Patient Data Privacy Notice

Author: Jill Forbes, Clinical Services Manager

Version : 1.1

Date Issued: 15.03.23

Status: Final

Approved

Lead Director: Max Groome

Document Class: Notice

Target Audience

Patients, Directors, Business Manager, All Clinicians with Practicing Privileges, All TCH Employees

Distribution List: Patients; Directors; Business Manger; All Clinicians with Practicing Privileges; All TCH Employees

Distribution Method:

e-mail

Issue Date: 15.03.23

Review Date: February 2026

Consulted with the following:

Directors

Business Manager

Contact responsible for implementation and monitoring compliance:

Business Manager

Clinical Services Manager

Education and Training will be provided by:

Clinical Services Manager

Business Manager

Tayside Complete Health Patient Data Privacy Notice V1.1 March 2023

3

Introduction

This privacy notice sets out the basis on which any personal data Tayside Complete Health (TCH) collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

For the purpose of this privacy notice, the Data Protection Legislation shall mean any data protection or privacy legislation from time to time in force in the UK including the Data Protection Act 2018 and the UK General Data Protection Regulation

The Information We Collect From You

Records which TCH may hold about you may include the following: • Details about you, such as your address and next of kin • Any contact TCH has had with you, such as appointments, clinic visits, procedures etc. • Notes and reports about your health • Details about your treatment and care • Results of investigations, such as laboratory tests, scans, etc • Relevant information from other health professionals who care for you Why We Collect Information From You The primary purposes for collecting information are for the provision of healthcare services, and our statutory duty to maintain an accurate, complete and contemporaneous record in respect of each service user, including a record of the care and treatment provided and of decisions taken in relation to the care and treatment provided. In addition to routine correspondence relating to treatment and appointments, your contact details (including address, phone number or email address) may also be used to contact you by email, post, SMS or an interactive voice phone call, to obtain feedback on your experience in using TCH services In addition, we have a statutory duty under the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 to assess and monitor the quality of the experience of service users. Your responses to our patient satisfaction surveys will be anonymous and will not be traced back to you. Responses to other surveys will also be anonymous unless it is made clear to you that this is not the case, when we will only proceed with your specific consent. Your contact details may also be used to set up video-conferencing services. Pseudonymised aggregated patient data, from which you cannot be individually identified, may be used for service and cost planning to make the best possible use of resources, evaluate clinical practice and compare different ways of working, in order to evaluate how effective and efficient it is in delivering care to patients.

Who Might We Share Your Information With

TCH works with other health care organisations to improve care for patients, and where appropriate will share your information with other organisations or professionals involved in your care, so that you receive good quality care.

Tayside Complete Health Patient Data Privacy Notice V1.1 March 2023

4

Information kept by TCH will be made available to your GP, unless you have not given your consent for us to do so. There are exceptional circumstances whereby TCH may share information about you without your knowledge, for example, in an emergency, where there is a need to communicate urgent information or if information is required by law (such as a court order). We will only consider sharing information with other organisations or professionals where we consider it an important part of delivering effective care. Accessing Information About You

Where appropriate TCH will access your medical records from other organisations or professionals involved in your care where we consider it an important part of delivering effective care. However, you have a right to object to your information being accessed. Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed. Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement. You have a choice, called the National Data Opt-Out, about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care. How Long Your Information is Stored There is a requirement for TCH to hold a record of your information for a set length of time (which varies according to the type of information that it is). You can find further information on the rules that TCH must follow in line with the Information Governance Alliance, Records Management Code of Practice for Health and Social Care 2016. How Your Information is stored

Your health records are stored electronically. All information you provide to us is stored on secure servers and GDPR compliant data processors only.

Where We have given you (or where you have chosen) a password which enables you to access certain parts of Our Site(s), you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. How We Use Your Information The ways in which we use your information are governed by law. The principal legislation that applies is the EU General Data Protection Regulation (GDPR), which came into force on 25 May 2018 and has been incorporated into the Data Protection Act 2018. We are required to identify the legal basis under GDPR for processing your information.

Tayside Complete Health Patient Data Privacy Notice V1.1 March 2023

5

In addition, confidential information about you that you give to our staff to enable them to provide your care is governed by the common law duty of confidentiality, as described in our Information Governance policy. Medical Insurance Providers Where treatment is covered through by medical insurance providers TCH will share information with the health insurance provider for the following purposes: • To pre-authorise treatment • To invoice them for services • To assist them when they are investigating a complaint Your Rights The Data Protection Act gives you certain rights in respect of the information we hold about you: • Request a copy of information that we hold about you • Object to TCH using your personal data • Request to have your personal data rectified • Request to have your personal data erased TCH may refuse your request (in full or in part) where there is a legal basis to refuse and you will be notified of this. Where we have asked for your consent to collect and use your information, you have the right to withdraw that consent at any time. Requests to have Personal Data Rectified You are entitled to have personal data rectified if it is inaccurate or incomplete. TCH will respond within 30 calendar days. However, TCH may extend this period up to 60 calendar days for complex requests. TCH may refuse the request if it believes the information is accurate/complete or there is a legal basis to refuse and you will be notified of this. You have the right to complain to the Information Commissioner’s Office and to seek correction by order of a Court. Requests to Have Your Personal Data Erased This is more commonly known as the ‘right to be forgotten’. You may request to have your data erased where: • It no longer needs to be kept by TCH (it has surpassed the minimum retention period) • Where you withdraw your consent or object to the use of your data and there is no requirement for TCH to retain the data • It has been used unlawfully TCH may refuse your request (in full or part) where there is a legal basis to refuse and you will be notified of this. What to do if you have Concerns about the use of your Information

Tayside Complete Health Patient Data Privacy Notice V1.1 March 2023

6

The Business Manager and the Clinical Services Manager for TCH have a responsibility to ensure that the principles in this Policy are implemented effectively. If you have a concern you can email or telephone the Clinical Services Manager or Business Manager at TCH