Privacy Notice

Urgent Care 24 (UC24) is a Mutual Society registered with the Financial Conduct Authority delivering NHS services to the residents of Halton, Knowsley, Liverpool and Sefton. UC24 works exclusively for the NHS and provides the following services:

• An Out of Hours Service – for urgent care when your regular GP Practice is closed, covering the populations of Halton, Knowsley and Liverpool
• Primary Care Streaming services in the A&E departments at Alder Hey Children’s Hospital, Aintree Hospitals NHS Trust and the Royal Liverpool University Hospital NHS Trust
• Health assessment service for Asylum Seekers
• Extended Access/Primary Care support for residents registered with GPs in Knowsley
• General Practice in Sefton based at: Crossways Surgery (Liverpool Rd), Crosby Village Surgery, Litherland, Seaforth Village Surgery, Maghull, Thornton

What is a Privacy Notice?

This tells you how UC24 processes information about you in accordance with the General Data Protection Regulations (GDPR). It is called a fair processing notice and explains:

• Why we collect information about you
• How your records are used
• Circumstances where we may need to share information about you and
• Your rights

Your Personal Information

For the purposes of GDPR, UC24 is a “Data Controller”, registered as such with the Information Commissioner’s Office (notification number Z9410058).

How your information is used, and your rights explained:

This Privacy Notice explains how UC24 meets the requirements of GDPR in relation to the information it holds, whether it is digital or on paper, and how information is processed and shared fairly, lawfully and securely.

GDPR states those who record and process personal information must explain how the information is used, and must ensure personal data is:

1. Processed lawfully, fairly and in a transparent manner
2. Collected for specific, lawful and legitimate purposes
3. Adequate, relevant and limited to what is necessary for the purpose
4. Accurate and up to date
5. Kept for no longer than necessary
6. Protected and processed securely.

UC24 uses personal, sensitive, medical and confidential information for a number of specific purposes in order to provide individual care, and to support improving health care and services, through research and planning across a range of services and locations in Halton, Knowsley, Liverpool and Sefton. The information we collect is used:

• To provide safe and effective preventative healthcare services and patient care
• For tasks carried out in the public interest/public health
• To plan future services
• For historical, statistical or research purposes
• Under Legal obligation or performance of an NHS contract
• For the purpose of carrying out obligations under Employment Law
• To contact you with regards to services you have received from us
• To investigate complaints and legal claims
• To prevent serious crime and fraud.

Lawful basis for processing

Processing of data as described in this notice is supported under the following sections of the GDPR:

Article 6(1)(c) – ‘processing is necessary for compliance with a legal obligation to which the controller is subject…’
Article 6(1)(e) – ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and
Article 9(2)(h) – ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’

What laws are relevant to the handling of personal information?

UK and European law determines how organisations can use personal information.
The key legislation and guidance governing the use of information are listed below:

• European Data Protection Regulation (formerly The Data Protection Act 1998)
• The Human Rights Act 1998
• Freedom of Information (Scotland) Act 2002
• Computer Misuse Act 1998
• Access to Health Records Act 1990
• Health and Social Care Act 2015
• Common law Duty of Confidentiality
• NHS Codes of Practice

Information we collect about you

The health care professionals who provide you with care maintain records about your health and can usually view records of any treatment or care you have received previously (e.g. from Hospitals, GP Surgeries, A&E, etc.). These records help to provide you with the best possible healthcare.

Records UC24 holds about you when you have used one of our services may include the following:

• Details about you, such as your address, contact details and next of kin
• Any contact we have had with you, such as appointments, telephone consultations, visits to our Urgent Care Centres/Surgeries or home visits to you by us
• Notes and reports about your health
• Details about your treatment and care
• Results of investigations, such as laboratory tests and x-rays
• Relevant information from other health professionals, relatives or those who care for you

Consent, Data Processing and Data Sharing:

• For most purposes, we will only process your Patient Data with your consent. If consent is given, all patients have the right to withdraw their consent at any time.
• There will be occasions when Patient Data will be shared without consent, particularly to protect vulnerable adults and children, to prevent serious crime or to protect public health.
• Where consent is required and the Patient lacks the capacity to give consent, a legal representative, power of attorney, parent/guardian may consent on their behalf or, in a situation of clinical urgency, the clinician may access Patient Data in the best interests of providing good patient care. Your clinician/care provider will discuss with you the reasons for this where feasible.
• There are specific and clearly defined circumstances where we are required by law to share patient information which can identify you.
• UC24 has an obligation to assist in the prevention of crime and may supply information to the Police, provided we are satisfied that the request is connected to an investigation and that disclosure would be lawful and proportionate.
• UC24 has a legal obligation to safeguard public funds and we reserve the right to check information you have provided for accuracy, in order to detect fraud. We participate in anti-fraud data matching exercises carried out by other agencies such as the NHS Counter Fraud Authority.
• UC24 will share data with local GP Practices, NHS Trusts and Hospitals, Ambulance Services, NHS111 and Community healthcare providers who are directly involved in your care.
• UC24 does not sell or otherwise share personal details to any external or third-party organisations.
• Wherever possible we will use only anonymised data for research, audit and planning purposes.
• A number of statistical analytical exercises may be carried out on the information we hold in order to monitor our performance and to improve our service. These statistics may be published or shared with other organisations, but it will not be possible to identify any individual from the data.
Data Confidentiality and Data Security

• UC24 is committed to taking all reasonable measures to ensure the confidentiality and security of sensitive personal data for which we are responsible, whether computerised or on paper
• All patients and employees have the right to be informed if they have been involved in a personal data breach
• All staff are required to undertake annual information governance training and to be familiar with information governance policies and procedures
• Everyone working for the NHS is subject to the NHS Code of Confidentiality
• Information provided in confidence will only be used for the purposes advised and normally consented to by the service user, unless required or permitted by the law
• We make sure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed
• Our Senior Information Risk Owner (SIRO) is accountable for the management of all information assets and any associated risks and incidents
• The UC24 Caldicott Guardian is a clinician with the responsibility to ensure the protection of patient confidentiality throughout the organisation in accordance with your legal rights
• Our Data Protection Officer monitors compliance, Data Protection Policies and Procedures on behalf of the Controller

They can be contacted by writing to:

Senior Information Risk Owner / Caldicott Guardian / Data Protection Officer
Urgent Care 24
2-4 Enterprise Way
Wavertree Technology Park
Liverpool
L13 1FB

How can I access my personal data?

If you would like to receive a copy of all or part of your medical record, you have the right to request this under a Subject Access Request. There will be no charge for receiving copies of your medical information held by UC24, but there may be a charge for additional copies or for information which we have supplied to you in response to a previous request.
If preferred, an electronic copy can be requested. You only have a right to data relating to you so, if third parties are named in your record, references to those third parties will be removed before we send the information to you. You can authorise someone else to make the application for your records on your behalf and, if you have parental responsibility for a child, you may make an application to see that child’s notes.

In certain circumstances, your records or part of your records may be withheld. If this is the case the reason(s) will be discussed with you. Please be aware that personal information relating to a deceased person is not subject to GDPR but the Access to Health Records Act 1990.

Requests for access to medical records should be completed within 30 days of receipt of request. This can be extended by up to an additional 60 days, if the request is deemed complex, requires additional clarification or multiple requests have been made. UC24 will provide a clear explanation as to why this timescale might be extended in the event of a complex query.

If you would like a copy of some or all of your personal information, please contact the Practice Manager of the surgery and/or the Governance Team (at the address below).

Urgent Care 24
2-4 Enterprise Way
Wavertree Technology Park
Liverpool
L13 1FB

If you are not satisfied with the response you receive you may refer your complaint to an independent arbiter such as the Information Commissioner.

What if I believe data held about me is incorrect or inaccurate?

If at any time you feel information held by UC24 relating to you is incorrect, please notify us and it will be investigated. Rectification requests on non-factual information, or opinions, are unlikely to be successful, but will be assessed on a case-by-case basis.
You may exercise your right to object to data being processed if you believe data about you is being collected, processed or shared unlawfully, and whilst this is investigated, it may be restricted until a decision is made. You have the right to withdraw your consent to data processing and usage at any time. On investigation, it is the responsibility of UC24 to justify why we are continuing to process the data or if the objection will be upheld.

You also have the right to object to direct marketing at any time and ask for it to stop. While UC24 does sell goods or services, your data may be used to invite you to attend for screening or vaccinations.

When we receive any request to access, edit or delete personal identifiable information, we shall first take reasonable steps to verify your identity before granting you access or otherwise taking any action. This is important to safeguard your information.

How can I remove my information from your records/systems?

GDPR gives you the right to ‘be forgotten’ by having the data we hold about you deleted. In a healthcare setting, it would be very uncommon for such a request to be approved, as the risks associated with removal or deletion of health information could seriously harm or endanger a patient/staff member. Patients’ records also become legal documents in some cases, and UC24 has a legal obligation under employment contracts and various legislation to retain all documentation.

Please direct any such request or concern to the service manager and/or Data Protection Officer (at the address below).

Urgent Care 24
2-4 Enterprise Way
Wavertree Technology Park
Liverpool
L13 1FB

How long is my health information kept?

UC24 applies the retention and destruction schedules contained in Records Management NHS Code of Practice for Health and Social Care. The table below lists a subset of the retention periods.
Record Type | Record Retention Period
Adult Health Record | 10 years after date of last entry or 3 years after death if earlier
Children and Young Peoples Records | Retain until the patient’s 25th birthday or 26th if young person was 17 at conclusion of treatment, or 3 years after death
Complaints | 8 years from completion of action

What if I want my data transferred to another organisation?

The right to portability ensures a person has a right to request their data in a structured, commonly used readable format, in order to be transferred to another system or organisation. The processing has to have been carried out automatically by electronic means but can include data observed by the use of a service or device (for example, X-rays or ECG tracings). Portability is not erasure, but simply another possible format for disclosure of certain information.

If you believe any decisions are being made by an automated decision making process you can object to this, unless necessary for the performance of a contract or authorised by law. GDPR states this right may be exercised in order to ensure some sort of human element/involvement in the decision making process, giving patients a right to express their view or contest the decision and to have an explanation about what is being done.

What do I do if I have a Complaint?

UC24 aims to provide you with the best possible care, and ensure you have a positive experience. However, if you have been unhappy with any aspects of your care, you can raise any issues with us by contacting:

Governance Department
Urgent Care 24
2-4 Enterprise Way
Wavertree Technology Park
Liverpool
L13 1FB

For independent advice about data protection, privacy and data-sharing issues, or if we are unable to resolve your complaint, you can contact:

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113
Website:

Reviews of and Changes to our Fair Processing Notice

We will keep our Privacy Notice under regular review.
This notice was last reviewed July 2018