Personal data is an increasing concern for individuals and it is understandable that service users are interested in how companies look after their data and privacy. Allied Health Professional Suffolk (AHPS) not only provides care for your well-being; we aim to apply that same level of care to your data and privacy.
This privacy notice covers how AHP Suffolk:
· Transfer; and,
· Store your data.
Categories of personal information
AHP Suffolk will process two categories of personal information about you:
· Personal Data and
· Special Category Data (Health Data)
In this Privacy Notice we use the terms:
· “Personal Data” for Personal data;
· “Special Category Data” for Special Category Data; and,
· “Data” for both categories.
This Privacy Notice applies to anyone whose data we process, including our service users and visitors to our website, but does not apply to:
· Our employees (handling of their personal data is governed by our employee handbook);
We may change this Privacy Notice from time to time, so please check back regularly to keep informed of any updates. This version of the Privacy Notice was updated on 2nd July 2018.
Firstly, some information about us;
In this Privacy Notice, we use the terms “we”, “us”, and “our” (and other similar terms) to refer to the Allied Health Professional Suffolk (AHPS) who act as a data controller responsible for your personal data.
Allied Health Professionals Suffolk is a community interest company registered in England and Wales. Registered number: 7542222. VAT No. 175110141. Registered office: The Lodge, Hartismere Hospital, Castleton Way, Eye, Suffolk IP23 7BH
Your Data Protection Officer
Data Protection Officer: Dwayne Johnson-Clarke
Privacy queries: firstname.lastname@example.org
Our commitment to you
AHP Suffolk is committed to protecting and respecting your privacy. Any decision we make regarding data will have considered the 6 data principles; more information on these can be found on the ICO website.
Information we may hold on you
Personal data means any information about you from which you can be identified. The data we collect depends on the nature of the services we are providing but can include:
· Basic details such as name, address and contact details;
· Details of contact we have had with you throughout your treatment with us;
· Professional information (such as job title, qualifications, previous experience and NI number);
· Details of the services you have accessed;
· Treatment notes and reports about your health and any treatment you have received;
· Your feedback and treatment outcome information;
· Information surrounding complaints and incidents which may have arisen;
· Recordings of calls, inbound and outbound;
· Any other personal data we collect in the course of providing our services or in the course of operating our business.
Your data may be collected:
· From you in person (e.g. at an appointment with one of our clinicians, or at an event);
· By telephone;
· By correspondence (including post, text, email or otherwise);
· Via our website or online portals (e.g. when submitting an enquiry on our contact form);
· Via CCTV footage collected by us and/or our buildings’ landlords;
· From third parties, such as:
· Instructions received from your solicitor, or another instructing party;
· Your doctor, or other previous healthcare providers;
· Your employer;
· Other companies who have obtained your permission to share information about you, have an identified lawful basis for doing so and who are responsible for the costs of the treatment.
We will share your data with carefully selected third parties when:
· You specifically request it, or a disclosure is required in order for us to provide our services and/or fulfil our contractual obligations to you;
· We are under a legal or regulatory duty to disclose your information; or,
· As a result of any changes in business ownership or organisation.
AHP Suffolk may share your personal information, where required and to the extent permitted and on which we have a lawful basis, with:
· Any member of our group (which means our holding company and our subsidiaries, including our group service company File Dynamics Limited).
· Any 3rd party who provides your treatment (where we do, we will ensure that they process information in accordance with our confidentiality and security requirements).
· Solicitors, Insurers, or any other instructing party;
· Our auditors, including external accreditation bodies;
· Law enforcement agencies and regulators (e.g. CQC);
· Public bodies;
· Our external service suppliers who provide business support services (including IT, security, building maintenance, archiving, data storage);
· Analytics and search engine providers who assist in improving our website; and,
· Any other third party you may ask us to share your data with.
Where our professional duties of confidence as medical clinicians require that we seek your consent before sharing your personal data with a third party, we will do so. Such consent has a different legal basis to consent for the purposes of EU/UK privacy law, and seeking consent further to our professional duties will not therefore affect the basis of processing in privacy law. The processing under EU/UK privacy law will be on the bases as set out above.
AHP Suffolk will not transfer any of your data outside of the European Union.
AHP Suffolk has in place physical, electronic and operational procedures intended to safeguard and secure the information we collect. These measures are updated as necessary and audited on a regular basis. All the data we process is processed by our staff in the UK and kept on UK-only servers.
How long we retain your data for will vary from matter to matter but will be determined in accordance with the following criteria:
· The length of time necessary to complete our contract with you;
· Any time limits for establishing or defending legal claims or responding to complaints/incidents;
· Any period necessary to comply with our legal obligations under EU/UK law; and,
· Any periods for retention that are recommended by regulators or professional bodies.
AHPS provide healthcare services; as such there is a legal and regulatory obligation for records to be kept for a minimum period of time.
We will typically keep your data for a period of 8 years, after which time it will be destroyed, if it is no longer required for the lawful purposes for which it was obtained. Closed files are archived after 6 months resulting in restricted access and additional security.
A cookie is a harmless piece of information that a website transfers to the cookie file of the browser on your computer's hard drive. On visiting the website, a cookie will be placed on your computer automatically by the website.
Most browsers accept cookies automatically but you have the ability to accept/decline cookies by altering the settings in your browser. If you decline/disable cookies, you may not be able to use all the interactive features of the website or the website may not be available to you.
You have the right to obtain confirmation from us as to whether we are processing your personal data and, if we are, to request a copy of the personal data we hold about you. This is known as a ‘subject access request’.
If you wish to make a subject access request, please request this at email@example.com
You also have the right to ask that we update any information we hold about you that may be incorrect. It is important that the information we hold about you is accurate and up to date. If any of your personal information changes please let us know.
In certain circumstances, you have the right to request that we restrict the way in which we process your data, or that we erase all personal information that we hold about you.
You have the right to object to certain types of processing.
We will try our best to comply with any request to restrict, object or erase your data, however processing of some data may still be required for legitimate business purposes or to comply with legal obligations. Please note that if you want us to restrict or stop processing your data this may prevent us from providing our services to you.
You have the right to request that we send a copy of your data, that you have provided to us, to another organisation for your own purposes (e.g. if you wish to change service provider). This data must be provided in a structured and usable format. This right only applies to personal data processed by way of consent or pursuant to our contract with you. If you wish us to transfer your personal data please let us know.
You will not have to pay a fee to access your personal data or to exercise any of your other rights. However, we may charge a reasonable fee should your request be clearly unfounded, repetitive or excessive. In order to prevent unauthorised access to information we may ask for proof of identity. We will do our best to respond to your request within one month, however, if that is not possible due to the number or complexity of requests we will notify you and keep you updated.
For further information on your rights, please visit ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/
If you wish to raise a query on how we have handled your personal data you can contact our Data Protection Officer on the details above.
You have the right to raise a concern at any time to the Information Commissioner’s Office (“ICO”) who is the UK supervisory authority for data protection issues. For more information on submitting a concern, or the data protection regime in general, please visit the ICO’s website.