Patient Privacy – Policy and Process
How The Allergy-Immunology Doctor uses your information to provide you with healthcare
This practice keeps medical records confidential and complies with the General Data Protection Regulation (GDPR) and Data Protection Act 2018.
We hold your medical record so that we can provide you with safe care and treatment.
We will also use your information so that this practice can check and review the quality of the care we provide. This helps us to improve our services to you.
The confidentiality of your information is very important to us. We comply with data protection legislation and with the medical confidentiality guidance of our professional bodies (namely the General Medical Council).
- We will share relevant information from your medical record with other healthcare professionals when they provide you with care: for example, when you are referred to a consultant, when we send details of your prescription to your chosen pharmacy, or when you are referred to a laboratory for tests. We recommend that details of the care you receive here are shared with your NHS GP; however, we will only do this with your consent, and we would provide you with copies of all correspondence.
- You have the right to object to information being shared for your own care. Please speak to the practice manager if you wish to object. You also have the right to have any mistakes or errors corrected.
Other important information about how your information is used to provide you with healthcare at The Allergy-Immunology Doctor Ltd
Registering for care at The Allergy-Immunology Doctor
All patients who receive care are registered on our computer system.
This database holds your name, address, date of birth, telephone number, e-mail address, confirmation that your ID has been checked, and the details of your regular (NHS) GP. You will be asked to indicate whether you consent to The Allergy-Immunology Doctor sharing clinical information with your regular GP (please note that you may change this decision at any time).
Personal data about you, including information about the care you receive, is held in the practice’s management system, which maintains a cloud-based database. The information is accessible only to authorised practice members, all of whom adhere to the practice’s confidentiality policy.
The GDPR-compliant practice management platform FreddieMed is used for booking appointments, video consultations and storage of patient files. FreddieMed is classified under GDPR as a data controller of patient data, which means it must build its technology on privacy-by-design principles and apply the strictest privacy settings by default. It uses a range of access, communication and storage controls to protect data, including encryption, server-side digital certificates, IP tracking, pseudonymisation of medical information and two-factor authentication.
FreddieMed also provides patients with a data privacy notice explaining what data it stores, what it does with it and on what legal basis. Patients can choose to share their record with their medical professionals through the patient portal. FreddieMed carries out due diligence on all medical professionals, including identity checks and verification of professional registration with a government-accredited body. All data is stored in the Amazon Web Services (AWS) data centre in Ireland. AWS’s security controls apply to the database, the connection to AWS is encrypted, non-pseudonymised data is encrypted, and where pseudonymisation is possible the data is pseudonymised with the pseudonymisation key itself held in encrypted form. Pseudonymisation replaces the identifiers that link medical information to you with a code, so that the information cannot be attributed to you without a separately held key. The GDPR recommends pseudonymisation as a safeguard (Articles 25 and 32).
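To illustrate the pseudonymisation described above, the following is an added example written for this page; it is not FreddieMed’s or the practice’s code. It derives a patient code with a keyed HMAC, keeps the clinical data and the identity mapping in separate stores, and shows why a plain unkeyed hash of name and date of birth is not adequate pseudonymisation: such a code can be reversed by guessing. The sample patients are constructed, and the key variable stands in for the platform’s pseudonymisation key, which the notice says is itself stored encrypted; record-level encryption is not shown.

```python
"""Pseudonymisation with a separately held key.

Added illustration, not FreddieMed's or the practice's code. The patients
below are constructed sample data, and `key` stands in for the platform's
pseudonymisation key, which in production is stored encrypted and apart
from the clinical data.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed sample data: not real patients.
PATIENTS = [
    {"name": "Alice Example", "dob": "1980-01-01", "diagnosis": "grass pollen allergy"},
    {"name": "Bob Sample", "dob": "1975-06-15", "diagnosis": "penicillin allergy"},
]


def identity_string(patient: dict) -> str:
    """The direct identifiers that link a record to a person."""
    return f"{patient['name']}|{patient['dob']}"


def unkeyed_code(identity: str) -> str:
    """A plain hash of the identity. NOT adequate pseudonymisation: names and
    dates of birth are guessable, so the code can be reversed by enumeration."""
    return hashlib.sha256(identity.encode()).hexdigest()[:16]


def keyed_code(identity: str, key: bytes) -> str:
    """Patient code derived with a keyed HMAC. Without the key, the code
    cannot be linked to the identity even by guessing candidate identities."""
    return hmac.new(key, identity.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(patients: list, key: bytes):
    """Split each patient into a clinical row (code + medical data only) and
    an identity row (code + direct identifiers). The two stores are kept apart;
    only someone holding both, plus the key, can rebuild the full record."""
    clinical_store = []
    identity_store = {}
    for p in patients:
        code = keyed_code(identity_string(p), key)
        clinical_store.append({"code": code, "diagnosis": p["diagnosis"]})
        identity_store[code] = {"name": p["name"], "dob": p["dob"]}
    return clinical_store, identity_store


def reidentify(code: str, identity_store: dict) -> Optional[dict]:
    """Authorised re-identification: look the code up in the separate store."""
    return identity_store.get(code)


def guess_identity(code: str, candidates: list,
                   derive: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: derive a code for every candidate identity and compare.
    Succeeds against unkeyed_code; fails against keyed_code without the key."""
    for cand in candidates:
        if hmac.compare_digest(derive(cand), code):
            return cand
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    clinical, identities = pseudonymise(PATIENTS, key)
    print("clinical store (no identifiers):", clinical)
    print("re-identified by the key holder:", reidentify(clinical[0]["code"], identities))
    cands = [identity_string(p) for p in PATIENTS]
    print("unkeyed code reversed by guessing:",
          guess_identity(unkeyed_code(cands[0]), cands, unkeyed_code))
    print("keyed code reversed without the key:",
          guess_identity(clinical[0]["code"], cands,
                         lambda s: keyed_code(s, b"attacker-guess")))
```

The clinical store carries only the code and the medical data, which is what an auditor or a compromised database would see; linking a row back to a person requires both the identity store and the HMAC key, which is why the key must be protected at least as carefully as the identity store itself.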
FreddieMed performs daily backups of their database, each kept for seven days.
Hard copy notes taken during the consultation contain only the patient’s code (not their name); they are scanned and uploaded to the platform, and the paper is destroyed in a cross-cut shredder. Any electronic copies are deleted from the computer using a secure-deletion (digital shredding) application.
When using FreddieMed, data is delivered to the user’s browser over an encrypted connection authenticated by the server’s certificate. FreddieMed does not leave data on the device once the session has ended.
FreddieMed has developed its own internal messaging system. Messages sent through it stay within the platform rather than travelling over the network used to transmit e-mail.
What personal data do we hold apart from that collected when registering at The Allergy-Immunology Doctor?
As a medical practice we will hold medical records and information about you in order to treat you appropriately and in a timely manner.
To provide patients with a high standard of medical care, we need to hold personal information. This personal data can include:
- Past and current medical conditions; personal details such as age, address, telephone number, e-mail, next of kin, NHS GP (as outlined above in the ‘Registering for care’ section)
- X-rays and clinical photographs
- Information about your treatment that we have provided or proposed
- Notes of conversations or incidents that might occur for which a record needs to be kept
- Records of consent to treatment
- Any correspondence relating to you from yourself or other health care professionals
Why do we hold information about you?
We need to keep comprehensive and accurate personal data about patients to provide you with safe and appropriate medical care. We will ask you yearly to update your medical history and contact details.
Identifying patients who might be at risk of certain diseases
Appropriate medical information will be obtained to identify patients who might be at risk from certain diseases within the scope of the practice. This means we can offer patients additional care or support as early as possible.
Information which identifies you will only be seen by this practice. This information will also be anonymised for audit purposes to monitor and measure the quality of the care we deliver.
For more information, please speak to the Practice Manager.
Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm. These circumstances are rare.
We do not need your consent or agreement to do this.
Please contact the Registered Manager to see our safeguarding policies for more information.
We are required by law to provide you with the following information about how we handle your information:
Data Controller contact details
The Allergy-Immunology Doctor Ltd
2 Yarmouth Road
NR14 6SP United Kingdom
ICO nominated contact details
Dr Anca-Liana Ciobotaru
Purpose of the processing
– To give direct healthcare to individual patients. For example, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care.
– To check and review the quality of care. (This is called audit and clinical governance.)
– To advise patients of changes to services or new services.
Lawful basis for processing
These purposes are supported under the following articles of the GDPR:
– Article 6(1)(e): ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and
– Article 9(2)(h): ‘…necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’
Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.
Recipient or categories of recipients of the processed data
Disclosure of information
Disclosure will take place on a ‘need-to-know’ basis. Only those individuals or organisations who need to know to provide care for you will be given the information.
In very limited circumstances or when required by law or a court order, personal data may have to be disclosed to a third party not connected with your health care. The practice would take legal advice before disclosing data in these very limited circumstances and where possible you will be informed of these requests for disclosure.
Requesting your consent under GDPR
We will continue to obtain consent from you as a patient, whether implied, verbal or written, for the treatment or procedures undertaken at The Allergy-Immunology Doctor. This will be in line with the General Medical Council’s guidelines and will be recorded appropriately in your medical records.
In addition to this
Collection of personal information when visiting our website
You can access most of the pages on our website without giving us your personal information, although you may choose to do so, for example when you submit an enquiry or book an appointment. Users are requested not to send confidential details or debit/credit card numbers by e-mail unless specifically asked by us to do so.
When you submit personal information, you consent to our use of the information as set out above under ‘Requesting your consent under GDPR’.
Use of personal information
We will use personal information given to us in accordance with these terms and conditions, and with any additional statements appearing on forms used for submitting personal information. We will not disclose personal information to any third parties without obtaining your prior consent, unless we are required by law to do so.
If you submit an enquiry, we will use your personal information to administer and respond to your enquiry. We will store securely the information you supply and our response. We may produce reports on enquiries to enable us to monitor and develop our service but reports will be based on anonymous data; we will not identify individuals in our reports.
If you comment or complain about our services, we may use your details to investigate your comments and we may use an anonymised form of your comments in our promotional materials, such as, but not limited to, our website.
Right to object
– You have the right to object to information being shared between those who are providing you with direct care.
– This may affect the care you receive – please speak to the practice.
– You are not able to object when information is legitimately shared for safeguarding reasons.
– In appropriate circumstances it is a legal and professional requirement to share information for safeguarding reasons. This is to protect people from harm.
– The information will be shared with the appropriate local safeguarding services.
Right to access and correct
– You have the right to access your medical record and to have any errors or mistakes corrected. Please speak to a member of staff.
– We are not aware of any circumstances in which you would have the right to have accurate information deleted from your medical record, although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information, and to contact us if you hold a different view.
Data we get from other organisations
We may receive information about your health from other organisations who are involved in providing you with healthcare services following a referral from The Allergy-Immunology Doctor. For example, if you go to hospital for treatment or an operation, the hospital will send us a letter to let us know what happens. Or, if you undergo testing with one of the laboratories to which we referred you, we will receive a copy of your test results. This means your medical record at this practice is kept up-to date when you receive care or services from other parts of the health service.
Note: although we are obliged to share patient information with your NHS GP (with your consent), independent doctors currently do not have access to records of care and treatment you receive elsewhere (NHS or private).
Retention period
Medical records will be kept in line with the law and national guidance. The Practice Manager will advise you as to how long hard copy medical records are legally required to be kept by us; digital medical records will be stored indefinitely until government regulations change.
Access to your medical records
You have the right of access to the data that we hold about you and to receive a copy. Parents may access their child’s records if this is in the child’s best interests and not contrary to a competent child’s wishes. Formal applications for access must be made in writing to the Practice Manager.
If you do not agree
If you do not wish personal data that we hold about you to be disclosed or used in the way that is described in this Code of Practice, please discuss the matter with your doctor. You have the right to object; however, this may affect our ability to provide you with medical care.
You have a right to withdraw your consent at any time, however this will not be retrospective.
Cookies and Internet Protocol (IP) logging
When you visit our website, our server will record your computer’s IP address (the numerical address under which your computer or network connects to the Internet) and the time and duration of your visit.
Links
From time to time our website may contain links to other sites. We are not responsible for the content or privacy practices of third parties that run other websites.
Right to complain
You have the right to complain to the Information Commissioner’s Office.
For further details about your rights under the Data Protection Act, please visit the Information Commissioner’s Office website: www.ico.org.uk
Telephone: 0303 123 1113.
E-mail online form: https://ico.org.uk/global/contact-us/email/
Write: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England, UK.