Privacy notice to our patients, users, suppliers, staff and any other individuals whom we have access to their personal data:
Privacy notice policy is to provide information about how the Centre will use or process personal data about individuals. Data Protection Law gives individuals rights to understand how their data is used.
CQC Registered manager and ultimately named individual are responsible for overall management of data
In order to carry out our duties towards our patients and individuals we need to process a wide range of personal data including medical records (past and current data) as part of our daily operation routine
We have a duty of care and have legal obligations towards all patients and visitors at the Centre. We share or refer patents personal data with Local Authority Designated Officer (LADO) or police if we believe it is necessary to report any concerns with regards to safeguarding.
We will not transfer your personal data with external organisations such as hospitals, GP, independent doctors without your written consent and request
We don’t discard, delete or remove your personal data without your consent
In accordance with Data Protection Law, some of the Centre’s processing activities are carried out on its behalf by third parties, such as IT systems, web developers or cloud storage providers. Wherever possible, this is subject to contractual assurances that personal data will be kept securely and only in accordance with Centre’s specific directions.
Legitimate interests are the most flexible lawful basis for processing, but we should not assume it will always be the most appropriate.
It is likely to be most appropriate where we use patients’ data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
If we choose to rely on legitimate interests, we are taking on extra responsibility for considering and protecting people’s rights and interests.
There are three elements to the legitimate interest’s basis. It helps to think of this as a three-part test. We need to:
identify a legitimate interest;
show that the processing is necessary to achieve it; and Balance it against the individual’s interests, rights and freedoms.
The legitimate interests can be our own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
The processing must be necessary. If we can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.
We must balance our interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
We should keep a record of our legitimate interests assessment (LIA) to help us demonstrate compliance if required.
We must include details of our legitimate interests in our privacy information.
As a healthcare provider we are obliged to hold medical records for 8 years and ultrasound images and reports for 25 years
Individuals have various rights under Data Protection Law to access and understand personal data about them held by the Centre and in some cases ask for it to be deleted or amended or have transferred to other or for the Centre to stop processing it, however this is subject to certain exemptions and limitations.
We are obliged to respond to your written request within 30 days if we were not able to provide the information and/or amendment should send you our written justification and notify you in writing.
Rules on subject access (SAR) are not the sole basis on which information requesters are handled and processed. Parents or guardians may not have statutory right to information, but they and other will often have a legitimate interest or expectation in receiving certain information about the child(ren) without their consent. The Centre may consider lawful grounds for sharing with or without reference to the child or legal guardian.
By law we are required to receive consent from individual as a mean to process personal data, any person may withdraw this consent at any time. However we keep the right to process your personal data based on lawful reason without your consent.
The Centre will endeavour to ensure that all personal data held in relation to an individual is as up to date and accurate as possible.
Individuals should notify the Centre of any significant changes to their personal information such as contact details
We will require written request from any person with regards to transferring data to another country outside the EU
Centre will not be able to take responsibility for any breach of data protection outside the EEA