Abihealth Privacy Policy:

Patient Privacy Effective Date: 20/9/2020

Version: 2.0 Review Date: 24/01/2024

BACKGROUND

At Abihealth we are committed to protecting the privacy of all who come into contact with our organisation, whether that be as a patient or in a working capacity. In this policy we explain how we collect and process data subject information so that it complies with the legal obligations of the Data Protection Act 2018 and the EU General Data Protection Regulation (GDPR). By following this legislation, we ensure that data is processed lawfully, fairly and transparently. The policy should be read in parallel with our Terms and Conditions.

PURPOSE

The purpose of this policy is to provide our patients with information on:

• why we collect information about them
• how we intend to use that information and why
• how we would share this information with anyone else
• What privacy rights our patients have, and how the law protects them

This Policy is kept on our website in order to meet this purpose

SCOPE

This policy is for patients and all other data subjects who come into contact with our organisation.

DEFINITIONS/ WHO IS WHO

• Abihealth is a ‘Data Controller’ for the purposes of these individuals’ personal data and is responsible for determining the purpose and means of the processing of that data
• Patients (as well as all past and current employees, workers, volunteers, consultants and apprentices) are ‘Data Subjects’
• Abihealth has appointed a ‘Data Protection Officer’ who is responsible for overseeing what we do with your information and monitoring our compliance with data protection law
• ‘Patient Data’: AS a healthcare provider Abihealth is required to maintain medical records of care provided. We store Patient Data in a medical records system specifically developed in order to fulfil the requirements of the applicable legislation. This is operated by a third-party provider. Patient data is handled and stored within the UK

THE SIX DATA PROTECTION PRINCIPLES

Abihealthprocesses personal data in accordance with the six Data Protection Principles for GDPR identified by the ICO. These require that data:

1. Be adequate, relevant and limited to what is necessary for the purposes for which it is processes.
2. Be processed fairly, lawfully and transparent.
3. Be accurate and kept up to date. Any inaccurate data must be deleted or rectified without delay.
4. Be collected and processed only for specified, explicit and legitimate purposes.
5. Not be kept for longer than is necessary for the purposes for which it is processed.
6. Be processed securely.

WHAT PERSONAL DATA DOES ABIHEALTH STORE?

‘Personal data’ is defined as information relating to a living person (‘data subject’) that can be used to identify them on its own, OR in combination with other information likely to be collected by the organisation. This applies whether the information is stored physically, electronically, or in any other format.

Personal data might be provided to the organisation by the individual, or someone else (such as your NHS GP), or it could be created by the organisation. For those seeking to work for Abihealth it could be provided or created as part of the recruitment process; in the course of the contract of employment (or services); or after its termination.

The types of personal data we collect are:

Personal Details – When patients register with us, and as they receive ongoing care from us, we collect the following to enable us to provide an ongoing effective service:

• Personal Details (such as name, date of birth, gender, marital status)
• Contact details (such as address, email address and personal telephone numbers
• Emergency contact details
• Information about other relevant care providers (such as the patient’s NHS GP and consultants whose care they are under)
• Financial information (such as bank account details)

Patients are responsible for the accuracy of personal data that they provide us with. Health and (typically more sensitive) health-related information: – Whilst providing you with healthcare we will assimilate further sensitive information about you, which may include special categories of personal data about you. This includes:

• Health Data: information including health data from consultations with us, health data derived from our patients directly or via devices, and past medical history.
• Information about racial or ethnic origin
• Information about political opinions
• Information about religious beliefs
• Information about sexual orientation
• Information regarding employment

HOW AND WHY DO WE USE AND SHARE THIS DATA?

We collect personal information about our patients that we require in order for us to provide high quality, safe, effective healthcare, and in order to satisfy our contract with our patients as comprised in our terms and conditions.

There are instances where we are required by law to collect personal data, and from time to time we may require to collect personal data as per the terms of a contract we have with that patient. This data can be collected by us direct from the patient prior to and during treatment by us, via relatives and friends who may provide us with information about a patient, or from external sources referring to us (e.g., an employing organisation directing you to us) or updating us following a referral (e.g., a healthcare professional who we have referred to writing back to us).

Everyone working for our organisation is subject to the Common Law Duty of Confidentiality. Information provided to us in confidence by or in consultation with our patients will only be used for the purposes advised, unless there are other circumstances covered by the law. We will only share patient information where there is a lawful basis, such as:

• Performing the contract of services between the Practice and the individual
• Complying with any legal obligation
• If it is necessary for the Company’s legitimate interests (or for the legitimate interests of someone else). The Practice can only do this in circumstances where the individual’s interests and rights do not override those of the Practice (or their own). Individuals have the right to challenge the Practice’s legitimate interests and request that this processing be halted

EXAMPLES OF HOW THE COMPANY WILL USE THE PERSONAL DATA OF OUR PATIENTS INCLUDES:

• For provision of healthcare including medical diagnosis and treatment
• For securely sharing prescriptions with pharmacies
• For securely sharing with laboratory services to accompany samples we have taken
• For sharing care episodes with your NHS GP (with your consent)
• For referrals to other health and social care organisations
• For secure administration of payments (NB Where payments are required, credit and debit card details will be taken and handled by a third-party processor that will store all payment information and transaction details. We will retain details of transactions but will not retain card information.)
• Where required to share information in compliance with reasonable requests by regulatory bodies including the General Medical Council, MHRA, and Care Quality Commission
• As otherwise required by law, for example the Children’s Act 1989 requires information to be shared in Safeguarding cases
• Police and other law enforcement agencies in limited circumstances where we are asked to provide information for criminal investigations
• Protection of vital interests, for example to protect someone’s physical integrity of life
• Measuring and improving our service through, for example clinical audit and service monitoring: Information may be used to monitor the quality of the service we provide. Where we do this, we take strict measures to ensure individual patients cannot be identified and the information is anonymized.
• Aggregated data for the purposes of analysing and presenting trends such as consultation numbers per month. NB no data that can identify an individual will ever be used in aggregated data)
• Marketing purposes – strictly with your consent, which it is your right to withdraw at any time
• Security – we may need to capture recordings of you such as CCTV footage for security purposes

Wherever possible we do so with patient consent, providing the patient has capacity to give this, or with consent from an authorised representative

WHERE IS PATIENT DATA KEPT?

Health record data is kept in the UK stored by a third party electronic medical records company, with whom we have a contract that protects your privacy.

HOW LONG IS DATA STORED?

We retain personal information for as long as is necessary to fulfil the purposes for which we have collected it. Where we no longer have a lawful basis for holding patient data, we will securely destroy it. Regarding retention periods for healthcare data, we follow the recommendations made in the Records Management Code of Practice for Health and Social Care 2016 (https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care). For other personal data, we consider the amount, nature and sensitivity of the data, and the potential risk of harm from unauthorized use or disclosure.

DATA SUBJECT RIGHTS

As data subjects, patients have the right to information about what personal data an organisation controls and or processes, how it is processed and on what basis. They have the right to:

• Access their personal data via a Subject Access Request
• Correct any inaccuracies in their personal data
• Request that we erase their personal data in the case that the organisation was not entitled under the law to process it, or the data is no longer needed for the purpose it was collected
• Object to data processing where the organisation is relying on a legitimate interest to do so, and the data subject contends that their rights and interests outweigh those of the organization and wish us to stop
• Object if the organization processes their personal data for marketing purposes
• Request the transfer of their personal information to another healthcare company acting as a controller who provides a similar level of service to Abihealth.
• Be notified of a data security breach (within the appropriate timescales) concerning their personal data

For any of the above, or any other objections to how we handle data, please contact our Data Protection Officer. This can be done by:

• Email: by emailing [email protected] and addressing your email to the Data Protection Officer (DPO) (for especially sensitive requests/ objections We may require requests in writing with your signature, in which case we will contact you accordingly)
• Writing: by writing to Data Protection Officer, Abihealth Solutions, 15-17 Britannia Road, Sale, Manchester, M332AA

In most situations for the purposes of the provision of safe effective healthcare, the company will not rely on consent as a lawful ground to process patient data. If the organisation does request consent to the processing of your personal data for a specific purpose, for example marketing, the patient should have the right to decline or withdraw your consent at a later time. To withdraw consent, you should contact c[email protected].

HANDLING DATA BREACHES

Abihealth has measures in place to minimise and prevent data breaches from occurring, however, we recognize that they can happen at any time, and should they happen we recognize our responsibilities. Should a breach of personal data occur, Abihealth will make note of the relevant details and circumstances, and keep evidence related to that breach. If the breach is likely to result in a risk to the rights and freedoms of individuals, then the Practice will notify the Information Commissioner’s Office within 72 hours. If you are aware of a data breach, you must contact our Data Protection Officer immediately and retain any related evidence to the breach that you may have.

SUBJECT ACCESS REQUESTS

Data subjects can make a Subject Access Request (‘SAR’) to access the information that the organisation holds about them. If you wish to make a SAR in relation to your own personal data this should be made in writing to the Data Protection Officer, sent to our postal address. The Organisation will respond within one month unless the request is complex or numerous – if this is the case, then the Practice will need more time to complete the request and can extend the response period by a further two months.

A Subject Access Request does not incur a fee, however, if the request is deemed to be manifestly unfounded or excessive then Organisation is entitled to charge a reasonable administrative fee or refuse to respond to the request.

DATA SUBJECTS’ CONCERNS AND COMPLAINTS

If you have any concerns or a complaint with how we manage your data and privacy, we ask that you first contact us at [email protected], call us on 01615182999, or write to us at Abihealth Solutions, 15-17 Britannia Road, Sale, Manchester, M332AA. Whilst we would always prefer to hear from you first, you do however have the right to make a complaint via the Information Commissioner’s Office (www.ico.org.uk) who are the UK supervisory authority for data protection issues (www.ico.org.uk).

FUTURE POLICY UPDATES

We may update this policy at any time, and we will notify our customer base of any changes and a link to our updated policy when we make any updates.

We may also notify you in other ways from time to time about the processing of your personal information.

RESOURCES

Information Commissioner’s Office website

www.ico.org.uk

Abihealth ICO Number – ZA522731 

• Data Protection and Information Security Policy and Procedures
• Medical Record Management Policy

COOKIES

Our site uses Cookies from Google Analytics. This helps our website know who is visiting for the first time, who is returning and what device you are using. This information helps us develop this site to provide you with a better experience. Cookies do not contain personal information but do uniquely identify your web browser.