General Data Protection Regulation (GDPR)
Including the Collection of Special Category Data
Patient Consent and/or Parental Consent
1. What data is covered?
This policy details the obligations that Bloomsbury Health Limited (the 'Data Processor', 'We' and 'Us') and your Treatment Provider (the 'Data Controller') have regarding data protection, and your rights under the current EU Regulations, the “General Data Protection Regulations” (GDPR), in conjunction with your use of the recordmyhealth.care application.
Your data, which is provided to us by your Treatment Provider, will be processed lawfully, fairly and transparently. It will only be collected for specific, explicit and legitimate purposes and will not be processed further for any purpose incompatible with the original purpose for collection.
Your Treatment Provider, through their policy, will have obtained your explicit consent to the collection and transfer to us of your Personal and Special Category Data.
In this Privacy notice, “Personal data” means any information relating to an individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number such as a National Health Service number, location data or an online identifier such as an IP address.
Special Category Data
“Special Category Data” (SCD) may also be collected which may include but not be limited to:-
Name and NHS/Medical Record Number
Under Art 9 of the General Data Protection Regulations, this data is deemed to be Special Category Data, and we and your Treatment Provider require your explicit agreement to the collection of the following Data. Once given, that agreement will be deemed to be in place unless you contact your Treatment Provider and explicitly rescind your consent.
Definition of the special category data collected could include -
Name and NHS/Medical Record Number;
Unless you rescind your agreement given under this GDPR policy, you will be deemed to have given your explicit agreement to the collection of this Special Category Data and any other personal data requested.
You may rescind your agreement at any time; please see clause 9 - ‘Withdraw your consent at any time.’ This should be done through your Treatment Provider or the recordmyhealth.care opt out button after you log in.
Your Treatment Provider will enter your data on the application, along with other personal data such as, but not limited to:-
* Address and contact information
* Email address
* Mobile Phone Number
* Your health care treatment details
Our GDPR policy explains how and what we use this personal data for.
You may rescind your agreement at any time; please see clause 9 - ‘Withdraw your consent at any time.’ This should be done through your Treatment Provider, who will inform us of this instruction.
You are required to give your consent to the collection, storage, sharing and use of your Personal Data, including ‘Special Category Data’, as detailed in this policy. You are deemed to do so unless you specifically withdraw that consent; see clause 9 for details of how to do this.
Our GDPR policy explains how and what we and your Treatment Provider use this personal data for.
2. Purposes for which we and your Treatment Provider collect and process personal data.
For the performance of our web application; we provide services to individuals (patients and doctors).
The data we and your Treatment Provider collect depends upon the services provided to you, and we only process personal data and Special Category Data for the purpose for which it was collected by your Treatment Provider.
Personal Data provided to us by your Treatment Provider, for which you have given your consent for that Treatment Provider to share with us, is collected by us and dealt with as though we have collected it ourselves. The following applies to this Personal Data received by us under these circumstances.
The purposes for which we process data (including the Special Category Data) and the legal basis for doing so
Visitors and Patients;-
* for our, your Treatment Provider's or your legitimate interest;
* in respect of any legal obligation we or your Treatment Provider are subject to;
* where you have provided your consent for us to do so;
* where necessary to do so.
Visitors and patients to the recordmyhealth.care website - We may also collect personal data about you when you visit our website.
Information which you provide to us voluntarily - for example when completing any online form to contact us. Such voluntary information may be in the form of;
* Job title and role
* Contact information such as mobile number, email address and other telephone numbers.
* Demographic information, such as industry, post code, and any preferences and interests
* Any other relevant health information to enable us and your Treatment Provider to offer and supply our/their services to you
Any information which you provide on this basis which may be sensitive (this does not include the Special Category Data) is not collected or processed intentionally. Such information is provided by you on a voluntary basis and you acknowledge and agree that such information may be processed by us and your Treatment Provider.
If your personal data is provided by your Treatment Provider, your personal data is collected and stored in our storage facility within our computer system and any data held will be held indefinitely unless deleted by your Treatment Provider.
If you ‘opt out’ of any of our services your basic data will remain on our opt out list.
You are given the opportunity to opt out by the presentation of this option through our ‘I DO NOT CONSENT TO MY OR MY CHILD'S (IF YOU ARE A PARENT OR GUARDIAN) DATA BEING USED.’
You specifically consent to all types of Data processing and for all of the reasons specified in this policy.
Cookies - Data which is automatically collected when you visit our site through Cookies - When you visit we automatically collect certain personal data from your device.
When you allow Cookies (which are small files) through our website, the file is transferred to your computer hard drive through your web browser. This enables the website (or your internet service provider) to recognise your browser and capture and remember certain information. Such data is;
* IP address
* Unique device identifier number
* Device type
* Browser type
* Geographical location, e.g. country or city location
* and other technical information
We collect this information through cookies to improve the services supplied to you and it enables us to better understand the visitors to our site.
The purposes for which we collect and/or process your personal data as a visitor or patient to our site;-
* To assist in administering and managing our site.
* For site security for example to authenticate your identity and to prevent unauthorised access to the site.
* To understand which features of the site visitors or patients use.
* To assist us in monitoring and enforcing all relevant regulations and applicable compliance.
* To assist us in continual risk management assessment.
* Any other purposes for which you provide us with your information.
Legal Grounds for processing personal data of visitors or patients to the site;-
* For the effective and lawful operation of our business.
* To improve and develop our site to enhance user experience.
* Any matter for which we have been given your explicit consent.
If you would like to know more about cookies please go to www.allaboutcookies.org
Other purposes we may collect personal data can be; -
3. Service Providers
We may employ third party companies or individuals to facilitate our service (“Service Providers”), to provide the Service on our behalf, to perform Service-related services or to assist us in analysing how our Service is used.
These third parties have access to your Cookie Data, but not Personal or Special Category Data, only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
We may use third-party Service Providers to monitor and analyse the use of our Service, the details of which we have provided above (see Special Category Data).
4. Transfer of Personal Data and its Security
We take all appropriate security and legal precautions to safeguard the safety and integrity of all of your personal data and the Special Category Data that is collected and used within the company. Your personal data will only be accessed by persons within the Treatment Provider organisation and Bloomsbury Health Limited who have a legitimate need to do so.
Access to the confidential data we collect is limited and we have policies and procedures in place to safeguard your information from loss, misuse and improper disclosure.
All of our employees are subject to a company privacy and confidentiality policy which ensures that they are contracted to understand your confidentiality requirements and will work to the best of their ability in line with this policy.
5. Your Rights and our Complaints Procedure.
You have the following rights in relation to your personal data;-
You have access to the data we hold about you;
If you note that your data is incorrect or incomplete you have the right to have that data corrected;
You may opt out but your Treatment Provider may not be able to offer you some services;
You may request that your Treatment Provider delete your personal data (this is subject to any legal requirement to retain such data);
You may request a copy of your personal data from your Treatment Provider; this may take up to thirty (30) days;
You have the right to withdraw your consent to the use of any of your personal data for which you have previously given your consent;
Your Treatment Provider has a complaints procedure through which we will deal with any complaints you may have, acknowledge your complaint, ensure it is investigated honestly and fairly, and inform you how it will be handled.
You can contact your Treatment Provider's:
Information Governance Lead
Data Protection Officer
Please see their organisation website for details.
If you have any other queries, or wish to exercise any of your rights in respect of your personal data not addressed by your Treatment Provider within 30 days, please contact our Data Protection Officer.
If your Treatment Provider or we can't resolve your concern, you have the right to lodge a complaint with the Information Commissioner's Office.
6. Who We, or your Treatment Provider, may disclose your Personal Information to.
We or your Treatment Provider will disclose your personal information to the following;-
As described in clause 2 of this policy;
If required by law;
If disclosure is believed to be appropriate to enforce any of these terms and conditions, to protect and defend rights, property or safety;
In compliance with any court order, proceeding or under any other legal obligation, regulatory or government requirement.
We are obliged under current laws and jurisdiction to report suspicious activity to the relevant regulatory authorities. We will also report any suspected criminal activity to the relevant law enforcement body. In some circumstances we may not be permitted to inform you about this in advance of any disclosure, or at all.
There are no third party recipients of personal data, only your Treatment Provider Organisation, which is the Data Controller and which might be:
Acute NHS Trust
Public Health England
Mental Health Trust
Clinical Commissioning Group
Commissioning Support Unit
Community Health Provider
Data Service for Commissioners
Eye Care Services
Health and Social Care Information Centre
7. How long do we retain your Personal Information
We retain your personal information only as long as it is needed by your Treatment Provider; thereafter we only retain any information as long as it is required under the regulatory requirements your Treatment Provider is subject to.
To ensure your Treatment Provider meets their legal liabilities they may retain some information for a significant time. Examples of the reason for this could be to protect, defend or exercise their legal rights, or for archiving and historical purposes.
8. Data Security and Breaches
We and your Treatment Provider have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we and your Treatment Provider limit access to your personal data to those employees, agents, staff, contractors and other third parties who have a business need to know. They will only process your personal data on your Treatment Provider's instructions and they are subject to a duty of confidentiality.
We and your Treatment Provider have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
If there is a security breach, or a suspected security breach, your Treatment Provider will inform you of the breach or suspected breach as soon as it is known to them and report it to the appropriate regulatory body.
Once such a breach is discovered we will use all reasonable business measures to correct the breach, prevent any further breaches and recover or delete any lost information.
9. Your Legal Rights
Under certain circumstances, you have rights under data protection laws (General Data Protection Regulations) in relation to your personal data. Specifically, you have the right to:
● Request access to your personal data;
● Request correction of your personal data;
● Request erasure of your personal data;
● Object to processing of your personal data;
● Request restriction of processing your personal data;
● Request transfer of your personal data;
● Withdraw consent.
If you wish to exercise any of the rights set out above, please contact your Treatment Provider.
Request access to your personal data (commonly known as a “data subject access request”) from your Treatment Provider
This enables you to receive a copy of the personal data held about you and to check that your Treatment Provider is lawfully processing it.
Request correction of the personal data that your Treatment Provider holds about you.
This enables you to have any incomplete or inaccurate data held about you corrected, though your Treatment Provider may need to verify the accuracy of the new data you provide. We ask that you update your Treatment Provider with any changes to your personal information.
Request erasure of your personal data.
This enables you to ask your Treatment Provider to delete or remove personal data where there is no good reason for them continuing to process it. You also have the right to ask your Treatment Provider to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we or your Treatment Provider may have processed your information unlawfully or where we or your Treatment Provider are required to erase your personal data to comply with local law. Note, however, that your Treatment Provider may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data
This applies where your Treatment Provider is relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, your Treatment Provider may demonstrate they have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your personal data.
This enables you to ask your Treatment Provider to suspend the processing of your personal data in the following scenarios:
● If you want to establish the data’s accuracy.
● Where your Treatment Provider's use of the data is unlawful but you do not want them to erase it.
● Where you need your Treatment Provider to hold the data even if they no longer require it as you need it to establish, exercise or defend legal claims.
● You have objected to your Treatment Provider’s use of your data but they need to verify whether they have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or to a third party. Your Treatment Provider will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for your Treatment Provider to use or where they used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, your Treatment Provider may not be able to provide certain products or services to you. Your Treatment Provider will advise you if this is the case at the time you withdraw your consent.
NO FEE USUALLY REQUIRED
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, your Treatment Provider may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, your Treatment Provider could refuse to comply with your request in these circumstances.
WHAT YOUR TREATMENT PROVIDER MAY NEED FROM YOU
Your Treatment Provider may need to request specific information from you to help them confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. Your Treatment Provider may also contact you to ask you for further information in relation to your request to speed up their response.
TIME LIMIT TO RESPOND
Your Treatment Provider will try to respond to all legitimate requests within one month. Occasionally it could take them longer than a month if your request is particularly complex or you have made a number of requests. In this case, they will notify you and keep you updated.
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
10. International Transfers of Personal data
Your personal data will not be transferred to or stored outside of England.
11. Changes to this Policy
We will, from time to time, make changes to this policy. This may be to ensure that we continue to be in line with the legal requirements and any regulatory changes made in law. We may also change our practices to better serve our, your Treatment Provider's, and your needs. We will revise the “last updated” date at the top of this notice and will, if such changes are material, post a prominent notice of the changes on the website.
We request that you read this policy from time to time and keep your personal information up to date at all times.