In the course of our work, we need to handle personal information about you so that we can provide services for you. This privacy notice sets out how we look after that information.
If we ask you for personal information, we promise to:
- let you know why we need it and what we will use it for;
- only ask for what we need and not collect excessive or irrelevant information.
When handling your personal information, we promise to:
- protect it appropriately and make sure nobody has access to it who shouldn’t;
- where appropriate, let you know if we need to share it with other organisations and if you can say no to this;
- consider privacy risks if we plan to use your personal information in new ways;
- only keep for as long as we need to or are required to by law;
- not make it available for commercial use (such as marketing) without your express permission (we do not usually make any information available for commercial use).
In order to keep your information up-to-date and reliable, we ask you to:
- give us accurate information;
- tell us as soon as possible of any changes such as a change of address.
If you’d like more information on:
- what information we hold about you and how to ask us to correct any mistakes;
- agreements we may have with other organisations for sharing information;
- instructions to staff on how to look after your information;
- how we check information is accurate;
- or to make a complaint about how we have handled your personal information;
then please write to us at the following address:
Dr Robert Bryan Beattie, Owner, Director and Data Protection Officer, Innermost Healthcare, Ash Tree Private Medical Clinic, Ash Tree Court, 3 Woodsy Close, Cardiff Gate Business Park, CF23 8RW
For more information and independent advice about data protection and privacy, you can visit the Information Commissioner’s Office Website https://ico.org.uk/ You can also make a complaint directly to them. They have a helpline for you to contact for more information on how to do this – 0303 123 1113.
Our Lawful Basis for Processing Data
Purpose 1: Provision of Direct Medical Care
Explicit consent under the GDPR is distinct from implied consent for sharing for direct care purposes under the common law duty of confidentiality. The GDPR creates a lawful basis for processing special category health data when it is for the provision of direct care that does not require explicit consent. Innermost Healthcare has established both a lawful basis for processing and a special category condition for processing.
Our lawful basis for processing health data for direct care is that processing is ‘necessary… in the exercise of official authority vested in the controller’ (Article 6(1)(e)). We also include that ‘processing is necessary for compliance with a legal obligation to which the controller is subject’ (Article 6(1)(c).
Our special category condition for processing for direct care is that processing is ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’ (Article 9(2)(h)).
When relying on Articles 6(1)(e) and 9(2)(h) to share data for the provision of direct care, consent under GDPR is not needed. However, in addition to the GDPR, we must also satisfy the common law duty of confidentiality. In order to satisfy the common law data we are able to continue to rely on implied consent to share confidential health data for the provision of direct care. The most common example of when consent can be implied is when a patient agrees to a referral from one healthcare professional to another. In these circumstances, when the patient agrees to the referral this implies their consent for sharing relevant information to support the referral (unless the patient objects). The referral information can then be disclosed under GDPR using articles 6(1)(e) and 9(2)(h) above.
Purpose 2: Other than Direct Medical Care
2a Legal Requirements to Disclose
Where there is a legal requirement to disclose, for example, a direction under the Health and Social Care Act 2012 or disclosures under public health legislation, our lawful basis for processing is ‘… for compliance with a legal obligation…’ (Article 6(1)(c)).
In the majority of cases, our most appropriate special category condition for processing in the face of a legal requirement to disclose will remain as: ‘…for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services…’ (Article 9(2)(h)).
2b Medical Research
When processing data for medical research our Article 6 lawful basis is 6(1)(e) ‘… for the performance of a task in the public interest…’ The special category condition is Article 9(2)(j) ‘…research purposes…’.
Reliance on this Article 6 lawful basis and Article 9 condition means that explicit consent is not required for GDPR purposes but common law will still require this explicit consent.
2c Requests from a Third Party (for example Solicitor, Insurance Company or Employer)
Where there is a request for personal confidential data from an insurance company, solicitor, financial controllers or employer (or similar third party) our lawful basis and lawful condition for processing will be explicit consent under both Articles 6(1)(a) and Article 9(1)(a).