Privacy notice
Use of your personal information
Dorking Healthcare Limited (DHC) is registered with the Information Commissioner’s
Office as a Data Controller, and our registration number can be found by searching
the ICO Register using this Link.
We aim to provide you with the highest quality health care. To do this, we must keep
records about you, your health and the care we have provided or plan to provide to
you. This Privacy Notice sets out how we will use your information.
The information which we collect about you
We will collect information which identifies you and information pertaining to your
physical, mental health or condition, including your;
• Name, date of birth, contact information
• Emergency contact details including next of kin
• Gender, nationality, race and/or ethnicity and religion
• Sex life and orsexual orientation
• Background referral details, diagnoses and appointments
• Referrals to other specialists and healthcare providers
• Tests carried out here and in other places
• Investigations and scans
• Allergies, medication, treatments and outcomes
• Previousillnesses and current health including details of any diagnoses,
consultations and investigations
• Notes made during consultations
• Correspondence between health professionals such as referrals and discharge
letters
• Results of tests and their interpretation
• Videotapes, audiotapes and photographs
• Reports written for third parties such as solicitors and insurance companies
We will collect information directly from you, for example, if you are referred to one
of ourservices and attend any appointments. We also receive information about you
from other organisations who are involved in providing you with health and social
care services.
Purposes for which your information will be used
Consent
All health and social care providers have a legal ‘duty to share’ under the Health and
Social Care (Safety and Quality) Act 2015. This requires health and adult social care
bodies to share information with others where this will facilitate care for an
individual. It makes it clear that, unless you object, information can be lawfully
shared for purposes likely to facilitate the provision of health services or adult social
care and are in an individual’s best interests.
DHC routinely shares confidential personal data with other health and social care
providers when they are involved in your care or treatment. We will also share
information with your GP. Sharing information in this way is considered to facilitate
care for individuals, and we rely on implied consent.
We will ask for your explicit consent before we use information which identifies you
for purposes that do not directly contribute to, or support the delivery of your care.
We will respect your decisions to restrict disclosure or use of information, unless in the
case of exceptional circumstances (see Objecting to Sharing section below)
Direct Care
All health care professionals who provide you with medical care will maintain a
record of your health and any treatment provided. We use relevant information
about you, including information about your health, to support the delivery of your
care and treatment.
Some components of direct care may be delivered by non-registered and non?regulated health and social care staff, for example a ‘system administrator’ scanning
a report onto our electronic record keeping system.
If you provide us with your mobile phone number, with your consent, we will use your
mobile phone number to send you text messages in relation to appointment
reminders & information about direct patient care. Please let a member of staff
know if you do not wish to receive text messages.
Where you have provided us with your email address, with your consent, we will use
this to send you information relating to your health and the services we provide. If
you do not wish to receive communications by email, please let us know.
If you are seen by a healthcare professional as part of the Extended Access Service,
we will share relevant information relating to your Extended Access appointment
with your GP.
In certain circumstances, we may be able to offer you a video consultation. We will
always obtain your permission before using remote consultation.
To reduce the chances ofspreading infectious diseases and reduce pressure on our
services at busy times, we may carry out consultations with you over the phone or
through video consultation, unlessthere is a clinical need for you to come in. This will
help minimise risk while continuing to ensure people get the care and advice they
need.
If you require a referral, for example to a specialist orto secondary care, we willshare
relevant information about you with these organisations. We can do this
electronically through our IT systems, secure email or by post.
There may be situations where the clinician treating you believes that your clinical
circumstances are exceptional and that you may receive benefit from a treatment or
service that isn’t routinely offered by the NHS. The clinician may, therefore, make an
Individual Funding Request to NHS England.
https://www.england.nhs.uk/contact-us/privacy-notice/how-we-use-your?information/our-services/individual-requests-for-funding/
We undertake risk stratification for preventative care purposes. This process enables
the identification and subsequent management of patients who have or may be at?risk of health conditions (such as diabetes) or who are most likely to need healthcare
services (such as people with frailty). Risk stratification tools used in the NHS help
determine a person’srisk ofsuffering a particular condition and enable usto focus on
preventing ill health before it develops. Information about you is collected from a
number ofsources including NHS Trusts, GP Federations and your GP Practice. A risk
score is then arrived at through an analysis of your de-identified information. This
can help us identify and offer you additional services to improve your health. If you
do not wish information about you to be included in any risk stratification
programmes, please let us know. We can add a code to your records that will stop
your information from being used for this purpose. Please be aware that this may
limit the ability of healthcare professionals to identify if you have or are at risk of
developing certain serious health conditions.
Vital Interests
There may be situations in which you are unable to provide your consent, for
example, you become seriously unwell, require emergency treatment or have an
accident requiring emergency treatment. In these situations, if you are unable to
give your consent, then we may use or share your information in order to protect your
vital interests.
Where appropriate, we will share information about your health needs with the
Ambulance Service and 111 Service. Information will only be shared with your consent
or where sharing information is considered to be in your best interests. The
information will be used to ensure clinicians have accessto the required information
to help make the best decision about your care needs as a result of a call to 999 or
111.
Recording Consultations
With your explicit consent, our Talking Therapies service may record consultations
which you have with our therapists or clinicians. This may be to support your care or
treatment or for supervision, quality assurance and development purposes.
All recordings will be held securely and will be securely destroyed when they are no
longer needed. We will always seek your permission before recording consultations
and your decision will not impact your individual care or treatment.
Complaints, Data Subject Rights Requests and othersimilarrequests
If you wish to exercise your rights under data protection law, we will process the
information to be able to consider the request and provide an appropriate response.
If you have instructed an individual or organisation to act on your behalf, we will
respond to them, providing we have your explicit consent.
In the unlikely event that DHC is subject to legal action or a complaint, we will need
to access relevant information in order to investigate and respond. We may also
need to share information with ourinsurance company and solicitorsto manage and
defend any claims.
Our lawful basis for processing your personal data for these purposes are;
• the processing is necessary to perform a task in the public interest or for
official function
• The processing is necessary for compliance with a legal obligation
• The processing is necessary for the establishment, exercise or defense of legal
claims
• The processing is necessary reasons ofsubstantial public interest
• The processing is necessary for the purposes of preventive or occupational
medicine, medical diagnosis, the provision of health or social care or
treatment orthe management of health orsocial care systems and services
Recipients of your information
Other healthcare organisations
We share information about your health with other organisations who are involved in
providing you with health and social care. For example, if you require further
investigation, treatment or surgery, we will send a referral to the relevant
organisation that can support your needs.
The data will be shared with healthcare professionals and support staff in this
organisation and at other hospitals, diagnostic and treatment centres who
contribute to your personal care. Acute trustsinclude but are not exclusive to: Surrey
and Sussex Healthcare NHS Trust, Epsom and St Helier Healthcare NHS Trust, St
George’s Hospital, Queen Victoria Hospital. Sub-contractors include but are not
exclusive to: Ramsay Healthcare Ashtead Hospital, Ramsay Healthcare North Downs
Hospital, Alliance Medical UK, Epsomedical Cobham Day Surgery, Global Diagnostics,
Spire Gatwick Park Hospital, Spire St. Anthony’s Hospital, Medical Imaging
Partnership, Wimbledon Neurocare and BMI Mount Alvernia Hospital. If you are
referred to any of these organisations, they will hold their own record of the care and
treatment which they provide to you.
Where required, we can arrange interpretation and translation services to ensure we
meet your language and communication requirements. We use a third party to
provide this service who are subject to contractual obligations of security and
confidentiality.
The Summary Care Record (SCR) is an electronic record which contains information
about the medicines you take, allergies you suffer from and any reactions to
medicines you have had. It is held on a national database by NHS England. The SCR
may be shared with other healthcare professionals and organisations involved with
your care. These professionals and organisations may also be able to update the
record in order to ensure you are provided with the best possible care.
Our lawful basis for processing your personal data for these purposes are;
• the processing is necessary for you to perform a task in the public interest or
for official function
• The processing is necessary for the purposes of preventive or occupational
medicine, medical diagnosis, the provision of health or social care or
treatment orthe management of health orsocial care systems and services
Sharing partners
We use SystmOne as the clinical records system for Outpatients. This provides a
shared record with GP practices who also use SystmOne. If you have not consented
for your GP record to be shared with other organisations, no information recorded
by your GP will be visible. If you have given consent for your GP record to be shared
with other organisations we will be able to see this information. Likewise,
information inputted directly into the system at DHC will be immediately visible to
your GP.
Visibility of your GP record provides our Outpatient clinicians with a more
comprehensive picture of your general health which assists with diagnosis and
treatment as an outpatient.
We have enabled integration between SystmOne and practices that use a different
medical record system, EMIS. This provides limited information from your GP
record including:
Current conditions
Current Medication
Current Allergies and Adverse Reactions
Last 3 Consultations conducted within the practice
This ensuresthat those involved in your care ortreatment can quickly, easily and
securely access the information they need, when they need it.
Friends, Families and carers
We willshare relevant information about you with these individuals where you have
provided your consent or where they are acting as your attorney, deputy or guardian.
We will retain certain information about these individuals such as their name and
contact details so that we can share information about your care, in ways that you
have agreed.
Local Authority Safeguarding Team
There may be legalsituationsin which we have to share your information in order to
maintain the safety of the individuals concerned. This includes both adult and child
safeguarding and in these situations identifiable information will be shared. There is
often a legal requirement to share this information without obtaining consent first.
Some members of society are recognised as needing protection, for example children
and vulnerable adults. If a person is identified as being at risk from harm we are
expected as professionals to do what we can to protect them. In addition we are
bound by certain specific laws that exist to protect individuals. This is called
“Safeguarding”.
Where there is a suspected or actualsafeguarding issue we willshare information
that we hold with other relevant agencies.
NHS Digital
NHS Digital is a national body which has legal responsibilities to collect information
about health and social care services.
It collects information from across the NHS in England and provides reports on how
the NHS is performing. These reports help to plan and improve services to patients
and allow our organisation to receive payment for the services which we deliver.
DHC must comply with the law and willsend data to NHS Digital, for example, when
it is told to do so by the Secretary of State for Health or NHS England under the
Health and Social Care Act 2012.
More information about NHS Digital and how it uses information can be found at:
https://digital.nhs.uk/data-and-information/keeping-data-safe-and?benefitting-the-public/how-we-look-after-your-health-and-care?information/understanding-the-health-and-care-information-we-collect
National Data Collections
DHC is contractually required to submit data to national data collections where the
collection is relevant to the services which we deliver. A list of approved collections
can be found at:
https://digital.nhs.uk/data-and-information/information?standards/information-standards-and-data-collections-including?extractions/publications-and-notifications/nhs-standard-contract-approved?collections
Secondary Use Services+
The Secondary Uses Services (SUS+) is a collection of health care data which is used
for planning health care, supporting payments, commissioning policy development
and research.
We are legally required under Section 259 of the Health and Social Care Act 2012 to
provide datasets as specified by NHS Digital.
https://digital.nhs.uk/data-and-information/keeping-data-safe-and?benefitting-the-public/gdpr/gdpr-register/secondary-uses-service-sus-data?gdpr-information
Regulatory bodies
We are legally required to support organisations with regulatory functions such as
the CQC and the ICO. Where appropriate, we may share information about you with
these organisations to evidence compliance or to report an adverse or unexpected
incident.
Public Health
Public health encompasses everything from national smoking and alcohol policies,
the management of epidemics such as flu, the control of large scale infections such
as TB and Hepatitis B to local outbreaks of food poisoning or Measles. Certain
illnesses are also notifiable; the doctors treating the patient are required by law to
inform the Public Health Authorities, forinstance Scarlet Fever. The law requires usto
share data for national public health reasons, to prevent the spread of infectious
diseases or other diseases which threaten the health of the population.
We will report the relevant information to local health protection teams or Public
Health England.
For more information about Public Health England and disease reporting see:
https://www.gov.uk/guidance/notifiable-diseases-and-causative-organisms?how-to-report
Third party service providers
In order to deliver the best possible service, DHC will use carefully selected third
party service providers. When we use a third party service provider to process data
on our behalf, we will always have an appropriate agreement in place to ensure
that they keep the data secure and that they do not use or share the information
other than in accordance with our instructions.
Examples of functions that may be carried out by third parties include companies
that provide;
• IT services and support, including our clinicalsystems;
• Systems which manage patient facing services (e.g. our website);
• Data hosting service providers;
• Systems which facilitate appointment bookings, electronic prescription
services;
• Document management service; and
• Interpretation services.
Objecting to Sharing
You have the right to object to information being shared between those who are
providing you with direct care. This may affect the care you receive so please speak
to a member of the team if you have any concerns about the ways in which your
information is shared.
Sharing without your consent
There are exceptions to the duty of confidence that may make the use or disclosure
of confidential information without consent appropriate. These situations are rare
but could include:
• Sharing your name, address and other demographic information with NHS
Digital asthisis necessary if you wish to be registered to receive NHS care;
• Sharing required in the public interest or to protect the public in order to
prevent and support detection, investigation and punishment of a serious
crime or to prevent abuse/serious harm;
• Legal disclosures for example where we have received a court order;
• Where we are required to support organisations with regulatory functions
such as the CQC or the ICO.
National data opt-out
The national data opt-out is a service that allows patients to opt out of their
confidential patient information being used forresearch and planning. To find out
more orto register your choice to opt out, please visit https://www.nhs.uk/your-nhs?data-matters/
On this web page you will:
• See what is meant by confidential patient information
• Find examples of when confidential patient information is used for individual
care and examples of when it is used for purposes beyond individual care
• Find out more about the benefits of sharing data
• Understand more about who uses the data
• Find out how your data is protected
• Be able to access the system to view,set or change your opt-outsetting
• Find the contact telephone number if you want to know any more or to
set/change your opt-out by phone
• See the situations where the opt-out will not apply
Retention
All records held by DHC will be kept for the duration specified by national guidance
from NHS Digital, Health and Social Care Records Code of Practice. Once
information that we hold has been identified for destruction it will be disposed of in
the most appropriate way forthe type of information it is. Personal confidential and
commercially confidential information will be disposed of by approved and secure
confidential waste procedures.
Securing your information
We use various companies and sub-contractors to support our services. These
organisations are trusted partners and whom we authorise to use your information in
line with our specific instructions.
We require these third parties to provide assurance that they meet the requirements
of data protection law and we ensure written contracts are in place where access is
provided to your personal data.
We use technical and organisational controlsto protect yourinformation. We will
only use information that identifies you where it is necessary and then only the
minimum amount of information that is necessary to achieve the purpose will be
collected and used.
Access to your information is restricted to individuals on a strict “need-to-know”
basis i.e. only individuals supporting the provision of your healthcare can view your
information.
Anyone we share your information with, and all DHC staff, are legally, contractually
and/or professionally bound to keep yourinformation confidential and secure. We
undertake regular auditing to check that information is being handled to the
necessary standard.
Ourstaff receive regular training to ensure they understand how to comply with data
protection and confidentiality requirements.
We use secure electronic systems to store your information and where we hold paper
records, they will be protected from unauthorised access and confidentially
destroyed where appropriate.
Your Rights
You have various rights available to you under data protection law. These are set
out below;
Your right of access: You have the right to ask usfor copies of your personal
information
Your right to rectification: You have the right to ask usto rectify information you
think is inaccurate or complete information which you think is incomplete
Your right to be informed: you have the right to be told about the collection and use
of your information
Your right to restriction of processing: In certain circumstances, you have the right to
ask us to restrict the processing of your information
Your right to object to processing: In certain circumstances, you have the right to
object to the processing of your personal data
Your right to object : Article 21 of the UK GDPR, you have the right to object to the
processing of your personal data at any time. This effectively allows you to stop or
prevent an organisation from processing your personal data. For more information
on ‘Your right to object’, click here.
Your right to erasure: In certain circumstances, you have the right to request that we
erase your personal data. This does not apply to records regarding your medical care
as we are required by law to keep these records.
Requests can be made verbally or in writing although we may ask you to complete a
form in order that we can ensure that you have the correct information that you
require. You will also need to confirm your identity.
Please be aware that in certain situations, we are able to charge a reasonable fee
for responding to your request. We will inform you where this applies.
For more information on the ICO guidelines, click here.
When does the right to erasure not apply?
For more information on the ICO guidelines, click here.
Change of Details
It is important that you tell us if any of your contact details such as your name or
address have changed, especially if any of your other contact details are incorrect. It
is important that we are made aware of any changes immediately in order that no
information is shared in error.
Data Protection Officer
You can contact our DPO as follows:
Leon Palmer-Wilson, Governance and Compliance Manager
By email: patientfeedback.dhc@nhs.net
By post:
Dorking Healthcare Limited
Holmhurst Medical Centre
12 Thornton Side
Redhill
RH1 2NP
Please mark all correspondence “Private and Confidential - For the Attention of
Dorking Healthcare’s Data Protection Officer”.
Complaining to the ICO
You have the right to complain to the Information Commissioner’s Office, you can
use this link https://ico.org.uk/global/contact-us/ or call their helpline Tel: 0303 123
1113
As a partner within the East Surrey Place Partnership and Surrey Downs Health and
Care Partnership, the place privacy notices relevant to Dorking Healthcare Ltd are
now available via the following links
https://www.eastsurrey-alliance.org/privacy-notice-east-surrey
https://www.surreydowns-hcp.org/privacy-notice-surrey-downs-health-and-care?partnership
We will keep our Privacy Notice underregularreview. This notice waslast reviewed in September 2023.