Following the introduction of the General Data Protection Regulations (GDPR) and the Data Protection Act 2018, we are required to explain how we collect and use your information, how it is stored and for how long.
What information do we collect about you?
Whenever you see one of our healthcare professionals they will make a record of your appointment. They will also make a record about what happened at your appointment and the support have been given.
This information is useful because it reminds them what you have told them in previous appointments and the advice they may have given you. It also helps if you are sent to see another service for further advice or treatments.
We make every effort to ensure that the information we collect is up to date and accurate. If you have any concerns about the accuracy of the information that we hold, then please speak to your healthcare professional in the first instance.
As well as information that you provide, we may also receive information about you from other organisations who are involved in your healthcare, for example you GP practice.
Why do we keep this information?
We need to keep this information in order for the healthcare professionals to see what advice, support or treatment you have had and to ensure that it is appropriate. We are also legally required to keep certain information about you. This information may also be used, in an anonymised form, for the purposes of service delivery and audits.
Why we collect information and how your information helps us is explained in our leaflet What happens to the information you collect about me.
Lawful basis for using your personal data
Where Bromley Healthcare is contracted either by Clinical Commissioning Groups (CCG) or local authority to provide Healthcare services, we will process your information under the Public Interest basis. However, in certain circumstances, e.g. Child safeguarding, then we will be processing information as a Legal obligation.
How long do you keep my information for?
Bromley healthcare keeps records in accordance with the Records Management Code of Practice for Health and Social Care 2016 retention schedules.
Do you share my Information?
As a Data Controller, Bromley Healthcare has a number of sharing agreements with other organisations to share information for the legitimate interest of providing direct care, or to protect the vital interests of individuals; in order to prevent serious harm either to them or others. Where we do share information with other organisations, we only share the minimum amount of information necessary.
We have teamed up with Guy’s and St Thomas’ NHS Foundation Trust, South London and Maudsley NHS Foundation Trust and Kings College Hospital NHS Foundation Trust to share information through the Local Care Record. This allows the clinicians who are treating you, to be able to view clinical information from the other organisations. If you do not want your information to be shared in this way, then please contact Guy’s Patient Advice and Liaison Service (PALS), who will be able to assist you.
We also have a sharing agreement with a number of GP practices within Bromley. This allows Bromley Healthcare and the GP practice, to be able to see what treatment is being carried out, or due to be carried out, by the other organisation.
We may also share information with professionals from other organisations, e.g. Local Council, where we are working with them to provide a service to you.
There may also be times when we have to share information with other organisations when there is a statutory duty to do so, e.g. a court order.
Who can see my information?
Only staff who are involved in your treatment can view your information. This may include staff who, in the course of their duties, provide administrative support to clinicians, e.g. writing letters or arranging appointments.
In addition to legal requirements, such as the Data Protection Act, all staff are subject to the Common Law Duty of Confidentiality and the NHS Confidentiality Code of Conduct.
You can request to see this information
To request a copy of your records, you will need to approach the organisation who made the notes in the first place. They are not all held in one place. So, for example, to see notes made by your Bromley Healthcare district nurse, please contact us. To see notes made by your GP, please contact your surgery, and to see notes made by your hospital consultant, please contact the hospital.
To protect your confidentiality there are a few steps to go through so that we know we are providing information to the right person and we don’t compromise your right to privacy.
If you would like to see your health care records from Bromley Healthcare services, please email: firstname.lastname@example.org or write to:
Access to Records
Bromley Healthcare CIC Ltd
1 Knoll Rise
Orpington BR6 0JA
Is my information held securely?
Under Data Protection legislation, information relating to an individuals’ health is classed as a ‘Special Category of personal data’ and as such require us to ensure that appropriate security is in place to protect your information. Where we provide information to other organisations, we will also ensure that they hold your information to the same standard of security. We do not hold or process patient information outside the UK.
Data Privacy Impact Assessments
In order to meet our requirements under the General Data Protection Regulations, Bromley Healthcare has, under certain circumstances to complete a Data Privacy Impact Assessments (DPIA). This is a process which helps assess privacy risks to individuals and identifies the legal basis for the collection, use and disclosure of information, known as processing. This helps us to ensure that the information we hold, or plan to hold, will be secure and lawful.
All new projects, initiatives and processes that involve using or sharing personal information require a Data Protection Impact Assessment to be completed at the initial stages and prior to any procurement decision being made. Once completed, all DPIA’s when are submitted to the Data Protection Officer and the Information Governance Steering Group for approval.
Objections and complaints
If you have a complaint about the way your personal data has been handled; believe it is inaccurate, held for too long or it is not secure you can contact our Data Protection Officer (DPO) who will investigate the matter. They can be contacted by e-mail at: email@example.com.
If you are not satisfied with the response or believe your data is not being processed in accordance with the law, you can complain to the Information Commissioner’s Office (ICO).
The ICO is the regulator for data protection and upholds information rights. More information is available on the ICO website ico.org.uk.