act 2018. This Data Protection Privacy Statement explains how we will collect, use, disclose and protect your personal data.

1. Collection of Personal Data

Most of the personal information we process is provided to us directly by you or by our partners, for one of the following reasons:
  • You have used one of our services.
  • Your information has been passed to us by our partners, such as results of tests and information from people who care for you, including health professionals and relatives.
  • You have applied for a job or position with us.
  • You have given us feedback or posted on one of our social media sites.
  • The professionals caring for you keep records about your health and any care you receive to ensure that you are provided with the best possible treatment.
  • You have registered for one of our healthcare trainings.
The types of personal data we collect are:
  • Contact information (e.g. name, email address, telephone number).
  • Demographic information (e.g. age, gender, address).
  • Payment information (e.g. credit card details, insurance company details).
  • Interaction data (e.g. website usage, purchase history).
  • Medical history (e.g. allergies, medication, conditions).

2. How we use your personal information

Your personal data is used in accordance with Data Protection Laws for the following:
  • Patient data is held for the purpose of providing patients with appropriate, high quality, safe and effective care and treatment.
  • Staff employment data is held in accordance with Employment, Taxation and Pensions law.
  • Contractors’ data is held for the purpose of managing their contracts.
  • Healthcare professionals’ data is held for the purpose of providing training.
We may also use your data to help us improve our services by:
  • Reviewing the care we provide to our patients by way of patient and partner surveys.
  • Sending you marketing and promotional materials.
  • Investigating patient queries, complaints, incidents and legal claims.

3. What is the Lawful Basis for processing Personal Data?

The General Data Protection Regulation (GDPR) sets out conditions for lawful processing of personal data (Article 6) and further conditions for processing special categories of personal data (Article 9). These are similar to the conditions in Schedules 2 and 3 of the Data Protection Act 1998 (DPA98), with sensitive personal data now called ‘special categories’ of personal data. As personal data concerning health is one of the special categories, organisations that process such data must be able to demonstrate that they have met a condition in both Article 6 and Article 9 of the GDPR.

The lawful basis for processing special category health data for direct care is that processing is: ‘necessary… in the exercise of official authority vested in the controller’ (Article 6(1)e). Additionally, sometimes ‘processing is necessary for compliance with a legal obligation to which the controller is subject’ (Article 6(1)c). For these bases, we need to demonstrate that we do have the official authority.

The special category condition for processing for direct care is that processing is: ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’ (Article 9(2)(h)).

In addition to a GDPR Article 9 condition for processing, it is also necessary to identify an additional condition in Schedule 1 of the DPA 2018. For the provision of direct care the relevant condition is ‘Health or social care purposes’ (Schedule 1, Part 1 (2)).

Where there are concerns about public health, such as for notifiable diseases, the lawful basis for processing personal data is: 9(2)(j) ‘…necessary for reasons of public interest in the area of public health…or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’

For a suspected or actual safeguarding issue we will share information that we hold with other relevant agencies whether or not the individual or their representative agrees. The purpose of the processing is to protect the child or vulnerable adult. The lawful basis for processing personal information is: 6(1)(c) legal obligation and 9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law’.

Where there is a request for personal confidential data from an insurance company, solicitor, or employer (or similar third party) the lawful basis and lawful condition for processing will be explicit consent under both Article 6(1)(a) and Article 9(1)(a).

Sometimes, we may rely on 6(1)f legitimate interests as a basis for processing carried out not in the performance of our official tasks, such as for system backup and recovery processes.

Service Improvement

The purpose for implementing the above is to maintain and monitor the performance of our services and to constantly look to improve the site and the services it offers to our users. The lawful basis we rely on to process your personal data is either Article 6(1)(a) of the GDPR, for example when we require your consent for surveys, or Article 6(1)(f) which allows us to process personal data when it’s necessary for our legitimate interests. You have the right to opt out of your data being processed for these purposes.

Representation of Organisation

We process small amounts of data for those representing other organisations, such as partner organisations and suppliers. This will usually be limited to, for example, contact details, as is covered by Article 6(1)b whereby processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.

Application and Employment

The lawful basis for processing data for job applications and employment is covered by Article 6(1)b, whereby ‘processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract’, and 6(1)c, ‘processing is necessary for compliance with a legal obligation to which the controller is subject’.

4. Your Data Protection Rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances.

Your right to object to processing

You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests.

Your right to data portability

This only applies to the information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into, a contract, and the processing is automated.

5. Who might we share your data with?

We may share information with relevant third parties for direct care or safeguarding purposes. Under the Data Protection Act and the NHS Confidentiality Code of Conduct, all our staff are required to protect your information, inform you of how your information will be used and that it will be shared across your integrated care team when relevant. We will share information about you with staff in other organisations when it is necessary for your care. These may include:
  • Your GP practice
  • Other healthcare professionals involved in your care
  • Local authorities
Sometimes we must pass on personal information by law, for example:
  • When required to by a formal court order
  • When sharing information with the police may prevent a serious crime or prevent harm to you or other people.

6. Do we use Data Processors?

We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for only the period we instruct.

This data is held in England. We do not process data outside England.

We will not share your information with any third parties for the purpose of direct marketing.

7. How long is the Personal Data stored for?

We will store patient data for as long as we are providing care, treatment or recalling patients for further care. We will archive it (that is, store it without further action) for as long as is required for legal purposes, as recommended by the NHS or other trusted experts.

We must store employment data for six years after an employee has left.

We must store contractors’ data for seven years after the contract is ended.

We will store healthcare professionals’ data held for training purposes for as long as we are creating training materials. If you no longer wish to receive updates on our training then please email [email protected] to remove your details from our database.

8. What if you are not happy or wish to raise a concern about our data processing?

You can complain in the first instance to our Data Protection Officer by emailing [email protected] and we will do our best to resolve the matter. If your query is unable to be resolved satisfactorily you can complain to the Information Commissioner at www.ico.org.uk/concerns or by calling 0303 123 1113.