Oxford GI is committed to safeguarding your personal information and respecting your privacy. We comply fully with the General Data Protection Regulation (GDPR) and with all applicable clinical confidentiality guidelines including the Caldicott Guidelines and those published from time to time by the General Medical Council and the Nursing and Midwifery Council.
We have implemented this privacy notice to inform you, as current or prospective patients or customers, of the types of data we process about you. We also include within this notice the reasons for processing your data, the lawful basis that permits us to process it, how long we keep your data for and your rights regarding your data. Please read this statement carefully.
Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
· processing is fair, lawful and transparent
· data is collected for specific, explicit, and legitimate purposes
· data collected is adequate, relevant and limited to what is necessary for the purposes of processing
· data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
· data is not kept for longer than is necessary for its given purpose
· data is processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisation measures
· we comply with the relevant GDPR procedures for international transferring of personal data
The data controller is Oxford GI LLP, registered company number SO301272. Our practice address is the Manor Hospital, Beech Road, Oxford, OX3 7RP.
This policy is for patients and customers. If you are an employee or prospective employee, we will provide separate privacy policies.
Under the GDPR, you have the following rights:
· The right to be informed – we will not use your data in any way that is not in accordance with this policy unless we inform you and seek your explicit consent.
· The right of access – you may make a ‘Subject Access Request’ to obtain a copy of any information that we hold about you, and we must provide this to you within 30 days of your request. We ask that you make any requests for health data in writing, to our office, and we may seek to verify your identity in order to protect your data.
· The right to rectification - you have the right to have the personal data we hold about you corrected if it is factually inaccurate. It is important to understand that this right does not extend to matters of opinion, such as medical diagnoses. Please contact us to let us know if your personal data, especially contact information, has changed.
· The right to erase or ‘the right to be forgotten’ – though this may not apply to health data, which we may be required to retain.
· The right to restrict processing – we will only process your data as absolutely necessary and in accordance with this policy.
· The right to data portability – you may obtain the data we hold about you for your own purposes for use across different services. We will work with you to find the best way to transfer your personal data from one IT environment to another in a safe and secure way.
· The right to object – you have the right to object to direct marketing. This right may not apply to other uses of your data as we may have an obligation to continue processing.
If you want to exercise your rights in respect of your personal data, please contact our office. In order to protect your privacy, we may ask you to prove your identity before we take any steps in response to such a request.
What personal data do we collect from you?
Personal data means information that can or has the potential to identify you as an individual.
We may hold and use personal data about you as a customer, a patient or in another capacity, for example, when you telephone us, visit our website, complete a form, access our services or speak to us in person. Depending on our relationship with you, we may hold ‘special category’ data relating to your health.
Personal data we collect from you may include the following:
· information that you provide when you enquire or become a patient which may include name, address, contact details (including email address and phone number)
· information about any health insurance policies that you tell us about
· details of referrals and related medical correspondence
· quotes and other related correspondence
· details of any treatment, tests or services you have received from us or which have been received from a third party and referred on to us
· information obtained from customer surveys that you have taken part in
· recordings of telephone calls we receive or make
· notes, results and reports about your health and any treatment and care you have received or need, including hospital/clinic visits and medicines
· any patient feedback that you give us
· information about complaints and incidents
· financial information which you provide when you make a payment to us (but we do not store credit card information)
· the name and contact details, including phone number, of your next of kin
The data that we request from you may include special category data. Special category data including any information about:
· sex life
· sexual orientation
· ethnic origin
· genetic and biometric data.
We will only collect special category data from you if it is relevant to your medical treatment.
When do we collect personal data about you?
We may collect personal data about you if you:
· enquire about any of our services or treatments
· register to be a customer or patient with us or book to receive any of our services or treatments
· fill in a form or survey for us
· participate in a marketing activity
· make an enquiry through our website
· contact us, for example by email, telephone or social media
In the interests of training and continually improving our services, calls to Oxford GI may be monitored or recorded.
What personal data we may receive from third parties and other sources?
Under certain circumstances we may collect personal data about you from third parties:
· We may be given your information by another health practitioner who feels you would benefit from our services. We would expect them to have informed you that they have done so.
· We carry out work on behalf of the NHS and for the continuity of your care we may be passed medical information, usually in the form of a referral, for the purposes of your treatment with Oxford GI or with a consultant.
· We may request information from the NHS, but only about any tests or treatments that are directly relevant to your treatment.
· Your insurance company or solicitor may pass on your personal details to us, which may include data regarding your health or other special category data as well as your contact details, in order to get in touch with you to arrange an appointment or collect further information from you.
How do we use your personal data?
Information related to your health will only be disclosed to those clinical or administrative staff involved with your treatment or care, or for the purpose of clinical audits.
We may use your personal data (and your health data, but only where necessary) to:
· Enable us to carry out our obligations to you arising from any contract we enter into with you including relating to the provision by us of services or treatments to you and related matter such as billing, accounting and audit, credit or other payment card verification and anti-fraud screening
· Provide you with information, products or services that you request from us
· Allow you to participate in interactive features of our services, when you choose to do so
· Notify you about changes to our products or services
· Respond to requests where we have a legal or regulatory obligation to do so
· Check the accuracy of information about you and the quality of your treatment or care, including auditing medical and billing information for insurance claims as well as part of any claims or litigation process
· Assess the quality or type of care you have received and investigate any concerns or complaints you raise
· To conduct and analyse market research
· To ensure that content from any of our websites is presented in the most effective manner for you and for your computer.
Disclosure of your personal data
Where necessary, and only as far as necessary, we may disclose your personal data and/or special category data to certain third party organisations that we use to support the delivery of our services. This may include the following:
· Specialist medical professionals (such as independent consultants or practitioners, diagnostic services or our employees) as we think necessary for your treatment, after you have discussed this with your doctor or nurse, or if you have requested a referral. This will not happen without your knowledge and consent.
· Your GP. You can ask us not to do this, and we will respect that request if we are legally permitted to do so, but you should be aware that it could be potentially dangerous and/or detrimental to your health to deny your GP full information about your medical history, and we strongly advise against it
· The NHS. If you are referred to us for treatment by the NHS, we will share the details of your treatment with the part of the NHS that referred you to us, as necessary to perform, process and report back on that treatment. We may share your private tests or treatments with your NHS consultant at your written request.
· Your insurer, if they are paying for all or part of your treatment. We provide only the information to which they are entitled. If you raise a complaint or a claim we may be required to share personal data with your medical insurer for the purposes of investigating any complaint/claim.
· Medical regulators. We may be requested, and sometimes required, to share certain information (including personal data and special category data) about you and your care with medical regulators such as the General Medical Council or the Nursing and Midwifery Council, for example if you make a complaint, or the conduct of a medical professional involved in your treatment is alleged to have fallen below the appropriate standards and the regulator wishes to investigate. We will ensure that we do so within the framework of the law and with due respect for your privacy.
· Your legal representative, should you make a written request to us to provide this information to them.
· Our indemnity providers and their legal representatives, in the event of any litigious claim by you.
· In an emergency and if you are incapacitated, we may also process your personal data (including special category personal data) or make personal data available to third parties on the basis of protecting your vital interest (i.e. your life or your health).
· To monitor the outcome of your treatment by us and any treatment associated with your care, including any NHS treatment carried out by us.
· To participate in national audits to help ensure that patients are getting the best outcomes. The highest standards of confidentiality will be applied to your personal data in accordance with the GDPR and clinical confidentiality guidelines. Any publishing of this data will be in anonymised, statistical form. Anonymous or aggregated data may be used by us, or disclosed to others, for research or statistical purposes.
· Business partners, suppliers and sub-contractors for the performance of any contract we enter into with you.
· Organisations providing IT systems support and hosting in relation to the IT systems on which your information is stored.
· Third party debt collectors for the purposes of debt collection.
· Delivery companies for the purposes of transportation.
· Third party service providers for the purposes of storage of information and confidential destruction.
· Third parties in the event that we sell or buy any business or assets or where we are required bylaw to do so.
The security of your personal data
We protect your personal data by having in place organisational and technical security measures to prevent it being subject to unauthorised access, loss, destruction or damage. All information you provide to us is stored securely and we conduct audits to ensure the ongoing security of our systems.
Any payment transactions will be processed securely by third party payment processors. Where we have given you (or where you have chosen) a password that enables you to access certain parts ofour website or secure emails, you are responsible for keeping that password confidential. We ask you not to share a password with anyone.
Health information is processed by a third party provider which ensures a high level of security and is registered with the Information Commissioner’s Office (ICO). We ensure that this provider operates under contractual restrictions with regard to confidentiality and security, in addition to their obligations under General Data Protection Regulations.
The transmission of information via the internet cannot be guaranteed as completely secure. However, we ensure that any information which contains personal information is via an encrypted connection. Once we have received your information, we will use strict procedures and security features for prevention of unauthorised access.
At your request, we may occasionally transfer personal information to you via non-encrypted email, or you may choose to transfer information to us via email. Unencrypted email is not a secure method of information transmission; if you choose to send or receive such information via email, we will ask you to tell us in writing that you accept this risk, and any information sent by you, or from us to you at your request, is transferred at your own risk.
Personal data will be held only for as long as is necessary in accordance with the purpose for which it was collected, in accordance with applicable laws and guidelines.Your personal data will not be transferred to destinations outside the European Economic Area ("EEA").
We will not contact you for marketing purposes.
We may contact you occasionally with information or questionnaires from professional bodies that may be directly relevant to the treatment you have had or to your situation. This may be, for example, a health questionnaire from a national medical body to assess the safety and efficacy of an operation or test, or a questionnaire from a regulatory body about the performance of your insurance company or hospital. Information that you give to external bodies will be given directly to them and will not be seen or processed by us.
We may contact you to request feedback about your treatment or appointment in order to help to improve our services in future. This feedback is optional and will be treated confidentially. It will not be passed to the medical practitioner who treated you, unless you request that it is. We may use anonymous quotes on our website if you consent to this by ticking the box.
We will not use your personal or health data for research without your explicit consent. We may write to you to ask if you would like to participate in research. We will only follow this up if you respond to your letter and would like to participate. If you do not wish to participate this will not affect any medical treatment or care that you receive.
Some hospital premises are surveyed by CCTV for the purposes of security. Images and videos may be retained for a limited period by the hospital.
Cookies are small pieces of text sent to your browser when you visit a site. They allow us to remember certain information you provide as you move between pages. As well as making our website operative correctly, they may also remember your settings during and between visits and improve the way the website works.
If you want to know more about cookies and how to manage them on your device we would recommend the guidance given by the Information Commissioner’s Office at: https://ico.org.uk/your-data-matters/online/cookies/
If you are not satisfied with how we handle your request, you can contact the Information Commissioner’s Office on 0303 123 1113 or visit their website (http://www.ico.org.uk).
Oxford GI is completely owned and run as a Limited Liability Partnership by the clinicians involved.