Data Protection Privacy Notice

This privacy notice lets you know what happens to any personal data that you give to us, or any information that we may collect from you or about you from other organisations.

This privacy notice applies to personal information processed by or on behalf of Psychiatry-UK.

This Notice explains:

• Who we are and how we use your personal information
• What your rights are under Data Protection laws
• Why we need to use your personal information
• How we lawfully use your personal information
• Information on teams working within Psychiatry-UK who may need to use your personal information
• The use of third-party processors
• Where we store your electronic personal information
• Partner organisations who we may share personal information with
• When we can share personal information without consent
• How long we retain your personal information for
• How to raise an object/complaint
• Contact information for our Data Protection Officer, Patient Experience Team, and the Information Commissioner’s Office

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18) became law on 25th May 2018. The GDPR is a single EU-wide regulation on the protection of confidential and sensitive information and the DPA18 implements the regulations into comprehensive UK legislation. Following the decision for the UK to leave the European Union and following the end of the transition period, since January 1^st, 2021, the UK has been subject to an Adequacy Agreement which will allow data to continue to be shared with European Union Countries without further safeguarding being necessary. This has allowed the European Commission suitable time to grant the UK with adequacy status, meaning The UK has met the required standards in ensuring data transfers to and from the UK are safe. All references to GDPR are now referred to as UK GDPR.

For the purpose of applicable Data Protection legislation, including UK GDPR and the Data Protection Act 2018, the organisation responsible for your personal data, and referred to as the Data Controller, is Psychiatry-UK, who are registered with the Information Commissioner’s Office with the registration number ZB515474.

This Notice describes how we collect, use, and process your personal data, and how in doing so, we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.

We collect basic personal data about you, which includes name, address, telephone number, email address, date of birth, next of kin information, NHS number etc. This enables us to provide the appropriate treatment for you.

We will also collect sensitive confidential information known as “special category personal data,” in the form of health information, religious beliefs, (if required in a healthcare setting) ethnicity, sexuality, biometric data (if applicable) etc. and we may also receive this information about you from other health providers or third parties.

As an individual you have the following rights in relation to your personal information:

Right to be informed – as a data controller, we are required to inform individuals when their personal information is collected and about the intended purposes behind the processing of that information. This privacy notice ensures as an organisation we satisfy this right. We will ensure we update this notice on a regular basis to ensure you continue to be appropriately informed of how your personal information will be used.

Right to access your personal information– Everybody has the right to access their own personal information, as well as information relating to processing activities, and receive a copy of that information. This right is commonly referred to as a Subject Access Request (SAR).

We have recently launched a brand new Subject Access Request platform, accessible via the following link: https://psychuk.ams-sar.com which will allow patients to request their own personal information via a secure and accessible platform. Patients will have the ability to request, manage, and download documents. A full user guide is available via the link.

You can also make requests via any of the following methods:

By sending an email to:  health_records@psychiatry-uk.com, providing detail on what information you are requesting.

By Post to the following address: Psychiatry-UK, Health Records Department, 3b Fore Street, Camelford, Cornwall PL32 9PG, providing detail on what information you are requesting.

Verbally when engaged in a call or consultation with a member of our team.

There is no fee for a Subject Access Request, and you will receive your information within one calendar month from the date of request. For complex requests we are entitled to apply an extension of a further 2 months, but you will be informed of this as soon as possible to manage your expectations. To validate any request for information we will need to obtain proof of identity and in the case of third-party requests, the required authority to act must be provided before we can disclose any personal information.

For any help and support in relation to a Subject Access Request please contact the Health Records Team at health_records@psychiatry-uk.com

Please be mindful that when we release information to satisfy a Subject Access Request the information is for the personal use of the requestor only.  It is not to be shared with anybody else and not to be used inappropriately, for example posting onto social media sites.  Individuals can be subject to prosecution for posting information in the public domain as ruled by the High Court.

Right to rectification – The correction of personal data when incorrect, out of date or incomplete will be rectified by Psychiatry-UK without undue or excessive delay. If, however such requests are linked to legally significant matters, such as confirming legal identity, we may require proof of any alleged inaccuracy before we are able to rectify the information held. Please ensure when consulting with Psychiatry-UK we have the correct contact details for you at all times and be prepared to have personal information checked and verified at every appointment/telephone call.

Right to erasure – Under Article 17 of the UK GDPR individuals have the right to have personal data erased or deleted. This is also known as the ‘right to be forgotten.’ The right is not absolute and only applies in certain circumstances, for example when your personal data is no longer necessary for the purpose which it was originally collected or processed for, or if you wish to withdraw your consent after you have previously given your consent. If you wish to make a request to erase personal data, please email our Information Governance Team at information.governance@psychiatry-uk.com.

Right to restrict processing – Article 18 of the UK GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that you can limit the way that the organisation uses your data. This is an alternative to requesting the erasure of your data.

Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction. If you wish to make a request to restrict the processing of personal data, please email our Information Governance Team at information.governance@psychiatry-uk.com.

Right to data portability – Under UK GDPR, individuals have the right to data portability in situations where the personal data that they have provided to Psychiatry-UK  is processed by automated means on the basis of consent, or where the personal information is necessary for the performance of a contract. Individuals are entitled to have their personal information transmitted directly from one data controller to another if it is technically feasible to do so. This means being in a structured, commonly used, and machine-readable format.

Right to object to processing – individuals have the right to object to the processing of their personal information on grounds relating to their particular situation and to data processed for direct marketing purposes, however if we can demonstrate compelling legitimate grounds to process the information then processing can continue. If we did not process any personal information about you and your health care needs it would be very difficult for us to care for and treat you. If you wish to object to the processing of personal data, please email our Information Governance Team at information.governance@psychiatry-uk.com.

Rights in relation to automated decision making and profiling – Automated individual decision-making is a decision made by automated means (i.e., a computer system) without any human intervention. If any of the processes we use rely on automated decision making, you do have the right to ask for a human to review any computer-generated decision at any point.

The healthcare professionals who provide you with care maintain records about your health and any treatment or care you have received previously. These records help to provide you with the best possible healthcare and treatment.

Psychiatry-UK is an online provider of services so is reliant upon electronic systems, although there may be times that a clinician records paper records which will then be uploaded into your record for completeness. We use a combination of working practices and technology to ensure that your information is kept confidential and secure.

Records about you may include the following information:

• Details about you, such as your address, your carer or legal representative and emergency contact details
• Any contact the organisation has had with you, such as appointments, virtual clinic visits, and emergency appointments
• Notes and reports about your health
• Details about your treatment and care
• Results of investigations such as laboratory tests, x-rays etc
• Relevant information from other health professionals, relatives or those who care for you
• Contact details (including email address, mobile telephone number and home telephone number)

To ensure you receive the best possible care, your records are used to facilitate the care you receive, including contacting you. Information held about you may be used to help protect the health of the public and to help us manage the services we provide. Some of your information will be used by our Risk, Assurance and Audit Team for clinical audit purposes to monitor the quality of the services we provide.

We need your personal and confidential information in order to provide you with healthcare services and under the UK GDPR we will be lawfully using your information in accordance with the following legal bases:

Article 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Article 6 (1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject.

Article 9 (2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

Psychiatry-UK may however choose an alternative legal basis dependent on the specific requirements and purpose of the data sharing, including:

• Consent – We would obtain freely given, specific, unambiguous, and explicit consent to process your personal data for certain purposes
• Contract – The processing is necessary for a contract we have or wish to enter into.
• Legal Obligation – The processing is necessary for us to comply with the law
• Vital Interest – The processing is necessary to protect someone’s life
• Public Interest – The processing is necessary to perform a task in the public interest or for official functions and the task or function has a clear basis in law

Also, if there is a safeguarding concern then data may be shared to protect the adult or child who safety is a concern to the healthcare professionals.

We have set out in the table below the conditions within UK GDPR that we rely on when we use your data:

This Privacy Notice applies to the personal information of service users and any personal information given to us about carers/family members etc.

The data received from either via a GP Referral, or through the self-referral route, will be used to create a record on our electronic patient record system, which is called MedQare.  Once the referral has been received and assessed for suitability, you will receive via email unique log-in details for MedQare.  All appointments and consultations will be facilitated through MedQare so it is imperative that you keep your unique and individual log in details safe.  Only clinicians directly involved in your care, and a small number of additional staff, such as audit staff and administration staff with a proven need, will be able to access your information.  The MedQare system operates under the most advanced security requirements so we can demonstrate to you, our patients, that confidentiality of patient data is central to all we do and of upmost importance.  MedQare was specifically developed for Psychiatry-UK by Software Solutions Southwest, who act as a data processor to support with any issues, and do not have any access to your patient data held in MedQare.

Psychiatry-UK would like to use your name, contact details, and email address to inform you of additional services, or provide information about your health to manage your healthcare needs. There may be occasions where authorised research facilities would like you to take part in research in regard to your particular health issues, to try and improve your health.

Your contact details may be used to invite you to receive further information about such research opportunities, but you must give your explicit consent to receive messages for research purposes. When using electronic methods to communicate with our patients, we ensure we abide by the requirements of the Privacy and Electronic Communication Regulations 2003 and review these regulations alongside the UK GDPR to ensure we are using your data appropriately when communicating with you.

Psychiatry-UK ask appropriately qualified clinicians to undertake necessary reviews to ensure patients are receiving safe and effective care, and as such may access personal data for this specific reason. Appropriate information sharing is an essential part of the provision of safe and effective care, and this includes information relating to patient’s medicines.

Patients may be put at risk if those who are providing their care do not have access to relevant, accurate and up-to-date information about them. Registered clinical professionals have both ethical and legal duties to protect patients’ personal information from inappropriate disclosure. The legal basis that allows us to do this is found in Article 6 (1) (e) of UK GDPR:

Article 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Article 6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject.

Psychiatry-UK have a team of appropriately trained prescribers who will be responsible for ensuring any medication you are prescribed is suitable for your needs with the appropriate dosage prescribed. To enable us to do this role effectively and in line with current guidelines, we will require to obtain some additional information from you, including blood pressure, pulse reading and weight.

There may also be a requirement for ECG results or blood test results that have been carried out by your GP, to be shared with us. This information is required to ensure you are suitable for the proposed treatment. Only designated staff will have access to your information, and access will be granted on a case-by-case basis to ensure we have robust measures in place to limit the amount of staff who will access to your personal and special category data. The legal basis that allows us to do this is found in Article 6 (1) (e) of UK GDPR:

Article 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Article 6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject.

Article 9 (2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

Psychiatry-UK is dedicated to ensuring that the principles and duties of safeguarding adults and children are consistent and ethically and morally applied with the wellbeing of all patients being at the heart of what we do.

Our legal basis for processing information for safeguarding purposes, as stipulated in the UK GDPR is:

Article 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Article 6(1)(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person.

For the processing of special categories data, the basis is:

Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law

Categories of personal information when handling safeguarding issues

The personal information collected by Psychiatry-UK staff in the event of a safeguarding situation, will be minimised to include only the personal information that is necessary in order to handle the situation in the most appropriate way. In addition to basic demographic and contact information, Psychiatry-UK will also share details of what the safeguarding concern is, which is likely to include special category information, such as health information, medication details if applicable and any additional information that has raised concern. Psychiatry-UK will either receive or collect information in the event that someone contacts the organisation with safeguarding concerns, or we believe there may be safeguarding concerns requiring us to make enquiries to relevant health and social care providers.

We may share information in the most appropriate way to ensure our duty of care as a healthcare provider is evidenced and to enable any investigations as required with other partner organisations such as local authorities, the police or healthcare professionals, it will be carried out in the most appropriate way.

In order to deliver the best possible services to you, Psychiatry-UK will share data (where required) with other organisations for example NHS bodies such as GP practices and hospitals. In addition, Psychiatry-UK will use carefully selected third-party service providers.

When we use a third-party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:

• Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services; data hosting service providers; systems which facilitate appointment bookings; document management services, translation and transcribing services etc.
• Payment providers

Further details regarding specific third-party processors can be supplied on request to Psychiatry-UK.

Psychiatry-UK is committed to protecting your privacy and will only use information collected lawfully in accordance with relevant legislation, regulations, and directives, including:

• Data Protection Act 2018
• The UK General Data Protection Regulations (UK GDPR)
• Human Rights Act 1998
• Common Law Duty of Confidentiality
• Health and Social Care Act 2012
• Records Management Code of Practice 2021
• Department of Health Publication “Information: To Share or Not to Share”

Every member of staff who works for Psychiatry-UK has a legal obligation to keep information about you confidential.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e., life or death situations), where the law requires information to be passed on and/or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (“Information to share or not to share”) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework advocated by the Caldicott Principles. (https://www.ukcgc.uk/manual/principles)

One of our main philosophies is to respect the privacy of our patients, their families, and our staff and to maintain compliance with the UK GDPR and all UK specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be protected.

All employees and sub-contractors engaged by Psychiatry-UK are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor for Psychiatry-UK an appropriate contract will be established for the processing of your personal information.

In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact us if you wish to withdraw your consent. In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes but only where we have the required lawful basis to do so.

Staff employed by Psychiatry-UK but working overseas

There is no absolute barrier to staff members working overseas from a data protection perspective. However, various potential data protection issues and risks can arise where a worker works remotely from overseas, and where personal data is transferred between the organisation and the worker.  Every staff member who works overseas is directly employed by Psychiatry-UK and the ICO regards direct employment relationships with a UK based organisation as outside the scope of these specific requirements, but if the individual is a contractor or outsourced (including employed by an overseas subsidiary or agent), then the restrictions will apply.

The following three criteria must be met for the UK GDPR’s international data transfer rules to apply in respect of a data processing activity:

1. A controller or processor is subject to the UK GDPR.  Psychiatry-UK is the data controller responsible for all your data and we must ensure we apply all requirements of the UK GDPT – any staff member based overseas remains subject to the UK GDPR.
2. The controller or processor (exporter) discloses personal data (either by transmission or otherwise making such personal data available) to another controller, joint controller, or processor (importer).  Staff themselves are not data controllers and have to abide by strict codes of conduct in relation to the way they handle data.  All staff working overseas are required to ensure data is not localised in the foreign country (i.e., They use VPNs or remote access, etc. rather than data being stored on local computers).
3. The importer of the personal data is in a third country or is an international organisation (the importer does not need to be subject to the GDPR).

The ICO has recently confirmed that it does not regard sending data to an employee (or making data available to an employee) overseas as an international transfer.  In its updated guidance , it specifically sets out that “if you are sending personal data to someone employed by you or by your company or organisation, this is not a restricted transfer. The transfer restrictions only apply if you are sending personal data outside your company or organisation.”

We do keep up to date with countries who have met adequacy arrangements, and the UK has adequacy provisions within the following countries and territories:

The EU member states are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.  The EFTA states are Iceland, Norway, and Liechtenstein.

Adequacy is also in place with Gibraltar, The Republic of Korea, Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, and Uruguay. In August 2021, the UK Government announced that it is working in partnership with a number of priority destinations which may be the subject of adequacy regulations in the future, including Australia, Brazil, Colombia, the Dubai International Financial Centre, India, Indonesia, Kenya and Singapore.  There is a list of appropriate safeguards in Article 46 of the UK GDPR that we must adhere to.

All our systems at PUK are UK-based and housed and stored in UK datacentres only – we store clinical information on our UK based MedQare Portal and our Microsoft platform which is hosted in the UK.  We do have some staff based overseas but every staff member based overseas must use PUK-encrypted laptops and ensure that all data is stored within our secure sites and are not permitted to download information to desktops.  We use several techniques to monitor that staff comply with this.  Our organisation was rigorously assessed to achieve Cyber Essential Plus accreditation, which focuses on the integrity and resilience of our IT systems and the assessors were satisfied with the steps taken to provide assurances on the safe use and storage of data, even if a staff member is based outside of the UK.  PUK has a general obligation to ensure that the data they handle is processed fairly, lawfully, and transparently. They are also required to ensure that data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures. These obligations apply irrespective of where in the world data is being processed.

All the personal information we hold is held electronically on our clinical system, a patient portal called MedQare, a system which is advocated and used by Psychiatry-UK and has robust security measures and assurances in place in relation to the way it handles personal confidential information.

Cloud Storage

The MedQare system is backed up to a cloud storage solution hosted by Amazon Web Services (AWS). All information backed up to the cloud storage solution will remain in the UK at all times and will be fully encrypted both in transit and at rest. Using a cloud storage solution will not change the control of access to your personal information and the hosted service provider will not have any access to the decryption keys. AWS is one of the world’s largest cloud companies, already supporting numerous clients (including the NHS), and it offers the very highest levels of security and support.

As stated in this Privacy Notice, we may have to share your information, subject to strict contracts and agreements, with any of the following organisations:

• NHS Trusts/Foundation Trusts  
• GP Practices  
• Integrated Care Boards (ICBs) who are responsible for commissioning health services within your local area 
• Other private sector providers, under contract and to meet lawful obligations
• Emergency services, if required to facilitate welfare/safeguarding checks  
• Social Care Services  
• Local Authorities  
• Education Services  
• Police & Judicial Services  
• Other ‘data processors’, which you will be informed of

You will be informed who your data will be shared with and in some cases asked for consent for this to happen when this is required.

There are times when we may be required by law to share your information without your consent, for example:

• Where we have an overarching lawful basis that allows us to share, for example for your direct health care needs. This includes sharing information with your GP if you have been referred under Right to Choose or through a contract your local NHS provider hold with us.  We are required to share information, including a copy of the assessment report, to update your GP on your referral, and this information is transmitted using encrypted email and is stored under strict security controls as part of your GP record.
• For private patients we are still required to share information with your GP if you have been diagnosed with a specific condition that must be recorded in your health record and if you have been prescribed medication as it is imperative that your GP record includes this to safeguard you and ensure an accurate updated list of medications is available to those involved in your direct care. If you have concerns about this you are advised to speak directly with the clinician involved in your care.
• Where there is a serious risk of harm or abuse to you or other people.
• Safeguarding matters and investigations.
• Where a serious crime, such as assault, is being investigated or where it could be prevented.
• Where a formal court order has been issued.
• Where there is a legal requirement, for example if you had committed a Road Traffic Offence.

Psychiatry-UK is committed to ensuring when required to share personal information we will endeavour to share only the minimal amount of information as is necessary for the given purpose.

Invoice validation

As Psychiatry-UK provides services for the NHS, if a patient is seen under a contract we hold with one of the NHS Integrated Care Boards (ICB), or through the Right to Choose initiative, the NHS is responsible for paying the invoice for those services.  As such, PUK is able to use Invoice Validation protocols to submit limited personal information to the ICBs. This will be in the form of your NHS Number and Date of Birth only. When dealing with the NHS, the approval to share such information was approved by the Secretary of State for Health via the Confidentiality Advisory Group (CAG) with a specific reference of 7-07(a-c)/2013 applied for invoice validation purposes.

The National Data Guardian outlined in the national review of data security, consent and opt-outs, that members of the public did not express a concern about their information being used for payment purposes.

When sending information to an ICB for invoice purposes, we will always use encrypted email to ensure enhanced security protocols are followed to ensure the confidentiality of your data.

When storing your personal information, we ensure, as required under UK Data Protection legislation, that we keep your information for the required timeframes and given the nature of the services we provide, we adhere to the NHS Records Management Code of Practice for Health and Social Care and national archives requirements. Adult Mental Health Records are required to be retained for a period of 20 years or 10 years after death with child records retained until the 25^th birthday (or 26^th birthday if young person was 17 years of age when treatment ended).

More information on the relevant retention periods can be found in the NHS Records Management Code of Practice 2021.

If, following the end of the retention period, any documents need to be securely disposed of, Psychiatry-UK will ensure they undertake key responsibilities in relation to their secure disposal, including:

• Ensuring that information held in manual form is destroyed using a cross-cut shredder or contracted to a reputable confidential waste company that complies with European Standard EN15713 and obtain certificates of destruction.
• Ensuring that electronic storage media used to store, or process information are destroyed or overwritten to national standards. All data which exists on our Microsoft platform is identified, categorised, assigned an owner and a retention period. An automation tool then identifies data which has exceeded it’s retention period, the owner is notified who reviews the data’s lifespan and either manually deletes if appropriate or extends the retention period if there is a valid reason.

As with all health and social care organisations, Psychiatry-UK are required to submit to the Data Security and Protection Toolkit (DSPT), an online assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 Data Security Standards.

All organisations that have access to NHS patient information and systems must use the DSPT to provide assurance that they are practicing good data security and that personal information is handled correctly. Psychiatry-UK submitted the year submission for the 2022/23 DSPT in June 2023 and achieved a Standards Exceeded Status.

Should you have any concerns about how your personal information is managed, please contact Psychiatry UK’s Data Protection Officer in the first instance:

Named Data Protection Officer: Mrs. Liz Griffiths

Post: Psychiatry-UK, 3b Fore Street, Camelford, Cornwall, PL32 9PG

 E-mail: dpo@psychiatry-uk.com

 If you have a complaint about other aspects of your care, please contact the Patient Experience Team using the below details:

E-mail: experience@psychiatry-uk.com

You also have the right to lodge a complaint with the UK’s independent authority on data protection issues, the Information Commissioner’s Office using the contact details below, and quoting the ICO registration number of: ZB515474.

Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Tel: 01625 545745

Website contact: https://ico.org.uk/