As a Medical practitioner responsible for your treatment (and including my Practice manager and Financial/Clerical assistant) or as a medical expert required to produce a medical report at the request of an instructing solicitor, this Privacy Notice outlines the data we may process about you as data controller, in compliance with the General Data Protection Regulation (GDPR) and how that information may be used. Please read this Privacy Notice carefully.
Our ICO registration number is ZA117844
In the event that you have any queries, comments or concerns in respect of the manner in which I use, your personal information we process then you should contact my Practice Manager with any questions or requests at firstname.lastname@example.org or on 0161 728 5994.
We are committed to protecting your rights to privacy. They include:
Right to be informed about what we do with your personal data;
Right to have a copy of all the personal information we process about you;
Right to rectification of any inaccurate data we process, and to add to the information we hold about you if it is incomplete;
Right to be forgotten and your personal data destroyed;
Right to restrict the processing of your personal data;
Right to object to the processing we carry out based on our legitimate interest;
Your personal data
I am a Data Controller in respect of your personal information which I hold about you. This will mainly relate to your medical treatment. I must comply with the data protection legislation and relevant guidance when handling your personal information, and so must my Practice manager and administrative assistant who assists me in an administrative capacity. Your personal data may include any images taken in relation to your treatment which be managed in accordance with the law, this Privacy Notice but also all applicable professional standards including guidance from the General Medical Council. I also process the personal data of individuals who are obtaining legal advice or are engaged in a legal dispute, and also the personal data of witnesses and others with links to the issues in the case.
Should I provide your treatment from a Hospital it may be necessary for these facilities to also process your personal data as part of your investigations or treatment I provide you. I will do so in accordance with the law, the principles of this Privacy Notice. Should I provide a medical report from an instructing solicitor and, in due course, it may be necessary for an appointed medical report agency to also process your personal data. In the above case, they too will become a joint Data Controller in respect of your personal information and you will be provided with a copy of their Privacy Notice which sets out how they will manage that information.
Whenever I use your personal data, I will only do so as set out in this Privacy Notice. From time to time, I will process your personal information at a non-medical site.
What personal information do I process from patients and individuals who are obtaining legal advice or are engaged in a legal dispute ?
I will use “special categories of personal information about you, such as information relating to your physical and mental health.
If you provide personal information to me about other individuals (including medical or financial information) I will also process such information in accordance with this Privacy Notice though you should inform the individual about the contents of this Privacy Notice.
Should you amend data which I already hold about you then I will update our systems to reflect the amendments though will continue to store historical data.
As one of my patients or individual seeking legal advice or engaged in legal dispute, the personal information we process about you may include the following:
Contact details, such as postal address, email address and telephone number (including mobile number)
Financial information, such as credit card details used to pay us and insurance policy details
Emergency contact details, including next of kin
Background referral details
Special Categories Personal Information
I will hold information relating to your medical treatment, legal advice/dispute which is known as a special category of personal data under the law. This may include the following:
Details of your current or former physical or mental health, including information about any healthcare you have received from other healthcare providers such as GPs, dentists or hospitals (private and/or NHS), which may include details of clinic and hospital visits, as well as medicines administered. I will provide further details below on the manner in which I handle such information.
Details of services you have received from me
Details of your nationality, race and/or ethnicity
Details of your religion
Details of any genetic data or biometric data relating to you
Data concerning your sex life and/or sexual orientation
I make every effort to prevent unauthorised access to and use of information relating to your current or former physical and mental health (or indeed any of your personal information more generally). In doing so, I will comply with UK data protection law, including the Data Protection Act 2018 and all applicable medical confidentiality guidelines issued by professional bodies including, but not limited to, the General Medical Council.
How do I collect your information?
I may collect personal information from a number of different sources including, but not limited to:
Other hospitals, both NHS and private
Mental health providers
Commissioners of healthcare services
Other clinicians (including their medical secretaries)
Medical Report agencies
Directly from you
Information may be collected directly from you when:
You enter into a contract with me or another independent provider for the provision of healthcare services
You use those services
You complete enquiry forms on another independent provider website
You submit a query to me including by email
You correspond with me by letter, email or telephone.
From other healthcare organisations
My patients will usually receive healthcare from other organisations, and so in order to provide you with the best treatment possible I may have to collect personal information and Medical records from them about you from them which may include information about your diagnosis, clinic and hospital visits and medications.
These may include:
Medical records from your GP
Medical records from other clinicians (including their medical secretaries)
Medical records from the NHS or any private healthcare organisation
From third parties
As detailed in the previous section, it is often necessary to seek information from other healthcare organisations. I may also process information about you from third parties when:
You are referred to me for the provision of services including healthcare services
I liaise with your current or former employer, health professional or other treatment or benefit provider
I liaise with your family
I liaise with your insurance policy provider
I deal with experts (including medical experts) and other service providers about services you have received or are receiving from me
I deal with NHS health service bodies about services you have received or are receiving from us
I liaise with credit reference agencies
I liaise with debt collection agencies
I liaise with Government agencies, including the Ministry of Defence, the Home Office and HMRC
How will I communicate with you?
I may communicate with you in a range of ways, including by telephone, email, and / or post. If I contact you using the telephone number(s) which you have provided (landline and/or mobile), and you are not available which results in the call being directed I may leave a message on your voicemail and/or answerphone including only sufficient details to enable you to identify who the call is from, the reason for the call and how to call back.
to ensure that I provide you with timely updates and reminders in relation to your healthcare and/or legal dispute/advice (including basic administration information and appointment information (including reminders), where you have provided an email address I may communicate with you by unencrypted email
to provide you with your medical information (including test results and other clinical updates) and/or invoicing information, I may communicate with you by Egress encrypted email where you have provided me with your email address. The first time I send you any encrypted email requires validation, I will endeavour to contact you separately to ensure that you are able to access the encrypted email you are sent.
Please note that although providing your mobile number and email address and stating a preference to be communicated by a particular method will be taken as an affirmative confirmation that you are happy for us to contact you in that manner.
What are the purposes for which your information is used?
I may process your information for a number of different purposes. Each time I use your data I must have a legal justification to do so. The particular justification will depend on the purpose of the proposed use of your data. When the information that we process is classed as a “special category of personal information”, I must have a specific additional legal justification in order to use it as proposed.
Generally I will rely on the following legal justifications, or 'grounds':
Taking steps at your request, solicitors and/or medical report agency request so that you can enter into a contract with me to receive healthcare services or a medical report from us.
For the purposes of providing you with healthcare pursuant to a contract between you and I may require supporting nurse, carer or other healthcare professional providing services to you.
As I have an appropriate business need to process your personal information. I will rely on this for activities such as quality assurance, maintaining my business records, monitoring outcomes and responding to any complaints.
I have a legal or regulatory obligation to use such personal information.
I need to use such personal information to establish, exercise or defend my legal rights.
You have provided your consent to my use of your personal information.
For the purposes of providing a medical report the personal data are generally provided by the person instructing us in relation to the legal issues, who is usually a solicitor.
I process the data because it is in our legitimate interests as an expert witness to do so. I need to see and analyse documents containing this information in order to provide our expert advice.
In relation to any special category personal data, such as health records or information concerning, race, ethnic origin, or sex is, we rely on the legal claims basis for processing this data, in addition to our legitimate interest.
Note that failure to provide your information further to a contractual requirement with me may mean that I am unable to set you up as a patient or facilitate the provision of your healthcare or provide a medical report.
Appropriate business needs
One legal ground for processing personal data is where I do so in pursuit of legitimate interests and those interests are not overridden by your privacy rights. Where I refer to use for my appropriate business needs, I am are relying on this legal grounds
We also process personal data pursuant to our legitimate interests in running our business such as: Invoices and receipts, Accounts, VAT and tax returns, Insurance policies and related documents. As an employer, we process personal data further to contracts of employment with our employees. The information includes: Names, addresses and contact details, Pay and bank details, pay slips, Curricula vitae, contracts of employment, references and appraisals, Health information (in reliance on the occupational health exemption contained in the Data Protection Act 2018)
The right to object to other uses of your personal data
You have a range of rights in respect of your personal data. This includes the right to object to me using your personal information in a particular way (such as sharing that information with third parties), and I must stop using it in that way unless specific exceptions apply. This includes, for example, if it is necessary to defend a legal claim brought against me, or it is otherwise necessary for the purposes of your ongoing treatment.
My legal grounds for each of our processing purposes are set out below.
1: To set you up as my patient, including carrying out fraud, credit, anti-money laundering and other regulatory checks
I have to carry out necessary checks in order for you to become a patient. These include standard background checks, which I cannot perform without using your personal information. The legal ground for processing your data is to take the necessary steps so that you can enter into a contract with me for the delivery of healthcare. The processing special categories of personal information is necessary for reasons of substantial public interest, and it is also in my legitimate interests to do so.
2: To provide you with healthcare and related services
The reason you come to me is to provide you with healthcare, and so I have to use your personal information for that purpose. The legal ground for processing your data is to providing you with healthcare and related services and fulfil my contract with you for the delivery of healthcare. The processing of special categories of personal information is necessary in order to provide healthcare services to you and the use is necessary to protect your vital interests where you are physically or legally incapable of giving consent
3: For account settlement purposes
I will use your personal information in order to ensure that your account and billing is fully accurate and up-to-date. The legal ground for processing your data is to provide you healthcare and other related services, fulfilling my contract with you for the delivery of healthcare, my having an appropriate business need to use your information which does not overly prejudice you and having your consent. The processing of special categories of personal information is necessary in order to provide healthcare services to you, the use is necessary in order for me to establish, exercise or defend my legal rights and having your consent
4: Communicating with you and resolving any queries or complaints that you might have.
From time to time, patients may raise queries, or even complaints, with me and the healthcare facility, and I take those communications very seriously. It is important that I am able to resolve such matters fully and properly and so I, as well as the hospital or healthcare facility will need to use your personal information in order to do so. The legal ground for processing your data is to provide you with healthcare and other related services and having an appropriate business need to use your information which does not overly prejudice you. The processing of special categories of personal information is necessary for the provision of healthcare or treatment pursuant to a contract with a health professional and the use is necessary in order for me to establish, exercise or defend my legal rights
5: Communicating with any other individual that you ask us to update about your care and updating other healthcare professionals about your care.
In addition, other healthcare professionals, such as your GP or physiotherapist, may need to know about your treatment in order for them to provide you with safe and effective care, and so I may need to share your personal information with them. The legal ground for processing your data is to provide you with healthcare and other related services and that I have a legitimate interest in ensuring that other healthcare professionals who are routinely involved in your care have a full picture of your treatment. The processing of special categories of personal information is necessary in order to provide healthcare services to you, for reasons of substantial public interest under UK law and the use is necessary in order for me to establish, exercise or defend my legal rights
The Competition and Markets Authority Private Healthcare Market Investigation established the Private Healthcare Information Network (“PHIN”), as an organisation who will monitor outcomes of patients who receive private treatment. I am required to provide PHIN with information related to your treatment, including your NHS Number in England and Wales, the nature of your procedure, whether there were any complications such as infection or the need for readmission/admission to a NHS facility and also the feedback you provided as part of any PROMs surveys. PHIN will use your information in order to share it with the NHS, and track whether you have received any follow-up treatment.
6: Complying with our legal or regulatory obligations, and defending or exercising our legal rights
As a provider of healthcare, I am subject to a wide range of legal and regulatory responsibilities which is not possible to list fully here. I may be required by law or by regulators to provide personal information, and in which case I will have a legal responsibility to do so. From time to time, clinicians are unfortunately also the subject of legal actions or complaints. In order to fully investigate and respond to those actions, it is necessary to access your personal information. The legal ground for processing your data is in order for us to comply with our legal obligations. The processing of special categories of personal information is necessary in order for others to provide informed healthcare services to you, for reasons of the provision of health or social care or treatment or the management of health or social care systems and for establishing, exercising or defending legal claims.
I am also required by law to conduct audits of health records, including medical information, for quality assurance purposes. Your personal and medical information will be treated in accordance with guidance issued by the Care Quality Commission (England), Health Inspectorate Wales and Healthcare Improvement Scotland
7: Communicating with solicitors and medical report agencies
We process the personal data of individuals who are obtaining legal advice or are engaged in a legal dispute, and also the personal data of witnesses and others with links to the issues in the case. The legal ground for processing your data is because it is in our legitimate interests as an expert witness to do so. We need to see and analyse documents containing this information in order to provide our expert advice. The processing of special categories of personal information we rely on the legal claims basis for processing this data, in addition to our legitimate interest.
Disclosures to third parties:
I may disclose your information to the third parties listed below for the purposes described in this Privacy Notice. This might include:
A doctor, nurse, carer or any other healthcare professional involved in your treatment
Other members of support staff involved in the delivery of your care, like receptionists and porters
Anyone that you ask me to communicate with or provide as an emergency contact, for example your next of kin or carer
NHS organisations, including NHS Resolution, NHS England, Department of Health
Other private sector healthcare providers
Other clinicians (including their medical secretaries)
Third parties who assist in the administration of your healthcare, such as insurance companies
Private Healthcare Information Network
National and other professional research/audit programmes and registries, as detailed under purpose 4 above
Government bodies, including the Ministry of Defence, the Home Office and HMRC
Our regulators, like the Care Quality Commission, PHIN.
The police and other third parties where reasonably necessary for the prevention or detection of crime
Debt collection agencies
Credit referencing agencies
Our third party services providers such as IT suppliers, actuaries, auditors, lawyers, marketing agencies, document management providers and tax advisers
Selected third parties in connection with any sale, transfer or disposal of our business
I may also use your personal information to provide you with information about products or services which may be of interest to you where you have provided your consent for me to do so.
Those who have instructed us as an expert witness
Outsourced service providers such as photocopying companies and digital dictation services, pursuant to GDPR compliant written contracts
HMRC and the VAT Commissioner as they require
With others pursuant to a court order
I may communicate with these third parties in a variety of ways including, but not limited to, email, post, fax and telephone.
How long do I keep personal information for?
I will only keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice and in order to comply with my legal and regulatory obligations.
Personal data in legal cases is retained, where necessary, for six years in compliance with our professional indemnity obligations. Where this is not necessary, it is destroyed on the conclusion of the case.
Administrative data is retained for up to six years as necessary, in the unlikely event there are queries from HMRC and the VAT commissioner. Where it is not necessary to retain the data for six years, it is destroyed as soon as possible.
Personal data relating to employees who have left our employment is also retained for up to six years as necessary. This is the time limit for bringing a breach of contract claim. In some case we destroy it as soon as the employee leaves.
International data transfers
I may store or process information that we collect about you in countries outside the European Economic Area ("EEA"). We will not transfer your personal information outside of the EEA
Under data protection law you have certain rights in relation to the personal information that I hold about you. These include rights to know what information I hold about you and how it is used. You may exercise these rights at any time by contacting me using the details provided at section 3 above.
There will not usually be a charge for handling a request to exercise your rights.
If I cannot comply with your request to exercise your rights we will usually tell you why.
There are some special rules about how these rights apply to health information as set out in legislation including the Data Protection Act (current and future), the General Data Protection Regulation as well as any secondary legislation which regulates the use of personal information.
If you make a large number of requests or it is clear that it is not reasonable for me to comply then we do not have to respond. Alternatively, I can charge for responding.
The right to access your personal information
You are usually entitled to a copy of the personal information I hold about you and details about how I use it.
Your information will usually be provided to you in writing, unless otherwise requested. If you have made the request electronically (e.g. by email) the information will be provided to you by electronic means where possible.
Please note that in some cases I may not be able to fully comply with your request, for example if your request involves the personal data of another person and it would not be fair to that person to provide it to you.
You are entitled to the following under data protection law.
Under Article 15(1) of the GDPR I must usually confirm whether I have personal information about you. If I do hold personal information about you I usually need to explain to you:
The purposes for which I use your personal information
The types of personal information I hold about you
Who your personal information has been or will be shared with, including in particular organisations based outside the EEA.
If your personal information leaves the EU, how I will make sure that it is protected
Where possible, the length of time I expect to hold your personal information. If that is not possible, the criteria I use to determine how long I hold your information for
If the personal data I hold about you was not provided by you, details of the source of the information
Whether I make any decisions about you solely by computer and if so details of how those decision are made and the impact they may have on you
Your right to ask me to amend or delete your personal information
Your right to ask me to restrict how your personal information is used or to object to my use of your personal information
Your right to complain to the Information Commissioner's Office
I also need to provide you with a copy of your personal data, provided specific exceptions and exemptions do not apply.
The right to rectification
I take reasonable steps to ensure that the information I hold about you is accurate and complete. However, if you do not believe this is the case, you can ask me to update or amend it.
The right to erasure (also known as the right to be forgotten)
I may update this Privacy Notice from time to time to ensure that it remains accurate, and the most up-to-date version can always be found at www.hipkneefoot.com. In the event that there are any material changes to the manner in which your personal information is to be used then I will provide you with an updated copy of this Privacy Notice.
In some circumstances, you have the right to request that I delete the personal information I hold about you. However, there are exceptions to this right and in certain circumstances I can refuse to delete the information in question. In particular, for example, I do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercising or defending legal claims.
The right to restriction of processing
In some circumstances, I must "pause" our use of your personal data if you ask me to do so, although I do not have to comply with all requests to restrict my use of your personal information. In particular, for example, I do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercise or defending legal claims.
The right to data portability
In some circumstances, I must transfer personal information that you have provided to you or (if this is technically feasible) another individual/ organisation of your choice. The information must be transferred in an electronic format.
The right to withdraw consent
In some cases I may need your consent in order for my use of your personal information to comply with data protection legislation. Where we do this, you have the right to withdraw your consent to further use of your personal information. You can do this by contacting me using the details provided at section 3 above.
The right to complain to the Information Commissioner's Office
You can complain to the Information Commissioner's Office if you are unhappy with the way that I have dealt with a request from you to exercise any of these rights, or if you think I have not complied with our legal obligations.
More information can be found on the Information Commissioner’s Office website: https://ico.org.uk/
Making a complaint will not affect any other legal rights or remedies that you have.
National Data Opt-Out Programme
NHS Digital is currently developing a national programme which will go live on 25 May 2018, pursuant to which all patients will be able to log their preferences as to sharing of their personal information. All health and care organisations will be required to uphold patient choices, but only from March 2020. You should make me aware directly of any uses of your data to which you object.
Updates to this Privacy Notice
I may update this Privacy Notice from time to time to ensure that it remains accurate. Should these changes result in any material difference to the manner in which I process your personal data then you will be provided with an updated copy of the Policy.
This Privacy Notice was created on 28 May 2018.