Coronavirus (COVID-19) – update to our Patient and Public Privacy Notice
The health and social care system are facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking, and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.
In light of the current pandemic, we wish to make our service users and the wider public aware as to how it will be using personal data concerning those in our care. We are publishing this update to our existing Privacy Notice on a temporary basis whilst the current outbreak is ongoing.
Coronavirus (COVID-19) – who we will share information with:
Information about Service Users coronavirus (COVID-19) status may be shared with NHS and other partners involved in their care and treatment, along with:
Public Health England
the Department of Health
and other government departments where it’s legally required, or where it’s necessary for the protection of public health or management of the outbreak.
We may also use the details we have for you to send you urgent updates by phone, text, or email, or by post if necessary, as required.
The lawful basis is GDPR Article 6(1)(c), compliance with a legal obligation, or Article 6(1)(e), that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (the provision of statutory health care services).
The exemptions in GDPR Article 9(1)(g) and 9(2)(h) will be applied, that processing is necessary for matters of substantial public interest or for the management of health care systems. The conditions in paragraphs 2 (management of health care systems), 3 (public health) and 6 (statutory and government purposes) of schedule 1 of the Data Protection Act 2018 are engaged.
In addition, existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law, the Secretary of State has required NHS Digital, NHS England and Improvement, Arm’s Length Bodies (such as Public Health England), local authorities, health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak.
Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data.
What information do we collect from you?
Records which the Dementia Resource Community Ltd may hold about you may include the following:
Details about you, such as your address and next of kin
Any contact we have had with you, such as appointments, clinic visits, emergency appointments, etc
Notes and reports about your health
Details about your treatment and care
Results of investigations, such as laboratory tests, x-rays, etc
Relevant information from other health professionals, relatives or those who care for you.
During this period of emergency, we may offer you a consultation via telephone or videoconferencing. By accepting the invitation and entering the consultation you are consenting to this. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation
We will also be required to share personal/confidential Service User information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak.
National Data Opt-Outs
During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However, in relation to the Summary Care Record, existing choices will be respected.
Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests.
As part of its response to the wider outbreak the Dementia Resource Community Ltd will continue to comply with all its other obligations concerning the processing of your data in accordance with the Data Protection Act 2018 and GDPR.
How we manage and protect information about you?
The Dementia Resource Community Ltd collects information about you to help us give you the best possible care. Our aim is to maintain full and accurate records of the care we provide for you and keep this information confidential and secure.
This privacy notice has been updated to reflect some of the changes in data protection legislation brought about by the General Data Protection Regulation (GDPR) 2016 and the Data Protection Act 2018. It also tells you how you can access information relating to your healthcare.
What information do we collect?
We collect information about you such as your name, address, NHS number, GP and contact details (including your email address and mobile number where you have provided these) alongside any health-related information required for the delivery of health care services, for example:
Details and records of treatment and care, including notes and reports about your physical or mental health.
Results of X-rays, blood tests and diagnosis.
Information on medication or any allergies.
Any other relevant contact details, for example a family member.
We may also collect personal sensitive information such as your ethnicity, religion, sexuality, and any criminal convictions (where relevant) so that we can build up a complete picture of you to enable our staff to provide you with the best care possible and to effectively deliver your treatment and care needs.
We may also receive written or electronic information about you from other health and social care providers in order to support the care you receive from us. This will enable us to provide the appropriate care and treatment that you need. We also collect information to monitor our compliance with our legal obligations relating to equality and diversity.
This information may be recorded in writing (i.e., in your nursing notes), or electronically on a computer or other electronic device, or a mixture of both. To assist with the delivery of care, we are moving towards wholly electronic Service User records.
The Dementia Resource Community Ltd utilises telephone call recording system which stores telephone records for a period of 90 days; these records include the caller ID, recipient ID, date, time and duration of the call and a digital recording of the conversation all which can only be accessed in the event of a serious investigation in relation to our service provision. Such Data remains confidential and is subject to the same data protection safeguards as other records maintained.
Our staff may check your details with you to ensure that our records are accurate. To assist with this, it is important that you notify us of any changes to your personal details (e.g., address, contact number, next of kin).
Who processes your information?
Cathrina Moore is the data controller in respect of your personal data for the provision of health care services. This means that the Dementia Resource Community Ltd determines the purposes for which, and the way your personal data may be processed in line with GDPR to deliver our services. As we work in collaboration with partner organisations it should be noted we have data sharing agreements in place to ensure your Data is always managed appropriately. Nursing notes and assessments are not routinely shared given the nature of the support we provide. We also request your consent for external referrals to other health and social care organisations. Your information is confidential, but if there is a safeguarding concern, sharing it may be justified.
On what basis are we entitled to process your information?
As a health care provider, we need information form you to carryout assessments, you must provide consent for this information to be held. You do have the right to say “no” to our use of your information, but this could have an impact on our ability to provide you with care and support.
We may have a legitimate business interest to provide your information to a third party, such as our solicitors or other professional advisers in defence of any legal claim against the Dementia Resource Community Ltd.
We may also need to provide your records or information to a third party where this is a legal obligation or regulatory requirement on us to do so, such as for the purposes of a review of Service User care being undertaken by the Care Quality Commission or other external regulatory body, or for the prevention and detection of crime or fraud.
How do we use the information we collect to help you?
We may use the information we collect to help us provide services to you in the following ways:
Your information may also be used to help us:
Review the care we provide to ensure it is of the highest standard.
Audit our accounts and services.
Prepare statistics or other performance data on the quality of care being delivered by the Dementia Resource Community Ltd.
Review the performance of contracts we have any other care providers.
Investigate incidents, complaints or legal claims.
Conduct health research and development.
Make sure our services can meet Service Users needs in the future.
Teach and train healthcare professionals.
Contact you for your participation with satisfaction surveys, service users experience groups and health research and development projects.
To monitor how we manage our budgets as a non-profit organisation.
We may also need to share your information with other non-healthcare organisations, where it is required in compliance with legal duties. For example, where you are receiving care from a local authority, we would need to share your information with a social worker to support the provision of your care. Other occasions where we may need to share your information include:
Reporting some infectious diseases.
To help prevent, detect, or prosecute serious crime.
If a court orders us to do so.
When you have expressly agreed
If there is an overriding concern that you may be putting either yourself, another person (including a health or social care professional) or a child at risk of harm.
Where we share information with non-healthcare organisations, we may request that they enter into an information sharing agreement to ensure that the information we share with them is handled appropriately and complies with relevant legislation. The information from your Service User record will only be used for purposes that benefit your care. In all cases where we must pass on health care related information, we will only share the minimum amount of information required. Anyone who receives information from us also has a legal duty to keep it confidential.
For any transfer of data outside the UK / EEA, we will make sure that appropriate safeguards are in place to ensure an appropriate level of protection of your data prior to any transfer. Any such transfer will need to be approved by the Dementia resource Community Ltd.’s Data Protection Officer.
If you need further information on how we might share your data, please email our Data Protection Officer at the contact details below.
Mrs. C. Moore, Dementia Resource Community Ltd, The Chapel House, Chapel House Lane, Puddington, Cheshire CH64 5SW
If we need to use your personal information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent. The Data Protection Act 2018 gives you certain rights, including the right to:
We will always try to keep your information confidential and only share information when necessary. We have procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
How You Can Access Your Information
You have the right to apply for access to the information we hold about you, free of charge, whether it is stored electronically or on paper. This is known as a Subject Access Request (SAR). We have a duty to provide your information in a format that is accessible to you (e.g., large print or Braille) and in a way that you can understand, explaining any abbreviations where necessary.
Your request must be made in writing and we may ask you to provide proof of identity before we can disclose personal information. Please click here for further information on making a Subject Access Request. Any request for a SAR should be emailed to firstname.lastname@example.org Please include the words “Subject Access Request” in the subject line of your email.
In certain circumstances your right to see some details in your health records may be restricted, for example if the information refers to someone else who hasn’t given their permission or could cause physical or mental harm to you or someone else (including any health or social care professional) were it to be disclosed; or if the information is being used to detect or prevent crime.
What if I object to your processing of my information?
After having viewed your records, if you believe any information is inaccurate or incorrect, please inform us of this in writing and we will take steps to rectify any inaccuracies as quickly as possible and within one month maximum.
You can also ask us to erase personal data where this is inaccurate; however, this does not apply to data which is being processed for the purposes of delivering healthcare.
How We Keep Your Information Safe
We are committed to keeping your information secure and have operational policies and procedures in place to protect your information whether it is in hard copy or electronic format. We protect your information in the following ways:
Training – Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information both on our premises and when out in the community. Staff are also obliged to undertake online training in data security and confidentiality on an annual basis to demonstrate that they understand and are complying with Dementia Resource Community Ltd.’s policies on confidentiality.
Access controls – Any member of staff being given access to systems holding Service User information will need a special access organisation login details, along with a username and password. Employee access is dependent upon role.
Audit trails – We keep a electronic record systems of anyone who has accessed a health record or added notes to it.
Investigation – If you believe your information is being viewed inappropriately, we will investigate and report our findings to you. If we find that someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action or bringing criminal charges.
Records Management – All Service Users healthcare records are stored confidentially in secure locations.
Legislation – There are laws in place to protect your information, including the General Data Protection Regulation 2016 and the Data Protection Act 2018) and the Human Rights Act 1998. There is also a common law duty of confidentiality. Under the NHS Code of Conduct on Confidentiality all staff are required to protect information and only share what is necessary and proportionate and take steps to protect your confidentiality.
Data Protection Officer (“DPO”) – Dementia Resource Community Ltd is required to appoint a Data Protection Officer, whose role it is to ensure that the organisation has in place appropriate mechanisms and procedures to protect your information and to ensure that personal data is processed lawfully within the Service.
The DPO is Mrs Cathrina Moore, who may be contacted at the following details:
Post: Mrs Cathrina Moore, The Chapel House, Chapel House Lane, Puddington, Cheshire. CH64 5SW
Information Commissioner’s Office
To get further advice or to report a concern directly to the UK’s information regulatory authority you can do this by contacting:
Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF Tel: 0303 123 1113.