Privacy Policy
There are new data protection rules in the EU that come into force on 25th May 2018. This has meant that we have reviewed and updated our privacy policy and security practices to comply with the new rules.
Our privacy policy can be downloaded or viewed below. Please note that we require your consent to share your personal information with your insurance company in order to invoice them directly for your treatment. If you do not consent to this, you will need to settle our invoices yourself and recover the costs from your insurance company.
Dr Victoria Cook – Private Practice Privacy Policy
Version 1.0
May 2018
1. Who we are
This policy relates to the private medical practice of Dr Victoria Cook, based at the BMI Bishops Wood Hospital in Northwood. The policy covers Dr Victoria Cook and support staff (e.g. medical secretaries) employed or retained by the practice.
Please note that your data may also be held by other organisations related to your care, for example your insurance company or the Bishops Wood Hospital. These organisations will have their own privacy and data protection notices.
2. Privacy Policy – The Simple Version
We promise
· To keep your data safe and secure
· To retain your medical records for a period based on NHS recommendations.
· Not to sell your data or use it for marketing purposes
We may share your data with other organisations for the following reasons.
· With other medical professionals, directly related to your medical care. This may include:
o Referral letters to other medical professionals,
o Reports on your consultation and/or treatment to your GP
o Requests for tests or imaging
· With your medical insurance company (or their designated intermediary) to meet their requirements in processing your claim. In this case we require your explicit consent, obtained through our patient registration form. Please note the following:
o You may withdraw your consent for this at any time by a request made in writing.
o If you do not give (or later withdraw) your consent, we will not be able to pass any information on to your insurance company. In this case you will need to pay our invoices yourself and submit them to your insurance company for reimbursement.
· With debt recovery agencies in the event of a failure to pay an invoice after 30 days.
3. Privacy Notice – The Full Legal Version
The EU’s General Data Protection Regulation (GDPR) applies in the UK from 25th May 2018. The following sub-sections set out your rights under the new law and provide the data protection information required by the GDPR.
3.1 Data Controller Contact Details
The practice Data Controller & Data Protection Officer is Mike Gadsdon; he can be contacted via the practice e-mail admin@gynconsult.co.uk with ‘FAO: Data Controller’ in the subject line.
3.2 Purpose, Lawful Basis & Legitimate Interest
The GDPR says that we can only use your personal information if we have a lawful reason for doing so. The GDPR defines several reasons, but those relevant in our case are:
· To fulfil a contract we have with you,
· When it is in our legitimate interest,
· When it is our legal duty, or
· When you consent
The table below lists the ways in which we use your personal information and which of the reasons applies in each case. Where one of the reasons is our legitimate interests, these are also explained.
| Use of Personal Information | GDPR Reasons | Detailed Reasons & Legitimate Interests |
|---|---|---|
| To manage our relationship with you | Fulfilling contracts; Our legitimate interests | · We need to be able to contact you for administrative reasons or to discuss your treatment or test results. · It is in our legitimate interests to be able to contact you for the purposes of invoicing or chasing unpaid accounts. |
| To manage your medical records | Fulfilling contracts; Our legal duty; Our legitimate interests | · The General Medical Council makes it the duty of a doctor to make and maintain accurate medical records (Good Medical Practice, Articles 19-21). · Accurate medical records are necessary to provide safe and correct care for you. · It is in our legitimate interest to hold clinical records for legal medical protection reasons. |
| To manage & provide your direct clinical care | Fulfilling contracts; Our legal duty | · The General Medical Council makes it the duty of a doctor to share information required for your treatment (Good Medical Practice, Articles 16 & 44). · In order to meet your clinical care needs, we may need to use your data to request tests, imaging or other medical intervention. · If you require a procedure, we may need to use your data to organise this with other medical professionals and the Hospital. |
| To report on your treatment to your GP or refer to another medical professional | Fulfilling contracts; Our legal duty | · The General Medical Council makes it the duty of a doctor to share information when referring to other health care providers (Good Medical Practice, Article 44). · We will use your data to inform your GP of the results of your consultation or treatment to ensure that your GP medical records are kept up to date. · We may use your data to refer you to another medical professional for further treatment. |
| To assist in your relationship with your medical insurance company | Consent | · We will use your data to report on consultations and treatments received as required by your insurance company and to secure payment of your account. Data may be shared either directly with the insurance company or via an intermediary as required by the insurance company. |
| To manage non-payment of your account | Fulfilling contracts; Our legitimate interests | · It is in our legitimate interest to share contact and outstanding invoice information with debt recovery agencies in the case of non-payment of your account. |
3.3 Categories of Personal Information
We use the following categories of personal data:
· Contact – Where you live and how to contact you
· Transactional – Details on invoices issued to you and payments received
· Insurance – Details on your medical insurance company and policy number
· Communications – Records of letters sent to you, your GP and other medical professionals in relation to your care.
· Medical – Your medical records, consisting of notes made by Dr Cook, referral letters, test results, imaging and other medical information collected during your treatment.
The GDPR identifies special category data which is particularly sensitive. Special category data includes data related to:
· Health
· Genetics
· Sex life
· Sexual orientation
Personal data relating to Health will always be included in your medical records. Data relating to the other special categories listed above may also be included in your medical records.
The GDPR permits processing of special category data for the purposes of medical diagnosis and the provision of health care (under Article 9(2)(h)). We process your special category data on this basis.
3.4 Source of Personal Information
We collect personal information about you from the following sources:
· From you
o When booking appointments, especially for a first appointment
o When you communicate with Dr Cook or our medical secretaries
o During your consultations
o In our patient registration form
· Generated by us
o Medical notes on your consultation and treatments
o Invoices issued for treatments
o Payments received
o Referral letters to other medical professionals
o Letters to your GP
o Requests for medical tests, imaging or other interventions
· From your medical insurance company
· From the BMI Bishops Wood Hospital
· From your GP or other referring medical professional
· From providers of medical tests, imaging or other interventions
3.5 Recipients of Personal Information
We may share personal information about you with the following organisations:
· Your GP
· Your medical insurance company (if you are funded from medical insurance) – only if you consent
· An intermediary company (e.g. HealthCode) if this is what your medical insurance company requires – only if you consent
· Other medical professionals
· Providers of medical tests, imaging or other interventions
· Debt recovery agencies (only in cases of non-payment of invoices)
3.6 Third Country Transfer
We use an EU (but not UK) based cloud storage provider to store some of your personal data. However, all such data is encrypted prior to transfer and the cloud storage company does not have access to the encryption keys. Consequently, your data is accessible only to practice staff.
3.7 Data Retention Period
We follow the NHS recommended minimum retention of hospital records. This is 8 years after the conclusion of treatment for adults. In the case of children, records are retained until the patient is 25, or until 26 if the patient was 17 at the time of treatment.
For medical records relating to cancer treatment or diagnosis, the minimum retention period is longer: records are kept for 30 years or until 8 years after death.
These are minimum retention periods; records will be assessed after this period but may be retained for longer if there are good reasons for this.
3.8 Automated Decision Making
We do not use personal information for any automated processing or decision making.
3.9 If You Choose Not to Provide Personal Information
We will be unable to provide any consultation or treatment in the event that you choose not to provide any personal information.
3.10 Your Rights Under the GDPR
The GDPR provides a set of rights relating to your personal data. These are outlined below:
· The right to be informed – your right to be informed is met by this privacy notice.
· The right of access – you have a right to request a copy of your personal information.
· The right to rectification – you have the right to ask us to correct inaccurate or incomplete data that we have for you.
· The right to erasure – you have a right to have your personal information erased; however, this right is not absolute and applies only in some circumstances.
· The right to restrict processing – you have the right to block or suppress processing of data (but not its storage); however, this right is not absolute and applies only in some circumstances.
· The right to data portability – you have the right to obtain your personal data in a portable data format; this right is limited to certain data types.
o In particular, it does not cover your medical records as these are not held in electronic form.
· The right to object – you have the right to object to data processing based on legitimate interests.
o If you object, we must stop processing your personal data unless
§ We can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual, or
§ The processing is for the establishment, exercise or defence of legal claims
· Rights in relation to automated decision making and profiling – not applicable as we perform no such processing.
· You also have the right to withdraw consent.
Please contact the Data Controller (see contact details in section 3.1) if you wish to exercise or discuss your rights under GDPR.