GDPR and Privacy Notice

24^th May 2018

Plymouth Shoulder and Elbow is a subsidiary of Brinsden Surgical Services Ltd and Guyver Orthopaedic Services Ltd.  This statement sets out how we handle your personal data, the lawful basis by which we process your data and the details of our data protection officer.

What personal data do we collect?

We collect and store the data that you provide when engaging our clinical services. The personal data includes your name, contact details and any third parties e.g. health insurance provider; the special category data includes general practitioner, health records and personal health status .

How we use your personal data?

We process your data to provide:

• Healthcare services

We also use your data:

• To communicate with appropriate third parties e.g. healthcare providers. 
• To ensure that the information we hold is accurate and up to date. 
• To notify you about changes to our services.

How long do we keep your personal data?

We will keep your data for the period mandated by the Code of Practice for Health and Social Care 2016.

https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016

With whom do we share your personal data?

We may share your data within Plymouth Shoulder and Elbow and with any third parties involved in your healthcare pathway.  We will also disclose or share your data if we are required to do so in order to comply with any legal obligations or for the purposes of fraud prevention.

The lawful basis for processing your data.

The lawful bases for Plymouth Shoulder and Elbow to process your personal data under Article 6 of GDPR are:

• Contract – to fulfil our role in the doctor/patient relationship.
• Legal Obligation – to fulfil the duties of a doctor registered with the General Medical Council (https://www.gmc-uk.org/ethical-guidance/ethical-guidance-for-doctors/good-medical-practice/duties-of-a-doctor).
• Vital Interests – where personal data is relied upon to protect life. 
• Public Task – the provision of healthcare services.

The lawful basis for Plymouth Shoulder and Elbow to process your special category data (Health) under Article 9 of GDPR is:

• Necessity - processing is necessary for the purposes of medical diagnosis and the provision of health or social care.

How we will contact you.

We will communicate with you via email, telephone, post and on occasion SMS.  You may update your contact details at any time.

Processing data outside of the European Economic Area.

In some cases, we may process your data outside the European Economic Area (EEA) where countries may not have laws which protect your data to the same extent as in EEA. We are obliged to ensure that your data is processed securely and is protected against unauthorised access, loss or destruction, unlawful processing and any processing which is inconsistent with the purposes set out in this privacy notice.

Currently, we use Microsoft Office 365 e-mail protected by Azure Information Protection encryption software and store data on Dropbox using security standards underwritten by Privacy Shield certification.  This complies with NHS Digital and NHS England guidance for the use of public cloud services (https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/nhs-and-social-care-data-off-shoring-and-the-use-of-public-cloud-services). 

We will update this privacy notice from time to time to reflect any changes to our ways of working. Please contact our data protection officer if you would like more information about the safeguards we have in place.

Your rights

By law you have a number of rights when it comes to your personal data.

• The right to be informed - you have the right to be provided with clear, transparent and easily understandable information about how we use your data and your rights.
• The right of access - you have the right to obtain access to your data that we are processing and certain other information.
• The right to rectification - you are entitled to have your data corrected if it is inaccurate or incomplete.Please inform us of any data which you would like rectified and we will usually respond within a month of the request. We will pass on the changes to any third parties who need to change their records and let you know this has been done.
• The right to erasure - this is also known as ‘the right to be forgotten’ and enables you to request the deletion or removal of your data where there’s no compelling reason for us to keep using it. This is not a general right to erasure; there are exceptions but where possible we will comply with your request.
• The right to restrict processing - you have rights to ‘block’ or suppress further use of your data. When processing is restricted, we can still store your  data, but may not use it further. We keep lists of people who have asked for further use of their data to be ‘blocked’ to make sure the restriction is respected in future.
• The right to data portability - you have rights to obtain and reuse your data for your own purposes across different services. We will do our best to provide the information in an easy to read format.
• The right to object to processing - you have the right to ask us to stop processing your data however this may prevent us from fulfilling our contract with you.
• The right to lodge a complaint - you have the right to lodge a complaint about the way we handle or process your pdata with a supervisory authority. The supervisory authority for the UK is the Information Commissioner.

Changes to our privacy notice

Any changes we may make to our privacy notice in the future will be posted on our website and, where appropriate, we will notify you by email.

Subject access requests

We are legally required to act upon requests and provide information free of charge with the exception of requests that are manifestly unfounded, excessive or repetitive.  If we determine this to be the case we may charge a reasonable fee or refuse to act on the request.  We will acknowledge your request and provide the information within 30 days of receiving the request.  Please send your request to our data protection officer at the email address below with “Access Request” in the subject line.

Our data protection officer contact details

Our data protection officer is Mr Paul Guyver. If you have any queries, questions or concerns about your data; how we are handling it; wish to ask us not to process your data; or wish to ask us to erase your data, please contact paulguyver@plymouthshoulderandelbow.co.uk.