
Privacy notice

What is a privacy notice?

Please address any questions about this policy to sg@montrosehealthgroup.com

 

This is a statement made by Montrose Health Group Ltd to our patients, service users, visitors, carers and the public that describes how we collect, use, retain and disclose personal information which we hold. It is sometimes also referred to as a privacy statement, fair processing statement or privacy policy.

This privacy notice is part of our commitment to ensure that we process your personal information or data fairly and lawfully and forms part of our accountability and transparency to you under the General Data Protection Regulation (2016) (GDPR) and the Data Protection Act (2018) (DPA).

We will collect, store and use personal data about you to provide you with healthcare services. Your personal data will also be used to plan our services and to make sure those services are as good as they can be.

We are the data controller, and our registered address is:

Contact for the data controller and data protection officer 

Address

370 Omega Court

Cemetery Road 

Sheffield 

S11 8FT 

Our Montrose Health Group Ltd | ICO

Clinic@montrosehealthgroup.com

 

We take our duty to protect your personal data and maintain confidentiality very seriously. We are committed to taking all reasonable measures to ensure the security of the personal data we are responsible for, whether this is computerised or in paper form.

At board level we have a senior information risk owner (SIRO) who is accountable for the management of all the organisation's information assets and a Caldicott guardian who is responsible for the management of patient data and patient confidentiality. We have a data protection officer (DPO) who ensures the organisation is accountable and compliant with the GDPR and DPA.

What information do we collect about you?

The health professionals caring for you keep records about your health and the treatment and care you receive with the NHS. The information in the record may come from you or from other care providers such as a GP, social care or a hospital. The maintenance of these records will ensure that you receive the best possible care. They may be written down on paper or held on a computer and include:

• basic personal details about you such as your name, address, date of birth, next of kin etc

• contacts we have had with you such as appointments or clinic visits

• notes and reports about your health, treatment and care

• results of x-rays, scans and laboratory tests

• relevant information from people who care for you and know you well, such as health professionals, relatives and carers

It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us, and please inform us of any changes as soon as possible.

We will use the mobile phone number you have provided us with to send appointments and reminders to you via SMS messaging unless you ask us not to.

Montrose also collects information to provide secondary (non-core) services, such as maintenance of facilities including the car park, fundraising and marketing. If your information will be used for any secondary service, you will be notified of this. Under the data protection legislation, generally the processing is necessary for the purposes of legitimate interests pursued by the data controller, where the legitimate interests are supporting the running of the day-to-day operations of the organisation.

Cookies

Our website utilises a standard technology called cookies to collect information about how our website is used and to record your preferences in order to give you the information you need during your visit. Information gathered through cookies allows us to monitor website traffic and to personalise the content of the site for you. 

Web server log files

IP addresses are used by your computer, mobile device or smartphone, every time you are connected to the internet. Your IP address is a number that is used by computers on the network to identify your computer or mobile device. IP addresses are automatically collected by our web servers so that data (such as the web pages you request) can be sent to you. Web server log files are used to record information about our site, such as system errors. Log files do not contain any personal information or information about which other sites you have visited.

Why do we collect this information about you?

Your information is used to guide and record the care you receive and is vital in helping us to:

• have all the information necessary for assessing your needs and for making decisions with you about your care

• have details of our contact with you, such as referrals and appointments, and see the services you have received

• assess the quality of care we give you

• properly investigate if you and your family have a concern or a complaint about your healthcare

Professionals involved in your care will also have accurate and up-to-date information and this accurate information about you is also available if you:

• move to another area

• need to use another service

• see a different healthcare professional

Your information will also be used to help manage the NHS and protect the health of the public by being used to:

• review the care we provide to ensure it is of the highest standard and quality

• protect the health of the general public

• manage the health service

• ensure our services can meet patient needs in the future

• investigate patient queries, complaints and legal claims

• ensure the health care providers receive payment for the care you receive

• prepare statistics on NHS performance

• audit NHS accounts and services

• undertake health research and development

• help train and educate healthcare professionals

For these purposes we use the minimum amount of information necessary. 

 

What is our lawful basis for processing your information under data protection legislation?

For healthcare purposes:

• article 6(1)(e), public task: the processing is necessary to perform a task in the public interest, or our official functions, which have a clear basis in law

• article 9(2)(h), processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services

How do we use your personal information?

Your information will also be used to help manage the NHS and protect the health of the public by being used to:

• review the care we provide to ensure it is of the highest standard and quality

• protect the health of the general public

• manage the health service

• ensure our services can meet patient needs in the future

• investigate patient queries, complaints and legal claims

• ensure the healthcare providers receive payment for the care you receive

• prepare statistics on NHS performance

• audit NHS accounts and services

• undertake health research and development

• help train and educate healthcare professionals

Who do we share your personal information with?

Everyone working in Montrose and with the NHS has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us has a legal duty to keep it confidential.

Legal reasons to share information

A person’s right to confidentiality is not absolute and there may be other circumstances when we must share information from your patient record with other agencies. In these rare circumstances we are not required to have your consent. Examples of this are:

• if there is a concern that you are putting yourself at risk of serious harm

• if there is concern that you are putting another person at risk of serious harm

• if there is concern that you are putting a child at risk of harm

• if we have been instructed to do so by a court

• if the information is essential for the investigation of a serious crime

• if you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object

• if your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases

Health and social care professionals

You may receive care from other organisations, for example, social care services or other NHS trusts, and therefore Montrose may need to share information to ensure consistent and appropriate care and support is provided. This is only shared if there is a genuine need to share or we have patient consent to do so.

We share information with the following partner organisations:

• other NHS trusts and hospitals involved in your care

• local authorities

• the Yorkshire and Humber care record (YHCR) which supports the delivery of integrated care by providing health and social care professionals with a single point of access to information about a service user, collected from their separate medical and care records. The sharing of this information is to ensure the provision of efficient joined-up services; designed to give the best care and outcomes to an individual based on their personal needs and circumstances

• NHS Digital (how we look after your health and care information): on behalf of NHS England, to assess the effectiveness of the care provided by publicly-funded services, we share information such as referrals, assessments, diagnoses, activities (for example, taking a blood pressure test) and, in some cases, your answers to questionnaires on a regular basis to meet our NHS contract obligations. You have the right to object to us sharing your information with NHS Digital; this will not affect your care in any way. For information about how you can opt out of sharing your data for research and development purposes only, please visit Your NHS Data Matters

• NHS England, the lead of the National Health Service (NHS) in England

• Care Quality Commission (CQC), the independent regulator of health and adult social care in England

• general practitioners (GPs)

• ambulance services

You may be receiving care from other people as well as the NHS, for example social care services. We may need to share some information about you with them so we can all work together for your benefit if they have a genuine need for it.

​

Therefore, we may also share your information, subject to strict agreement about how it will be used, with:

• social care services

• education services

• local authorities

• voluntary and private sector providers working with the NHS

We will not disclose your information to any other third parties unless:

• we have your permission

• we have an appropriate legal basis to do so

• we have good reason to believe that failing to share the information will put you or someone else at risk of serious harm or abuse

• we hold information that is essential to prevent, detect, investigate or punish a serious crime

We would never share your personal information for marketing or insurance purposes.

Do we use any data processors?

​

Communications and engagement

Purpose for processing

Montrose offers various services to the public giving them the opportunity to engage with us. This could be providing people with the latest news and information from Montrose, opportunities, events and details on how to get involved, and surveys.

We have to hold the details of the people who have requested the service in order to provide it. However, we only use these details to provide the service the person has requested and for other closely related purposes. For example, we might use information about people who have requested a publication to carry out a survey to find out if they are happy with the level of service they received or if the information is useful to them. We will never ask you to provide any personal data in response to a survey. Any personal data received in responses is removed before responses are collated, analysed or disseminated.

​

When people do subscribe to our services, they can cancel their subscription at any time and are given an easy way of doing this. Personal data collected for the above purposes is only processed with the explicit consent of the data subject unless it becomes apparent that we are required to process the personal data due to statutory obligations such as investigating a complaint.

​

Lawful basis

Article 6(1)(a), the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

Sources of the data

The personal data is provided by data subjects when signing up to receive one of our newsletters or expressing interest in an engagement event, either via our website or by completing one of our sign-up forms at one of the stakeholder events that we hold from time to time.

Categories of personal data

We only require you to provide us with your name and email address or residential address so that we can send you our publications. Information regarding your gender, sexual orientation, marital status and disabilities is collected so that we can ensure that our patient involvement groups are representative of the population we serve. We may also use it to send you targeted information or news. However, it is not mandatory to provide this information.

Invoice validation

​

Purpose for processing

Invoice validation is an important process. It involves using your NHS number to see who is responsible for your care, in order for us to invoice the correct commissioners to recover the income back for the care that has taken place.

Lawful basis

Article 6(1)(e), processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Sources of the data

We are the provider who submits invoices to NHS Shared Business Services for the commissioners for validation and payment.

Categories of personal data

The data required for effective invoice validation can be found in appendix B, of Who pays? Information governance advice for invoice validation.

Recipients of personal data

Commissioners who Montrose has invoiced for the charges related to your care. Montrose only shares personal data via NHS England’s published list of accredited commissioner email addresses. This data includes your NHS number and GP code at the time the service was accessed.

Safeguarding concerns and reviews

​

Purposes for processing

We are dedicated to ensuring that the principles and duties of safeguarding adults and children are holistically, consistently and thoroughly applied, with the wellbeing of all at the heart of what we do.

Lawful basis

• Article 6(1)(e), “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”

• Article 9(2)(g), “processing is necessary for reasons of substantial public interest, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.”

Some article 9 conditions require a corresponding schedule 1 condition from the DPA 2018 for special category data. See Data Protection Act (2018) part 2, paragraph 18: Safeguarding of children and of individuals at risk.

 

Categories of personal data

The data collected by Montrose staff, including hosted bodies, in the event of a safeguarding situation will be as much personal information as is necessary or possible to obtain in order to handle the situation. In addition to some basic demographics and contact details, this is likely to be special category information (such as health information).

Sources of the data

Montrose will either receive or collect information when someone contacts the organisation with safeguarding concerns or we believe there may be safeguarding concerns.

Recipients of personal data

The information is used by Montrose when handling a safeguarding incident or concern. We may share information accordingly to ensure duty of care and investigation as required with other partners such as local authorities, the police, care homes and healthcare professionals (for example, their GP or mental health team).

Quality

Purposes for processing

Montrose has a statutory duty to improve the quality and delivery of services, and therefore uses incident events, investigations, evidence and reports relating to incidents under various policy and procedural structures.

Lawful basis

Article 6(1)(e), “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”

Article 9(2)(h), “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.”

​

Categories of personal data

NHS number and other personal details, including relevant healthcare records and information about the concerns, including others involved in or impacted by the event, are used by Montrose to facilitate concerns or incident investigations.

Recipient of personal data

Information relating to outcomes will be sent back to the relevant providers.

​

QbTest

QbTest is an objective test that measures core ADHD symptoms: activity, attention and impulsivity. The test results are instantly analysed and presented in a report that compares a patient’s results with a group of people of the same age and gender who do not have ADHD. It is the most advanced ADHD management system, designed for more accurate diagnosis and treatment follow up.

Semble

Semble is our clinical patient system. All patient data inputted is on a secure platform which has two-factor authentication (Secure Healthcare Data Management). All data is held on UK or European servers. It is fully compliant with DSPT; assurance can be found here: Semble Trust Center | Powered by SafeBase.

 

 

What are your legal rights?

We will ensure that your rights are respected. You have:

The right to be informed

Individuals have the right to be informed of how their data will be used. This applies to both patient and staff data. 

The right of access

Individuals have the right to access their personal data, and this is commonly referred to as a subject access request. Individuals can make a subject access request verbally or in writing, and we have one month to respond to a request.

This is a free service, although there are specified examples where a fee may be applicable, such as where the request is “manifestly unfounded” or “excessive”, or if an individual requests further copies of their data following a request. We can charge a reasonable fee covering our admin costs. Information on how to make a request can be obtained via clinic@montrosehealthgroup.com

The right to rectification

Individuals have the right to have inaccurate personal data rectified or completed. 

​

The right to erasure

This is often referred to as the right to be forgotten and is not absolute. The right does not apply to special category data if processing is necessary for the provision of health or social care; or for the management of health or social care systems or services. 

​

The right to restrict processing

Individuals have the right to require organisations to restrict processing where:

• accuracy is contested by the individual

• processing is unlawful and the subject opposes erasure

• the organisation no longer needs the data, but the subject requires it to be kept for legal claims

• the individual has objected, pending verification of legitimate grounds

The right to data portability

Individuals have the right to receive personal data about them in a “commonly used and machine readable format”. This right is only available where the processing is based on consent and the processing is automated.

Please note that this is not the legal basis for the majority of our processing, therefore in regard to most of the data held by Montrose, this right does not apply.

​

The right to object

Individuals have the right to object to:

• processing based on legitimate interests or the performance of a task in the public interest or exercise of official authority (including profiling)

• direct marketing (including profiling)

• processing for purposes of scientific or historical research and statistics

​

Rights in relation to automated decision-making and profiling

Making a decision solely by automated means without any human involvement is known as automated individual decision-making, and any automated processing to evaluate certain things about an individual is known as profiling, although it can also be part of the same process.

We can only carry out solely automated decision-making that has legal (or similarly significant) effects on you, where the decision is either:

• necessary for the entry into or performance of a contract

• authorised by Union or Member state law applicable to the controller

• based on your explicit consent

​

If so, we must ensure we give you information about the processing and introduce simple ways for you to request human intervention or challenge a decision. We must also carry out regular checks to make sure that our systems are working as intended.

​

How can you access your personal information?

You have a right to see the information we hold about you, whether on paper or electronic, except for information that:

• has been provided about you by someone else if they haven’t given permission for you to see it

• relates to criminal offences

• is being used to detect or prevent crime

• could cause physical or mental harm to you or someone else

​

Your request must be made in writing and we will request proof of identity before we can disclose personal information.

If you would like to request a copy of your records, please contact the Information Governance team at Montrose Health Group.

Do we send your data to other countries?

Sometimes your data may be processed outside the UK. In most circumstances it will remain within the European Economic Area (EEA) and will have the same protection as if processed within this country. When this is outside the EEA we will identify the data protections in place prior to transfer.

How do we keep your information safe?

We are committed to keeping your information secure and have operational policies and procedures in place to protect your information whether it is in a hardcopy or electronic format:

• Montrose is registered with the Information Commissioner’s Office (ICO)

• all of the information systems used by Montrose are implemented with robust information security safeguards to protect the confidentiality, integrity and availability of your personal information

• we have very strict rules about who can and cannot use our computers. We also put restrictions in place as to which records staff can access

• our computers and networks are protected against hackers and unauthorised access.

• any information about you that is sent electronically to another healthcare provider or service is sent securely (encrypted)

• every time someone accesses your information an audit trail is created.

• all employees and our partner organisations are legally bound to respect your confidentiality; all staff must comply with our security operating procedures. Any breach of these is treated seriously, and could result in disciplinary action, including dismissal

• all Montrose employees are required to undertake annual training in data security and protection

• if staff would like a student or volunteer to be present they will always ask for your permission before that meeting or episode of care. The treatment or care you receive will not be affected if you refuse to have a student present during your episode of care

How long do we keep your information?

All records held by us are subject to, and kept in line with the retention periods in, the Records Management Code of Practice for Health and Social Care Act (2021). The Code sets out best practice guidance on how long we should keep your patient information before we are able to review and securely dispose of it.

Notification

The Data Protection Act (2018) requires organisations to notify the Information Commissioner of the purposes for which they process personal information. These details are publicly available from the Information Commissioner’s Office.

How do you make a complaint?

If you are not happy about how your data or request has been handled, please:

• speak to your health professional, consultant, clinic team etc

• should you have any further queries about the uses of your information, please email the Montrose data protection officer at je@montrosehealthgroup.com

• contact Sg@montrosehealthgroup.com if it relates to a complaint  

• to get further advice or report a concern directly to the Information Commissioner’s Office (ICO), the UK’s independent authority, you can visit the Information Commissioner’s Office complaints page or call them on 0303 123 1113

 

Data protection impact assessments

Data protection law introduced a new obligation to do a data protection impact assessment (DPIA) before carrying out types of processing likely to result in high risk to individuals’ interests. A DPIA is a process to help identify and minimise the data protection risks of a project which requires the processing of personal data. It is also good practice to do a DPIA for any other major project which requires the processing of personal data.

The data protection legislation supports your right to have your privacy respected and your data protected. It gives you easier access to the personal information that Montrose holds about you, if you wish to check or change it. It is designed to give you confidence that this information is accurate, up to date and well managed.

 

Version 1.1 (Feb 26)
