This privacy notice lets you know what happens to any personal data that you give to us, or any information that we may collect from you or about you from other organisations. This privacy notice will apply to all sites controlled by Psychiatry-UK/The HLP Group (hereby referred to as “The Group”), including Psychiatry-UK, HLP-Me, HLP-U and MedQare.
This privacy notice applies to personal information processed by or on behalf of the Group.
This Notice explains:
- Who we are and how we use your personal information
- What your rights are under Data Protection laws
- Why we need to use your personal information
- How we lawfully use your personal information
- Information on teams working within the Group who may need to use your personal information
- The use of third-party processors
- Where we store your electronic personal information
- Partner organisations who we may share personal information with
- When we can share personal information without consent
- How long we retain your personal information for
- How to raise an objection/complaint
- Contact information for our Data Protection Officer, Patient Experience Team, and the Information Commissioner’s Office
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18) became law on 25th May 2018. The GDPR is a single EU-wide regulation on the protection of confidential and sensitive information and the DPA18 implements the regulations into comprehensive UK legislation. Following the decision for the UK to leave the European Union and following the end of the transition period, since January 1st, 2021, the UK has been subject to an Adequacy Agreement which will allow data to continue to be shared with European Union Countries without further safeguarding being necessary. This has allowed the European Commission suitable time to grant the UK with adequacy status, meaning the UK has met the required standards in ensuring data transfers to and from the UK are safe. All references to GDPR are now referred to as UK GDPR.
For the purpose of applicable Data Protection legislation, including UK GDPR and the Data Protection Act 2018, the organisation responsible for your personal data, and referred to as the Data Controller, is The HLP Group/Psychiatry-UK.
This Notice describes how we collect, use, and process your personal data, and how in doing so, we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.
We collect basic personal data about you, which includes name, address, telephone number, email address, date of birth, next of kin information, NHS number etc. This enables us to provide the appropriate treatment for you.
We will also collect sensitive confidential information known as “special category personal data,” in the form of health information, religious beliefs, (if required in a healthcare setting) ethnicity, sexuality, biometric data (if applicable) etc. and we may also receive this information about you from other health providers or third parties.
As an individual you have the following rights in relation to your personal information:
Right to be informed – as a data controller, we are required to inform individuals when their personal information is collected and about the intended purposes behind the processing of that information. This privacy notice ensures as an organisation we satisfy this right. We will ensure we update this notice on a regular basis to ensure you continue to be appropriately informed of how your personal information will be used.
Right to access your personal information – you can request access to and/or copies of the personal data we hold about you, free of charge (subject to exemptions). We will aim to provide your information within one calendar month as required by the Data Protection Act 2018 and will notify you if this is not possible for whatever reason. Requests can be made verbally or in writing, but we do ask that you provide us with adequate information to process your request, such as providing full name, address, date of birth, NHS number and details of your request and, where necessary, any documents to verify your identity.
On processing a request there may be occasions when information may be withheld if we as an organisation believe that releasing the information to you could cause serious harm or distress. Information may also be withheld if another person (i.e., a third party) is identified in the record, and they do not want their information disclosed to you. However, if the other person mentioned in your records was acting in their professional capacity in caring for you, in normal circumstances they could not prevent you from having access to that information.
How to access your personal information
To request a copy or request access to information we hold about you please use one of the following contact methods:
Post: Health Records Department, Trewalder Chapel, Trewalder, Cornwall PL33 9ET
Email: health_records@psychiatry-uk.com
Right to rectification – The correction of personal data when incorrect, out of date or incomplete will be rectified by Psychiatry-UK/HLP Group without undue or excessive delay. If, however, such requests are linked to legally significant matters, such as confirming legal identity, we may require proof of any alleged inaccuracy before we are able to rectify the information held. Please ensure when consulting with Psychiatry-UK/HLP Group we have the correct contact details for you at all times and be prepared to have personal information checked and verified at every appointment/telephone call.
Right to erasure – Under Article 17 of the UK GDPR individuals have the right to have personal data erased or deleted. This is also known as the ‘right to be forgotten.’ The right is not absolute and only applies in certain circumstances, for example when your personal data is no longer necessary for the purpose which it was originally collected or processed for, or if you wish to withdraw your consent after you have previously given your consent.
Right to restrict processing – Article 18 of the UK GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that you can limit the way that the organisation uses your data. This is an alternative to requesting the erasure of your data.
Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction.
Right to data portability – Under UK GDPR, individuals have the right to data portability in situations where the personal data that they have provided to the Group is processed by automated means on the basis of consent, or where the personal information is necessary for the performance of a contract. Individuals are entitled to have their personal information transmitted directly from one data controller to another if it is technically feasible to do so. This means being in a structured, commonly used, and machine-readable format.
Right to object to processing – individuals have the right to object to the processing of their personal information on grounds relating to their particular situation and to data processed for direct marketing purposes, however if we can demonstrate compelling legitimate grounds to process the information then processing can continue. If we did not process any personal information about you and your health care needs it would be very difficult for us to care for and treat you.
Rights in relation to automated decision making and profiling – Automated individual decision-making is a decision made by automated means (i.e., a computer system) without any human intervention. If any of the processes we use rely on automated decision making, you do have the right to ask for a human to review any computer-generated decision at any point.
The healthcare professionals who provide you with care maintain records about your health and any treatment or care you have received previously. These records help to provide you with the best possible healthcare and treatment.
Psychiatry-UK/HLP Group is an online provider of services so is reliant upon electronic systems, although there may be times that a clinician records paper records which will then be uploaded into your record for completeness. We use a combination of working practices and technology to ensure that your information is kept confidential and secure.
Records about you may include the following information:
- Details about you, such as your address, your carer or legal representative and emergency contact details
- Any contact the organisation has had with you, such as appointments, virtual clinic visits, and emergency appointments
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations such as laboratory tests, x-rays etc
- Relevant information from other health professionals, relatives or those who care for you
- Contact details (including email address, mobile telephone number and home telephone number)
To ensure you receive the best possible care, your records are used to facilitate the care you receive, including contacting you. Information held about you may be used to help protect the health of the public and to help us manage the services we provide. Some of your information will be used by our Risk, Assurance and Audit Team for clinical audit purposes to monitor the quality of the services we provide.
We need your personal and confidential information in order to provide you with healthcare services and under the UK GDPR we will be lawfully using your information in accordance with the following legal bases:
Article 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Article 9 (2) (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.
The Group may however choose an alternative legal basis dependent on the specific requirements and purpose of the data sharing, including:
- Consent – We would obtain freely given, specific, unambiguous, and explicit consent to process your personal data for certain purposes
- Contract – The processing is necessary for a contract we have or wish to enter into.
- Legal Obligation – The processing is necessary for us to comply with the law
- Vital Interest – The processing is necessary to protect someone’s life
- Public Interest – The processing is necessary to perform a task in the public interest or for official functions and the task or function has a clear basis in law
Also, if there is a safeguarding concern then data may be shared to protect the adult or child whose safety is a concern to the healthcare professionals.
We have set out in the table below the conditions within UK GDPR that we rely on when we use your data:
Purpose | Article 6 condition | Article 9 condition |
---|---|---|
All Patients | | |
Cooperate with regulators, e.g. the Care Quality Commission | Article 6(1)(e) – public task; Article 6(1)(c) – compliance with a legal obligation | Article 9(2)(g) – substantial public interest |
Compliance with legal obligations, e.g. a court order requiring us to release information | Article 6(1)(c) – compliance with a legal obligation | Article 9(2)(f) – establishment, exercise or defence of legal claims; Article 9(2)(g) – substantial public interest |
Dealing with disputes, for example if you make a legal claim against one of our clinicians | Article 6(1)(f) – legitimate interests (we have a legitimate interest in being able to deal with disputes and legal claims) | Article 9(2)(f) – establishment, exercise or defence of legal claims |
Dealing with any risk to public health | Article 6(1)(e) – public task; Article 6(1)(c) – compliance with a legal obligation | Article 9(2)(h) – healthcare and social care purposes; Article 9(2)(i) – public health |
NHS Patients | | |
Providing you with our services | Article 6(1)(e) – public task | Article 9(2)(h) – healthcare and social care purposes |
Helping to maintain the quality of and improve our services | Article 6(1)(e) – public task; Article 6(1)(f) – legitimate interests (we have a legitimate interest in maintaining and improving the quality of our services) | Article 9(2)(h) – healthcare and social care purposes |
Providing information back to your NHS GP surgery | Article 6(1)(e) – public task | Article 9(2)(h) – healthcare and social care purposes |
Helping other organisations delivering NHS or social care to provide you with services. | Article 6(1)(e) – public task | Article 9(2)(h) – healthcare and social care purposes |
Letting you know more about our services and offers, including those from relevant third parties | Article 6(1)(a) – consent | Article 9(2)(a) – consent |
Planning and research purposes | Article 6(1)(a) – consent | Article 9(2)(a) – consent |
Private Patients | | |
Providing you with our services | Article 6(1)(b) – performance of a contract | Article 9(2)(h) – healthcare and social care purposes |
Helping maintain the quality of and improve our services | Article 6(1)(f) – legitimate interests (we have a legitimate interest in maintaining and improving the quality of our services) | Article 9(2)(h) – healthcare and social care purposes |
Carrying out credit checks using our own or third-party providers | Article 6(1)(b) – performance of a contract | No special category data used |
Obtaining payment from you for our services | Article 6(1)(b) – performance of a contract | No special category data used |
Letting you know more about our services and offers, including those from relevant third parties | Article 6(1)(a) – consent | Article 9(2)(a) – consent |
Planning and research purposes | Article 6(1)(a) – consent | Article 9(2)(a) – consent |
This Privacy Notice applies to the personal information of service users and any personal information given to us about carers/family members etc.
The data received, either via a GP referral or through the self-referral route, will be used to create a record on our electronic patient record system, which is called MedQare. Once the referral has been received and assessed for suitability, you will receive via email unique log-in details for MedQare.
All appointments and consultations will be facilitated through MedQare so it is imperative that you keep your unique and individual log in details safe. Only clinicians directly involved in your care, and a small number of additional staff, such as audit staff and administration staff with a proven need, will be able to access your information.
The MedQare system operates under the most advanced security requirements so we can demonstrate to you, our patients, that confidentiality of patient data is central to all we do and of utmost importance. MedQare was specifically developed for Psychiatry-UK/HLP Group by Software Solutions Southwest, who act as a data processor to support with any issues, and do not have any access to your patient data held in MedQare.
Psychiatry-UK/HLP Group would like to use your name, contact details, and email address to inform you of additional services, or provide information about your health to manage your healthcare needs. There may be occasions where authorised research facilities would like you to take part in research in regard to your particular health issues, to try and improve your health.
Your contact details may be used to invite you to receive further information about such research opportunities, but you must give your explicit consent to receive messages for research purposes. When using electronic methods to communicate with our patients, we ensure we abide by the requirements of the Privacy and Electronic Communication Regulations 2003 and review these regulations alongside the UK GDPR to ensure we are using your data appropriately when communicating with you.
Psychiatry-UK/HLP Group ask appropriately qualified clinicians to undertake necessary reviews to ensure patients are receiving safe and effective care, and as such may access personal data for this specific reason. Appropriate information sharing is an essential part of the provision of safe and effective care, and this includes information relating to patients’ medicines.
Patients may be put at risk if those who are providing their care do not have access to relevant, accurate and up-to-date information about them. Registered clinical professionals have both ethical and legal duties to protect patients’ personal information from inappropriate disclosure. The legal basis that allows us to do this is found in Article 6 (1) (e) of UK GDPR:
Article 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Psychiatry-UK/HLP Group have a team of appropriately trained prescribers who will be responsible for ensuring any medication you are prescribed is suitable for your needs with the appropriate dosage prescribed. To enable us to do this role effectively and in line with current guidelines, we will need to obtain some additional information from you, including blood pressure, pulse reading and weight.
There may also be a requirement for ECG results or blood test results that have been carried out by your GP to be shared with us. This information is required to ensure you are suitable for the proposed treatment. Only designated staff will have access to your information, and access will be granted on a case-by-case basis to ensure we have robust measures in place to limit the number of staff who will have access to your personal and special category data. The legal basis that allows us to do this is found in Article 6 (1) (e) of UK GDPR:
Article 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Article 9 (2) (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.
Psychiatry-UK/HLP Group is dedicated to ensuring that the principles and duties of safeguarding adults and children are consistent and ethically and morally applied with the wellbeing of all patients being at the heart of what we do.
Our legal basis for processing information for safeguarding purposes, as stipulated in the UK GDPR is:
Article 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
For the processing of special categories data, the basis is:
Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law’
Categories of personal information when handling safeguarding issues
The personal information collected by Psychiatry-UK/HLP Group staff in the event of a safeguarding situation, will be minimised to include only the personal information that is necessary in order to handle the situation in the most appropriate way. In addition to basic demographic and contact information, the Group will also share details of what the safeguarding concern is, which is likely to include special category information, such as health information, medication details if applicable and any additional information that has raised concern. The Group will either receive or collect information in the event that someone contacts the organisation with safeguarding concerns, or we believe there may be safeguarding concerns requiring us to make enquiries to relevant health and social care providers.
We may share information with other partner organisations, such as local authorities, the police or healthcare professionals, to ensure our duty of care as a healthcare provider is evidenced and to enable any investigations as required. Any such sharing will be carried out in the most appropriate way.
In order to deliver the best possible services to you, Psychiatry-UK/HLP Group will share data (where required) with other organisations, for example NHS bodies such as GP practices and hospitals. In addition, Psychiatry-UK/HLP Group will use carefully selected third-party service providers.
When we use a third-party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:
- Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services; data hosting service providers; systems which facilitate appointment bookings; document management services, translation services etc.
- Payment providers
Further details regarding specific third-party processors can be supplied on request to Psychiatry-UK/HLP Group.
Psychiatry-UK/HLP Group are committed to protecting your privacy and will only use information collected lawfully in accordance with relevant legislation, regulations, and directives, including:
- Data Protection Act 2018
- The UK General Data Protection Regulations (UK GDPR)
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- Health and Social Care Act 2012
- Records Management Code of Practice 2021
- Department of Health Publication “Information: To Share or Not to Share”
Every member of staff who works for Psychiatry-UK/HLP Group has a legal obligation to keep information about you confidential.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e., life or death situations), where the law requires information to be passed on and/or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (“Information to share or not to share”) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework advocated by the Caldicott Principles. (https://www.ukcgc.uk/manual/principles)
One of our main philosophies is to respect the privacy of our patients, their families, and our staff and to maintain compliance with the UK GDPR and all UK specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be protected.
All employees and sub-contractors engaged by Psychiatry-UK/HLP Group are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor for Psychiatry-UK/HLP Group an appropriate contract will be established for the processing of your personal information.
In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact us if you wish to withdraw your consent. In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.
Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes but only where we have the required lawful basis to do so.
All the personal information we hold is held electronically on our clinical system, a patient portal called MedQare, a system which is advocated and used by Psychiatry-UK/HLP Group and has robust security measures and assurances in place in relation to the way it handles personal confidential information.
Cloud Storage
The MedQare system is backed up to a cloud storage solution hosted by Amazon Web Services (AWS). All information backed up to the cloud storage solution will remain in the UK at all times and will be fully encrypted both in transit and at rest. Using a cloud storage solution will not change the control of access to your personal information and the hosted service provider will not have any access to the decryption keys. AWS is one of the world’s largest cloud companies, already supporting numerous clients (including the NHS), and it offers the very highest levels of security and support.
As stated in this Privacy Notice, we may have to share your information, subject to strict contracts and agreements, with any of the following organisations:
- NHS Trusts/Foundation Trusts
- GP Practices
- Integrated Care Partnerships (ICPs)
- Private Sector Providers
- Voluntary Sector Providers
- Ambulance Trusts
- Social Care Services
- Local Authorities
- Education Services
- Fire and Rescue Services
- Police & Judicial Services
- Other ‘data processors,’ which you will be informed of.
You will be informed who your data will be shared with and in some cases asked for consent for this to happen when this is required.
There are times when we may be required by law to share your information without your consent, for example:
- Where we have an overarching lawful basis that allows us to share, for example for your direct health care needs.
- Where there is a serious risk of harm or abuse to you or other people.
- Safeguarding matters and investigations.
- Where a serious crime, such as assault, is being investigated or where it could be prevented.
- Where a formal court order has been issued.
- Where there is a legal requirement, for example if you had committed a Road Traffic Offence.
Psychiatry-UK/HLP Group is committed to ensuring when required to share personal information we will endeavour to share only the minimal amount of information as is necessary for the given purpose.
When storing your personal information, we ensure, as required under UK Data Protection legislation, that we keep your information for the required timeframes and given the nature of the services we provide, we adhere to the NHS Records Management Code of Practice for Health and Social Care and national archives requirements.
More information on the relevant retention periods can be found in the NHS Records Management Code of Practice 2021.
If, following the end of the retention period, any documents need to be securely disposed of, Psychiatry-UK/HLP Group will ensure they undertake key responsibilities in relation to their secure disposal, including:
- Ensuring that information held in manual form is destroyed using a cross-cut shredder or contracted to a reputable confidential waste company that complies with European Standard EN15713 and obtain certificates of destruction.
- Ensuring that electronic storage media used to store, or process information are destroyed or overwritten to national standards.
As with all health and social care organisations, Psychiatry-UK/HLP Group are required to submit to the Data Security and Protection Toolkit (DSPT), an online assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 Data Security Standards.
All organisations that have access to NHS patient information and systems must use the DSPT to provide assurance that they are practising good data security and that personal information is handled correctly. Psychiatry-UK submitted the year submission for the 2021/22 DSPT in June 2022 and achieved a Standards Exceeded Status.
Should you have any concerns about how your personal information is managed, please contact Psychiatry-UK/HLP Group’s Data Protection Officer in the first instance:
Named Data Protection Officer: Mrs. Liz Griffiths
Post: Psychiatry-UK, Trewalder Chapel, Trewalder, Cornwall PL33 9ET
E-mail: dpo@psychiatry-uk.com
If you have a complaint about other aspects of your care, please contact the Patient Experience Team using the below details:
E-mail: experience@psychiatry-uk.com
You also have the right to lodge a complaint with the UK’s independent authority on data protection issues, the Information Commissioner’s Office using the contact details below, and quoting the ICO registration number of:
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 01625 545745
Website contact: https://ico.org.uk/