Patient Privacy Notice
This Privacy Notice sets out details of the information that Integrated Cardiology Solutions and the clinical staff responsible for your treatment may collect from you and how that information may be used. Please take your time to read this carefully.
This Privacy Notice:
- provides you with a detailed overview of how we will manage your data, from the point at which it is gathered and onwards.
- will give you all the details you need on how we use your information, and how we will comply with the law in doing so.
- sets out your rights in respect of your personal information, and how to exercise them. You can, for instance, seek access to your medical information, object to us using your information in particular ways and request rectification of any information which is inaccurate.
We are also open to improvement; if you have any feedback on this notice contact our Data Protection Officer with your thoughts.
We may update this Privacy Notice from time to time to ensure that it remains accurate, and the most up-to-date version can always be found on our website.
In this Privacy Notice we use “we” or “us” or “our” to refer to Integrated Cardiology Solutions Ltd, the provider of The Community Cardiology Service, and the clinicians who provide your treatment.
Integrated Cardiology Solutions is a private limited company registered in England and Wales, company no. 9322006, Registered Office 2, Upperton Gardens, Eastbourne, BN21 2AH, and is the Data Controller using your personal information; we are registered with the Information Commissioner’s Office under registration reference: ZA222787.
The Data Protection Officer (“DPO”) helps ensure that Integrated Cardiology Solutions complies with data protection law. The DPO can be contacted by:
- Telephone: 0333 332 6946
- Email: ESXCCG.CommunityCardiologyService@nhs.net
- Post: Data Protection Officer, Integrated Cardiology Solutions, Herstmonceux Health Centre, Hailsham Road, Herstmonceux, East Sussex BN27 4JX.
The confidentiality of your medical information is important to Integrated Cardiology Solutions. We make every effort to prevent unauthorised access to and use of information relating to your current or former physical and mental health. In doing so, Integrated Cardiology Solutions complies with UK data protection law, including the Data Protection Act 2018, and all applicable medical confidentiality guidelines issued by professional bodies including, but not limited to, the General Medical Council and the Nursing and Midwifery Council.
Your personal data and clinical staff
The Community Cardiology Service investigates and recommends follow-up care for patients with suspected heart conditions.
Many of the tests needed for diagnosing heart conditions can be carried out at a community clinic. This saves patients from having to go to hospital unless absolutely necessary.
The clinics are run by GPs who specialise in Cardiology, along with Cardiographers and Cardiac Physiologists, some of whom are employed by another healthcare organisation.
The team is supported by Cardiology Consultants based at the hospital.
For ease of reference, we refer to them simply as ‘clinicians’ throughout this Privacy Notice. Those clinicians make decisions about what information is collected about you, and may maintain their own set of medical records (including diagnostic tests and reports) in relation to their consultations with you and diagnostic tests carried out. They are a Data Controller in respect of your personal information which they hold within those records, meaning that they must comply with the data protection legislation and relevant guidance when handling your personal information.
To the extent relevant to their practice, you can expect clinicians to handle your information in line with this Privacy Notice. This includes using your personal information as set out in more detail below.
Clinicians who work with Integrated Cardiology Solutions are expected to handle your personal data in accordance with the principles set out within this Privacy Notice. This means that whenever they use your personal data, they will only do so as set out in this Privacy Notice.
What personal information do we collect?
Community Cardiology Service-related Personal Information
As a patient of The Community Cardiology Service, the personal information we hold about you on our own systems and in paper format may include the following:
- Name, date of birth, gender, and NHS number, contact details, such as postal address, email address and telephone number (including mobile number).
- Details of your GP and background referral details given to us by them.
- Appointment details at our clinics including details of appointments you fail to keep.
- Undertakings made by you to us for the return of diagnostic equipment loaned to you.
- Details (numbers) of diagnostic tests carried out.
- Primary and detailed diagnoses.
This information is only shared with NHS England (specifically the for the purposes of fulfilling our contract with the NHS to provide The Community Cardiology Service) and is first used by them only to verify NHS numbers are correct against personal details, before being anonymized (all data which may identify you removed) before further processing.
Detailed NHS-Medical Record Information
Detailed records of your consultations, diagnostic tests and results, and recommendations or referrals made by our Clinicians – including all copies of letters to you, your GP, hospital-consultants, or other NHS Providers or Community Services are recorded only on your NHS medical record. We use the NHS-accredited EMIS system for this purpose.
This information can only be accessed by health professionals and their staff directly involved in your care, or our administration staff but only to the extent that they need to in order to manage or record results, correspondence, or notes relating to your referral to The Community Cardiology Service.
Organisations that have access to NHS patient data must provide assurances that they are practising good information governance and use the Department of Health’s Information Governance Toolkit to evidence this. More details of this can be found at dsptoolkit.nhs.uk
We may contact you to ask you to participate in surveys regarding your treatment with Integrated Cardiology Solutions. The surveys will be sent post-treatment by mail or given to you at a Clinic. This is not a form of marketing and the surveys do not try to sell you any products or services; it is solely to gather information relating to your experience of Integrated Cardiology Solutions, for the purposes of improving the quality and safety of the services we offer to future patients. These surveys ask about your age, occupation, gender and ethnicity, but not your name, date of birth or NHS number. It is necessary for us to process your personal data in order to contact you with these surveys, on the basis of our appropriate business needs and to improve the quality of the healthcare services we offer. Participation in the surveys is entirely voluntary; you may decide not to complete the survey at all or complete only part of it.
These surveys are not a form of marketing. They are called Patient Reported Outcome Measures (“PROMs”). The results are shared with NHS England.
Who do we share your information with?
We may disclose your information to the third parties listed below for the purposes described in this Privacy Notice. This might include:
- A doctor, nurse, carer or any other healthcare professional involved in your treatment.
- Other members of support staff involved in the delivery of your care, like receptionists and technicians.
- Anyone that you ask us to communicate with or provide as an emergency contact, for example your next of kin or carer.
- NHS organisations, including NHS Resolution, NHS England, Department of Health.
- Your GP.
- Your dentist.
- Your clinician.
- Our insurers, or our clinician’s insurers.
- Our regulators, the Care Quality Commission.
- The police and other third parties where reasonably necessary for the prevention or detection of crime.
How long do we keep personal information for?
We will only keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice and in order to comply with our legal and regulatory obligations.
If you would like further information regarding the periods for which your personal information will be stored, please contact our DPO for further details.
International data transfers
We do not store or process information that we collect about you outside of the UK.
Under data protection law you have certain rights in relation to the personal information that we hold about you. These include rights to know what information we hold about you and how it is used. You may exercise these rights at any time by contacting us using the details set out above at the top of the page.
There will not usually be a charge for handling a request to exercise your rights.
If we cannot comply with your request to exercise your rights we will usually tell you why.
There are some special rules about how these rights apply to health information as set out in legislation including the Data Protection Act (current and future), the General Data Protection Regulation as well as any secondary legislation which regulates the use of personal information.
If you make a large number of requests or it is clear that it is not reasonable for us to comply with a request then we do not have to respond. Alternatively, we can charge for responding.
Your rights include:
The right to access your personal information
You are usually entitled to a copy of the personal information we hold about you and details about how we use it.
Your information will usually be provided to you in writing, unless otherwise requested. If you have made the request electronically (e.g. by email) the information will be provided to you by electronic means where possible.
You are entitled to the following under data protection law.
Under Article 15(1) of the GDPR we must usually confirm whether we have personal information about you. If we do hold personal information about you we usually need to explain to you:
- The purposes for which we use your personal information
- The types of personal information we hold about you
- Who your personal information has been or will be shared with
- If your personal information leaves the EU, how we make sure that it is protected
- Where possible, the length of time we expect to hold your personal information. If that is not possible, the criteria we use to determine how long we hold your information for
- If the personal data we hold about you was not provided by you, details of the source of the information
- Whether we make any decisions about you solely by computer and, if so, details of how those decisions are made and the impact they may have on you
- Your right to ask us to amend or delete your personal information
- Your right to ask us to restrict how your personal information is used or to object to our use of your personal information
- Your right to complain to the Information Commissioner’s Office
We also need to provide you with a copy of your personal data.
The right to rectification and the right to erasure
We take reasonable steps to ensure that the information we hold about you is accurate and complete. If you do not believe this is the case, you can ask us to update, amend or erase it.
However, these rights are not automatic and in certain circumstances we can refuse to amend or delete the information in question. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercising or defending legal claims.
The right to restriction of processing
In some circumstances, we must “pause” our use of your personal data if you ask us to. We do not have to comply with all requests to restrict our use of your personal information. In particular, for example, we do not have to comply with your request if it is necessary to keep your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercising or defending legal claims.
The right to data portability
In some circumstances, we must transfer personal information that you have provided to us to you or, if this is technically feasible, to another individual or organisation of your choice. The information must be transferred in an electronic format.
The right to object to marketing
Integrated Cardiology Solutions does not currently send out marketing information. However, if this situation were to change, you can ask us to stop sending you marketing messages at any time and we must comply with your request. You can do this by contacting the DPO via the channels listed at the beginning of this document.
The right to not be subject to automatic decisions
Integrated Cardiology Solutions does not make automatic decisions (that is, decisions made by computers without any human input or moderation) that have a legal or other significant effect on you.
The right to complain to the Information Commissioner’s Office
You can complain to the Information Commissioner’s Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations.
More information can be found on the Information Commissioner’s Office website: ico.org.uk
Making a complaint will not affect any other legal rights or remedies that you have.
You will find details of our legal grounds for each of our processing purposes below. We have set out individually those purposes for which we will use your personal information, and under each one we set out the legal justifications, or grounds, which allow us to do so. You will note that we have set out a legal ground, as well as an ‘additional’ legal ground for special categories of personal information. This is because we have to demonstrate additional legal grounds where we are using information which relates to a person’s healthcare, as we will be on the majority of occasions when we use your personal information.
We keep the records we have detailed in this privacy notice for the following purposes and on the following legal grounds:
Purpose 1: To provide you with healthcare and related services
- Providing you with healthcare and related services
- Fulfilling our contract with you for the delivery of healthcare
Additional legal grounds for special categories of personal information:
- We need to use the data in order to provide healthcare services to you
Purpose 2: Complying with our legal or regulatory obligations, managing our business operations, and defending or exercising our legal rights
- The use is necessary in order for us to comply with our legal obligations
Additional legal ground for special categories of personal information:
- We need to use the data in order for others to provide informed healthcare services to you
- The use is necessary for reasons of the provision of health or social care or treatment or the management of health or social care systems
- The use is necessary for establishing, exercising or defending legal claims
National Data Opt-Out Programme
The national data opt-out programme gives everyone in England a choice about whether their confidential patient information is used beyond their individual care. Individuals’ patient information helps improve healthcare and helps the NHS to plan services to ensure that the population’s needs are met.
Examples of ways your data could be used other than for providing direct care are:
- For planning new or improved health services in your area
- For research into new treatments
- For improving health education
If you don’t want your confidential patient information to be shared for anything other than your individual care, such as the examples above, then you can set your preferences via the National Data Opt-Out Programme: https://www.nhs.uk/your-nhs-data-matters/. There is also a helpline if you would prefer to do this by phone: 0300 303 5678.
You will need your NHS number (this is a 10-digit number that you should be able to find on any document sent to you by the NHS; for example, a hospital referral letter or prescription) and an email address or phone number registered with an NHS service.
NB: If you opt out, your patient data will still be shared in order to provide direct care and you can also give your consent for it to be used for a specific purpose. But it will no longer be used for improving health and care services through research and planning.