beetroot & THERAPYAUDIT Limited
How We Handle Your Data Securely and Safely
1 Why we process personal data
Any personal data we process reflects the varied nature of our role. For example:
- We host and/or maintain digital health systems that help our customers to provide care and advice to people about their health
- We work on behalf of healthcare organisations and charities to ensure that doctors, nurses and other health and care professionals have the information they need to provide care to people
- We analyse information to provide reports and inform our clinician and commissioning customers
All of the above activity may require processing of personal data. This access is controlled – not all of the people working for us need access to all the information we hold and we only allow access to personal data where it is required for somebody to do their job. We take this seriously and all of our employees are required to be trained on the appropriate use of personal data. Inappropriate access to such information can result in disciplinary action, including dismissal.
2 Types of personal data
In order to provide our services, we collect and/or process a range of personal information. We do not collect or process all of this personal data about all people all of the time. We only collect and/or process the personal data necessary for the particular task that we have been asked to carry out by our customers, or that we are carrying out for marketing and communication purposes. Where possible, your information will be pseudonymised (replacing identifiers with codes or ‘keys’) or anonymised (meaning individuals cannot be identified); for example, when reports are produced and/or when questionnaires are sent to people and they submit them back to us.
All personal health data stored in our services’ databases is stored within NHS-secure locations, either local hospital Trust and/or the NHS HSCN private network. We do not collect or hold any personal health data in our databases outside the NHS, other than collecting and holding anonymised data in our public-facing Rackspace server with appropriate Information Governance approval from relevant customers.
All of this information is stored and used on behalf of our customer organisations, and in our internal systems. It includes:
- Contact details, including names, aliases, addresses, postcodes, telephone numbers and email addresses
- Identifying details, including date of birth and reference numbers such as NHS numbers
- Information about people’s health and wellbeing, including medical history and genetic data
- Workplace, education or financial information
- Information about patients’ family, dependents or personal circumstances (so that professionals know who they can speak to about their care)
- Private and subjective data including religion, gender and sexual orientation.
- Online identifiers including IP addresses and cookie identifiers (collected when you visit websites we are responsible for)
3 How we use personal data
We process your personal data for purposes directly connected with ensuring that we support doctors, nurses and other clinical professionals, helping them provide high quality health care to patients in hospitals, GP practices and across the community. This includes:
- Providing you with information on behalf of your healthcare provider that either you have requested or that your healthcare provider deems is of value to you
- Collecting information from you regarding your health through questionnaires at the specific request of your healthcare provider (Personalised Stratified Follow Up)
- Handling your enquiries, complaints or concerns
- Providing access to certain areas of our websites
- Informing you of services which may be of relevance to you
- Auditing and improving our IT systems and websites
- Facilitating stakeholder engagement such as focus groups or surveys
We also process your personal data if you request further information about our services from our public-facing websites.
4 How we obtain your information
We may collect your personal data from a variety of sources, including (but not limited to):
- Information provided by other NHS organisations
- Information provided by non-NHS organisations (e.g., Local Authorities)
- Other sources of UK-wide information (e.g., NHS Digital and Office for National Statistics)
- Information provided by you directly to us
5 The lawful basis for what we do
Data protection legislation requires us to tell you the lawful basis for processing personal data in the way we do. Further information is available from the website of the Information Commissioner’s Office.
We generally rely on the following legal provisions:
- The provision of care: the processing is required for the purposes of health or social care or treatment or the management of health or social care systems.
Our services always ensure our customers ask your permission to use your information. Permission is also sought from you when you complete requests for information from our public-facing websites.
6 Who your information is shared with
Personal data is only shared with other organisations where it is necessary to do so. Owing to the range of services we provide, information is shared with a variety of organisations and agencies including:
- NHS organisations in England, Scotland, Northern Ireland and Wales such as Trusts, Health Boards, GPs and Pharmacists
- Other care providing organisations, such as local authorities
- Third sector organisations including charities
We will share personal data if we are required to do so by law – for example, by court order or to prevent fraud or other crimes.
We may use ‘cloud’ services, which means your personal data may be stored outside of the United Kingdom. If this occurs, we are obliged to verify that appropriate safeguards are implemented with a view to protecting your data in accordance with applicable laws. Please use the contact details below if you want more information about the safeguards that are currently in place.
We will not:
- sell or rent your personal data to third parties
- share your personal data with commercial companies for marketing purposes
7 How long we keep your information
We keep personal data for as long as we need to in order to fulfil the purpose(s) for which it was collected and to comply with our legal and regulatory obligations. If the data relates to personal health, we are expected by our customers to ensure the data is available for 8 years. If it is data that we store for non-personal health reasons, it will be deleted immediately on request.
8 Security and storage of information
We recognise that your personal data is very valuable and so we take its security very seriously. We have set up systems and processes to prevent unauthorised access or disclosure of your data through the use of:
- Auditing – we keep records of those who access personal information
- Access controls – members of staff are provided with their own username and password to access your information
- Electronic records management – all healthcare records are stored confidentially and in secure locations
- Computer controls – We have complex security controls to ensure our computers cannot be accessed by those not authorised to do so – such as hackers
- Encryption – computer devices that hold personal information such as laptops are encrypted in case the device storing the data is lost or stolen
All THERAPYAUDIT staff must complete Information Governance training. This training makes staff aware of the importance of confidentiality and security of your personal data and makes clear that they are personally responsible for the security of any information that they are processing. This training must be completed every two years. We also make sure that any third parties we deal with keep all personal data they process on our behalf safe and secure.
9 Your rights
Data Protection legislation provides various individual rights for data subjects including:
- Right to be informed
- Right to access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights in relation to automated decision making and profiling
Not all of these rights are absolute, which means we often have to balance your wishes against other requirements. For example, it is unlikely that a request from an individual to delete their entire health record would be agreed. We are always guided by our clinical customers and their data security advisors when considering requests for deletion of data. This may be because there are other legal reasons that such records need to be kept and, if future treatment is required, the individual could be at risk of harm as a result of information not being available. Some rights are unlikely to apply in the context of the work we do, for example, the right to erasure and right to portability. For an explanation of all your rights please see the ICO’s guidance, which you can access here. If you wish to exercise any of these rights or have any queries or concerns regarding our processing of your personal data, please contact us using the contact details provided below.
10 Our websites
Our public-facing websites use SSL encryption to secure any data you may submit to us in a contact form or request for information.
Cookies are small files that websites put on your computer hard disk drive when you visit. Cookies pass information back to websites each time you visit. They are used to uniquely identify web browsers, track user trends and store information about user preferences. You can restrict or disable cookies on your browser; please note that some website features may not function properly without cookies.
Use of search engine technology
Our website may contain search facilities. Search queries and results may be logged anonymously to help us improve our website and search functionality. No identifiable personal information will be collected by us.
11 Purpose and legal basis for processing
The purpose for implementing all of the above is to maintain and monitor the performance of our websites and to constantly aim to improve the sites and the services they offer to our users. The legal basis we rely on to process your personal data is Article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests.
12 Links to other websites
Our websites and websites hosted by us may contain links to other websites. This policy only applies to the Informatics Service and does not cover other organisations’ websites. These organisations should have their own terms and conditions.
13 Changes to this policy
14 Contact us
Please contact the Data Protection Officer for further information regarding this policy, including how to exercise your rights:
Data Protection Officer
Unit 4 Century House
Cambridge CB24 4QG
15 Right of complaint
You have the right to lodge a complaint in relation to this privacy notice or our processing activities with the Information Commissioner’s Office, which you can do through the website or their telephone helpline.