Patient Privacy Notice
This Privacy Notice sets out details of the information that Integrated Cardiology Solutions Ltd and the clinical staff responsible for your treatment may collect from you and how that information may be used. Please take your time to read this carefully.
This Privacy Notice:
- provides you with a detailed overview of how we will manage your data, from the point at which it is gathered and onwards.
- will give you all the details you need on how we use your information, and how we will comply with the law in doing so.
- sets out your rights in respect of your personal information, and how to exercise them. You can, for instance, seek access to your medical information, object to us using your information in particular ways and request rectification of any information which is inaccurate.
We are also open to improvement; if you have any feedback on this notice contact our Data Protection Officer with your thoughts.
In this Privacy Notice we use “we” or “us” or “our” or “ICS Ltd” to refer to Integrated Cardiology Service Ltd, who are the providers of The Community Cardiology Service, and the clinicians who provide your treatment.
ICS Ltd is a private limited company registered in England and Wales, company no. 9322006, Registered Office 2, Upperton Gardens, Eastbourne, BN21 2AH, and is the Data Controller using your personal information; we are registered with the Information Commissioner’s Office under registration reference: ZA222787.
The Data Protection Officer (“DPO”) helps ensure that ICS Ltd complies with data protection law. The DPO can be contacted by:
- Telephone: 07870 248102
- Email: EHSCCG.CommunityCardiologyService@nhs.net
- Post: Data Protection Officer, ICS Ltd, Herstmonceux Health Centre, Hailsham Road, Herstmonceux, East Sussex BN27 4JX.
The confidentiality of your medical information is important to ICS Ltd. We make every effort to prevent unauthorised access to and use of information relating to your current or former physical and mental health. In doing so, ICS Ltd complies with UK data protection law, including the Data Protection Act 2018, and all applicable medical confidentiality guidelines issued by professional bodies including, but not limited to, the General Medical Council and the Nursing and Midwifery Council.
The Community Cardiology Service investigates and recommends follow up care for patients with suspected heart conditions.
Many of the tests needed for diagnosing heart conditions can be carried out at a community clinic. This saves patients from having to go to hospital unless absolutely necessary.
The clinics are run by GPs who specialise in Cardiology, along with Technical Assistants and Cardiac Physiologists, some of whom are employed by a supplier of diagnostic tests.
The team is supported by Cardiology Consultants based at the hospital.
For ease of reference, we refer to them simply as ‘clinicians’ throughout this Privacy Notice. Those clinicians make decisions about what information is collected about you, and may maintain their own set of medical records (including diagnostic tests and reports) in relation to their consultations with you and diagnostic tests carried out. They are a Data Controller in respect of your personal information which they hold within those records, meaning that they must comply with the data protection legislation and relevant guidance when handling your personal information.
To the extent relevant to their practice, you can expect clinicians to handle your information in line with this Privacy Notice. This includes using your personal information as set out in more detail below.
Clinicians who work with ICS Ltd are expected to handle your personal data in accordance with the principles set out within this Privacy Notice. This means that whenever they use your personal data, they will only do so as set out in this Privacy Notice.
What personal information do we collect?
Community Cardiology Service-related Personal Information
As a patient of The Community Cardiology Service, the personal information we hold about you on our own systems and in paper format may include the following:
- Name, date of birth, gender and NHS number, and contact details such as postal address, email address and telephone number (including mobile number).
- Details of your GP and background referral details given to us by them.
- Appointment details at our Clinics including details of appointments you fail to keep.
- Undertakings made by you to us for the return of diagnostic equipment loaned to you.
- Details (numbers) of diagnostic tests carried out.
- Primary and detailed diagnoses.
This information is only shared with NHS England (specifically for the purposes of fulfilling our contract with the NHS to provide The Community Cardiology Service). It is first used by them only to verify that NHS numbers are correct against personal details, and is then anonymized (all data which may identify you removed) before further processing.
Detailed NHS-Medical Record Information
Detailed records of your consultations, diagnostic tests and results, and recommendations or referrals made by our Clinicians – including all copies of letters to you, your GP, hospital-consultants, or other NHS Providers or Community Services are recorded only on your NHS medical record. We use the NHS-accredited EMIS system for this purpose.
This information can only be accessed by health professionals and their staff directly involved in your care, or our administration staff but only to the extent that they need to in order to manage or record results, correspondence, or notes relating to your referral to The Community Cardiology Service.
Organisations that have access to NHS patient data must provide assurances that they are practising good information governance and use the Department of Health’s Information Governance Toolkit to evidence this. More details of this can be found here: https://www.igt.hscic.gov.uk/about.aspx
We may contact you to ask you to participate in surveys regarding your treatment with ICS Ltd. The surveys will be sent post-treatment by mail or given to you at a Clinic. This is not a form of marketing and the surveys do not try to sell you any products or services; it is solely to gather information relating to your experience of ICS Ltd, for the purposes of improving the quality and safety of the services we offer to future patients. These surveys ask about your age, occupation, gender and ethnicity, but not your name, date of birth or NHS number. It is necessary for us to process your personal data in order to contact you with these surveys, on the basis of our appropriate business needs and to improve the quality of the healthcare services we offer. Participation in the surveys is entirely voluntary; you may decide not to complete the survey at all or complete only part of it.
These surveys are not a form of marketing. They are called Patient Reported Outcome Measures (“PROMs”). The results are shared with NHS England.
Who do we share your information with?
We may disclose your information to the third parties listed below for the purposes described in this Privacy Notice. This might include:
- A doctor, nurse, carer or any other healthcare professional involved in your treatment.
- Other members of support staff involved in the delivery of your care, like receptionists and technicians.
- Anyone that you ask us to communicate with or provide as an emergency contact, for example your next of kin or carer.
- NHS organisations, including NHS Resolution, NHS England, Department of Health.
- Your GP.
- Your dentist.
- Your clinician.
- Our insurers, or our clinician’s insurers.
- Our regulators, the Care Quality Commission.
- The police and other third parties where reasonably necessary for the prevention or detection of crime.
How long do we keep personal information for?
We will only keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice and in order to comply with our legal and regulatory obligations.
If you would like further information regarding the periods for which your personal information will be stored, please contact our DPO for further details.
International data transfers
We (or third parties acting on our behalf) may store or process information that we collect about you in countries outside the European Economic Area (“EEA”). Where we make a transfer of your personal information outside of the EEA we will take the required steps to ensure that your personal information is protected.
- To the extent that it is necessary to do so, ICS Ltd may transfer your personal data outside of the EEA to the United States to the following specific types of third party:
- Suppliers of medical devices e.g. heart monitoring equipment
We will only do so to the extent that it is relevant and necessary. The United States and the EEA have in place a framework, known as Privacy Shield, to facilitate compliance with data protection obligations when transferring personal data. Privacy Shield has been assessed by the EU Commission, and deemed to provide adequate protection to personal data.
Under data protection law you have certain rights in relation to the personal information that we hold about you. These include rights to know what information we hold about you and how it is used. You may exercise these rights at any time by contacting us using the details set out above at the top of the page.
There will not usually be a charge for handling a request to exercise your rights.
If we cannot comply with your request to exercise your rights we will usually tell you why.
There are some special rules about how these rights apply to health information as set out in legislation including the Data Protection Act (current and future), the General Data Protection Regulation as well as any secondary legislation which regulates the use of personal information.
If you make a large number of requests or it is clear that it is not reasonable for us to comply with a request then we do not have to respond. Alternatively, we can charge for responding.
Your rights include:
The right to access your personal information
You are usually entitled to a copy of the personal information we hold about you and details about how we use it.
Your information will usually be provided to you in writing, unless otherwise requested. If you have made the request electronically (e.g. by email) the information will be provided to you by electronic means where possible.
You are entitled to the following under data protection law.
Under Article 15(1) of the GDPR we must usually confirm whether we have personal information about you. If we do hold personal information about you we usually need to explain to you:
- The purposes for which we use your personal information
- The types of personal information we hold about you
- Who your personal information has been or will be shared with, including in particular organisations based outside the EEA.
- If your personal information leaves the EU, how we make sure that it is protected
- Where possible, the length of time we expect to hold your personal information. If that is not possible, the criteria we use to determine how long we hold your information for
- If the personal data we hold about you was not provided by you, details of the source of the information
- Whether we make any decisions about you solely by computer and, if so, details of how those decisions are made and the impact they may have on you
- Your right to ask us to amend or delete your personal information
- Your right to ask us to restrict how your personal information is used or to object to our use of your personal information
- Your right to complain to the Information Commissioner’s Office
We also need to provide you with a copy of your personal data.
The right to rectification
We take reasonable steps to ensure that the information we hold about you is accurate and complete. However, if you do not believe this is the case, you can ask us to update or amend it.
The right to erasure (also known as the right to be forgotten)
We may update this Privacy Notice from time to time to ensure that it remains accurate, and the most up-to-date version can always be found at https://www.ICS Ltdhealthcare.com/legal/privacy-policy/. In the event that there are any material changes to the manner in which your personal information is to be used then we will provide you with an updated copy of this Privacy Notice.
In some circumstances, you have the right to request that we delete the personal information we hold about you. However, there are exceptions to this right and in certain circumstances we can refuse to delete the information in question. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercising or defending legal claims.
The right to restriction of processing
In some circumstances, we must “pause” our use of your personal data if you ask us to. We do not have to comply with all requests to restrict our use of your personal information. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercising or defending legal claims.
The right to data portability
In some circumstances, we must transfer personal information that you have provided to us to you or (if this is technically feasible) another individual/organisation of your choice. The information must be transferred in an electronic format.
The right to object to marketing
You can ask us to stop sending you marketing messages at any time and we must comply with your request. You can do this by contacting the DPO.
The right not to be subject to automatic decisions (i.e. decisions that are made about you by computer alone)
You have a right to not be subject to automatic decisions (i.e. decisions that are made about you by computer alone) that have a legal or other significant effect on you.
Please see the section entitled “What marketing activities do we carry out?” for detail about when we may make automatic decisions about you.
If you have been subject to an automated decision and do not agree with the outcome, you can challenge the decision. More about this is explained in the section entitled “What marketing activities do we carry out?”.
The right to withdraw consent
In some cases we need your consent in order for our use of your personal information to comply with data protection legislation.
We have explained in the section entitled “What are the purposes for which your information is used?” where we rely on your consent in this way. Where we do this, you have the right to withdraw your consent to further use of your personal information. You can do this by contacting ICS Ltd’s DPO, whose details are at the top of the page.
The right to complain to the Information Commissioner’s Office
You can complain to the Information Commissioner’s Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations.
More information can be found on the Information Commissioner’s Office website: https://ico.org.uk/
Making a complaint will not affect any other legal rights or remedies that you have.
National Data Opt-Out Programme
NHS Digital is currently developing a national programme which will go live on 25 May 2018, pursuant to which all patients will be able to log their preferences as to sharing of their personal information. All health and care organisations will be required to uphold patient choices, but only from March 2020. In the meantime you should make ICS Ltd aware directly of any uses of your data to which you object.
You will find details of our legal grounds for each of our processing purposes below. We have set out individually those purposes for which we will use your personal information, and under each one we set out the legal justifications, or grounds, which allow us to do so. You will note that we have set out a legal ground, as well as an ‘additional’ legal ground for special categories of personal information. This is because we have to demonstrate additional legal grounds where we are using information which relates to a person’s healthcare, as we will be on the majority of the occasions on which we use your personal information.
We keep the records we have detailed in this privacy notice for the following purposes and on the following legal grounds:
Purpose 1: To provide you with healthcare and related services
- Providing you with healthcare and related services
Fulfilling our contract with you for the delivery of healthcare
Additional legal grounds for special categories of personal information:
- We need to use the data in order to provide healthcare services to you
Purpose 7: Complying with our legal or regulatory obligations, managing our business operations, and defending or exercising our legal rights
- The use is necessary in order for us to comply with our legal obligations
Additional legal ground for special categories of personal information:
- We need to use the data in order for others to provide informed healthcare services to you
- The use is necessary for reasons of the provision of health or social care or treatment or the management of health or social care systems
- The use is necessary for establishing, exercising or defending legal claims