GDPR and Privacy Notice
24th May 2018
Plymouth Shoulder and Elbow is a subsidiary of Brinsden Surgical Services Ltd and Guyver Orthopaedic Services Ltd. This statement sets out how we handle your personal data, the lawful basis by which we process your data and the details of our data protection officer.
What personal data do we collect?
We collect and store the data that you provide when engaging our clinical services. The personal data includes your name, contact details and any third parties (e.g. health insurance provider); the special category data includes your general practitioner, health records and personal health status.
How do we use your personal data?
We process your data to provide:
We also use your data:
How long do we keep your personal data?
We will keep your data for the period mandated by the Code of Practice for Health and Social Care 2016.
With whom do we share your personal data?
We may share your data within Plymouth Shoulder and Elbow and with any third parties involved in your healthcare pathway. We will also disclose or share your data if we are required to do so in order to comply with any legal obligations or for the purposes of fraud prevention.
The lawful basis for processing your data.
The lawful bases for Plymouth Shoulder and Elbow to process your personal data under Article 6 of GDPR are:
The lawful basis for Plymouth Shoulder and Elbow to process your special category data (Health) under Article 9 of GDPR is:
How we will contact you.
We will communicate with you via email, telephone, post and on occasion SMS. You may update your contact details at any time.
Processing data outside of the European Economic Area.
In some cases, we may process your data outside the European Economic Area (EEA), where countries may not have laws which protect your data to the same extent as in the EEA. We are obliged to ensure that your data is processed securely and is protected against unauthorised access, loss or destruction, unlawful processing and any processing which is inconsistent with the purposes set out in this privacy notice.
Currently, we use Microsoft Office 365 e-mail protected by Azure Information Protection encryption software and store data on Dropbox using security standards underwritten by Privacy Shield certification. This complies with NHS Digital and NHS England guidance for the use of public cloud services (https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/nhs-and-social-care-data-off-shoring-and-the-use-of-public-cloud-services).
We will update this privacy notice from time to time to reflect any changes to our ways of working. Please contact our data protection officer if you would like more information about the safeguards we have in place.
By law you have a number of rights when it comes to your personal data.
Changes to our privacy notice
Any changes we may make to our privacy notice in the future will be posted on our website and, where appropriate, we will notify you by email.
Subject access requests
We are legally required to act upon requests and provide information free of charge with the exception of requests that are manifestly unfounded, excessive or repetitive. If we determine this to be the case we may charge a reasonable fee or refuse to act on the request. We will acknowledge your request and provide the information within 30 days of receiving the request. Please send your request to our data protection officer at the email address below with “Access Request” in the subject line.
Our data protection officer contact details
Our data protection officer is Paula German. If you have any queries, questions or concerns about your data or how we are handling it, or wish to ask us not to process your data or to erase your data, please contact firstname.lastname@example.org.