Privacy Notice & Terms Of Use

Summary

Keeping your personal data safe is very important to us. Your personal data is stored in our secure clinical systems, and only those who are involved in delivering your care have access to your personal data.

We may share information about you with other General Practices (GPs), NHS acute or mental health Trusts, community health providers, pharmacists, ambulance services, social services, and NHS commissioning organisations who are directly involved in providing or funding your care needs. Your data will not be shared with anyone else, unless we are obliged by law.

We will never share your personal information with marketing and advertising companies.

We hold your information securely in the UK at all times. Your information is not shared anywhere outside the UK.

We will only share personal information about you with medical research organisations with your explicit consent, and you have the right withdraw your consent at any time.

A full list of the organisations we share information with, and why, is provided in the later section of this Privacy Notice.

Who we are

Throughout this Privacy Notice you will see references to “Cressex Health Centre”. This is the brand name under which a number of affiliated companies provide and support the provision of primary healthcare services across England. Dashwood PCN is one of those affiliated companies. A full list of all the companies can be found under the title “Entities and data protection registration numbers”.

What we do

At Cressex Health Centre, we are experts in working with complex health systems to provide the very best healthcare service to our patients and services users, and to transform their quality of healthcare experience. We are part of a healthcare family with over years’ experience of delivering high quality healthcare in the most simple and seamless way to our patients and service users, and we are committed to protecting and respecting their privacy.

We respect your right with regards to privacy and data protection when you communicate with us through our websites, events, telephone, or attend any of our face-to-face consultation services.

Your personal data is stored in our secure clinical systems, only those who are involved in delivering your care have access to your personal data. Your data will not be shared with anyone else, unless we are obliged by law.

Sharing your personal information

We will never share your personal information with marketing and advertising companies.

We hold your information securely in the UK at all times. Your information is not shared anywhere outside the UK.

We will only share personal information about you with medical research organisations with your explicit consent, and you have the right withdraw your consent at any time.

A full list of the organisations we share information with, and why, is provided in the later section of this Privacy Notice.

What is this Privacy Notice about?

A privacy notice is a statement that describes how an organisation collects, use, retain and disclose personal data, or special categories of personal data. Different organisations sometimes use different terms, and it can be referred to as a privacy statement, a fair processing notice or a privacy policy.

Being transparent and providing accessible information to individuals about how an organisation will use their personal information is a key element of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. To ensure that we process your personal data fairly, lawfully and transparently we are required by law to provide you with the following information:

What information we collect and process about you
How we process your personal data
The purpose of processing
Recipients or categories recipients of your personal data
The identity of our Data Protection Officer
How long we retain personal information about you
The lawful bases for processing
Your rights – to view, request access copies of your personal information, or object to the processing of your personal information.

What we process your personal information for

We process personal information about you in a number of ways. These include:

Primary uses – we process personal information concerning your health to enable our registered and regulated healthcare professionals who are directly involved in your care to provide you with the best possible direct care delivery. Personal information concerning your health or social care is also made available to other health or social care provider organisations who are involved in your health or social care needs to enable them to make the best-informed decision about you when you use their service.
Secondary uses – We process your personal information for purposes of beyond direct care in the following ways:
Reviewing the care we provide through clinical audit.
Investigating your queries, complaints and legal claims.
Ensuring we are reimbursed correctly for the healthcare you receive.
Preparing statistics on NHS performance.
Auditing NHS accounts and services.
Undertaking health research, and development (with your explicit consent, and you have the right choose whether or not to be involved).
For business intelligence and analytical services to enable us to predict future trends and plan our services.
Training and educating our healthcare professionals (with your explicit consent, and you have the right choose whether or not to be involved).

Our Data Protection Officer

If you have any questions or concerns regarding how your data is being processed, please write to our Data Protection Officer who can be contact at:

Data Protection Officer

Cressex Health Centre
Hanover house, Coronation Road
Cressex Buisness Park, High Wycombe
Buckinghamshire
HP12 3PP

Email: [email protected]

Organisations we share your personal information with

We will never share your personal information with marketing and advertising companies.

We hold your information securely in the UK at all times. Your information is not shared anywhere outside the UK.

Included below is a table of the organisations we share information about you for the purposes of direct and indirect care, split into the following categories:

Details of data linkage with other datasets

Data may be de-identified and linked so that it can be used to improve health care and development and monitor NHS performance. Where data is used for statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (inpatient, outpatient and A&E). In some cases, there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc, as well as mental health and community-based services such as Improving Access to Psychological Therapies (IAPT), community nursing, podiatry etc. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity.

Clinical Commissioning Groups within our geographical areas are responsible for processing de-identified and linked data under this category, on our behalf. We ensure that the Processor is legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

Data retention period

All records held by Cressex Health Centre will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care 2020 and supplemented by our Records Management Standards.

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for. To determine the appropriate retention period for personal data, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements have all been considered.

What safeguards are in place to ensure data that identifies me is secure?

We only use information that may identify you in accordance with UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. These legislations require us to process your data only if there is a lawful basis for doing so and that any processing must be fair, lawful and transparent.

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).

Our appropriate technical and security measures include:

The ability to ensure ongoing confidentiality, integrity, availability and resilience of our systems.
The ability to quickly restore availability and access to personal information in the event of a physical or technical incident; and
A process regularly testing, assessing and evaluating the effectiveness of security measures, and ensure they comply with the concept of privacy by design and default;
Encryption; Firewalls / VPN; Password protected files; Restricted Access Folders and System Audit.

What are your general rights?

Where information from which you can be identified is held, you have the:

Right of access to view or request copies of the record
Right to rectification of inaccurate personal data or special categories of personal data
Right to restriction of the processing of your data where accuracy of the data is contested, processing is unlawful or where we no longer need the data for the purposes of the processing
Right not to be subject to any automated individual decision-making
Right to data portability by requesting the data which you provided to us (not data generated by us) in a structured, commonly used machine-readable format. Your right to portability shall apply only where:
- data is processed by automated means, and
- you provided consent to the processing or,
- the processing is necessary for the fulfilment of a contract.

Right to object

In line with the Data Protection Legislation, you do not have the right to object to the processing of your personal information where:

The purpose of the processing is for direct provision of care or safeguarding concerns. As a primary care and community health provider, we have legitimate compelling grounds under the Health and Social Care Act 2012 to process your personal information for the purposes of direct care delivery, and to prevent an individual from harm, or to prevent a serious crime. This include personal information concerning your health which we share with other GP Practices, NHS acute or mental health Trusts, social services, community health providers and pharmacists who are also involved in your care.
The processing is necessary for compliance with a legal obligation to which we are subject. This includes information we share with statutory organisations, law enforcement and regulatory bodies such as NHS Digital (statutory data collection), NHS Counter Fraud, the Police, Courts of Justice, HMRC and DVLA.

You do not have the right to object to the processing of your personal information for risk stratification for indirect care purpose such as understanding the local population needs and plan for future requirement.

You have the right to opt-out of:

COVID-19 Privacy Notice

Introduction

This notice describes how we may use your information to protect you and others during the Covid-19 (Coronavirus) outbreak. It supplements our main Privacy Notice.

In the current emergency it has become even more important to share health and care information quickly across relevant organisations, to deliver care to individuals, support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. The health and social care system is facing significant extra pressures due to the Covid-19 outbreak.

Existing law allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. The Secretary of State requires NHS Digital; NHS England and NHS Improvement; Arm’s Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any arrangements put in place specifically to use or share information during the Covid-19 are temporary and will be limited to the period of the outbreak unless there is another existing legal basis that covers the use and sharing of that data.

During the COVID-19 outbreak Clinical Commissioning Groups (CCGs) and NHS Digital will not process any new requests to opt-out of local data sharing arrangements such as the Integrated Health and Care Record Programme.

All opt-out requests currently submitted will be held until the outbreak ceases at which point, the request to opt-out will be processed.

It may take us longer to respond to Subject Access Requests and Freedom of Information requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs, we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example, neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance, such as Public Health England, for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. During this period of emergency, you may be offered a consultation via telephone or videoconferencing. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

Purpose of the processing of your data

The purpose of the envisaged temporary Covid-19 data flows is to effectively treat and prevent the onward spread of COVID-19, as such there is a need to share Patient Identifiable Data and Special Category (or sensitive) information. However, for each new data flow a review will be undertaken to ensure that the minimum amount of personal data is processed and processed securely.

Lawful basis for processing your data

The Secretary of State (SoS) for Health and Social Care served a Notice under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) to require health and care organisations to process confidential patient information in the manner set out below for THE following purposes:

diagnosing communicable diseases and other risks to public health;
recognising trends in such diseases and risks;
controlling and preventing the spread of such diseases and risks;
monitoring and managing understanding COVID-19 and risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks
processing to support the NHS Test and Trace programme
identifying and understanding information about patients or potential patients with or at risk of COVID-19, information about incidents of patient exposure to COVID-19 and the management of patients with or at risk of COVID-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from COVID-19
understanding information about patient access to health services and adult social care services and the need for wider care of patients and vulnerable groups as a direct or indirect result of COVID-19 and the availability and capacity of those services or that care
monitoring and managing the response to COVID-19 by health and social care bodies and the government including providing information to the public about COVID-19 and its effectiveness and information about capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services
delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with COVID-19, including the provision of information, fit notes and the provision of healthcare and adult social care services
research and planning in relation to COVID-19

Under the UK General Data Protection Regulation (UK GDPR), Article 6, 1(c)- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

There are a number of pieces of legislation currently available to allow the processing of personal data and special category data in response to public health breakouts, which includes:

Public Health (Control of Disease) Act 1984
The Health and Social Care Act 2008 (by virtue of The Care Act 2014)
The Civil Contingencies Act 2004

The relevant basis in UK data protection law is set out in the Data Protection Act (DPA) 2018, in Schedule 1 condition 2. This condition covers the following purposes:

preventive or occupational medicine;
the assessment of an employee’s working capacity;
medical diagnosis;
the provision of health care or treatment;
the provision of social care (this is likely to include social work, personal care and social support services); or
the management of health care systems or services or social care systems or services.

Article 9(3) of the GDPR contains the additional safeguard that you can only rely on this condition if the personal data is being processed by (or under the responsibility of) a professional who is subject to an obligation of professional secrecy. Section 11 of the DPA 2018 makes it clear that in the UK this includes:

a health professional or a social work professional; or
another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

By virtue of the Data Protection Act 2018 (c. 12) Schedule 1 — Special categories of personal data and criminal convictions etc data, Part 1 – Conditions relating to employment, health and research etc, paragraph 3(a), processing meet the GDPR Article 9 condition ‘if processing is necessary for reasons of public interest in the area of public health’.

Right to access and correct

All the personal data we process is processed by our staff in the UK however for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

No 3rd parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place such as a Data Processor as above). We have a Data Protection regime in place to oversee the effective and secure processing of your personal and or special category (sensitive, confidential) data.

Retention period

The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016.

Note: This Privacy Notice issued sets aside the requirements of Common Law Duty of Confidentially for COVID-19 purposes, Regulation 4 Health Service Control of Patient Information Regulations 2002 provides that ‘information may be processed in accordance with these Regulations, notwithstanding any common law obligation of confidence’, meaning that identifiable patient data can be shared with other organisations where it is ‘necessary’ for a COVID-19 purpose.

Three circumstances making disclosure of confidential information lawful are:

where the individual to whom the information relates has consented;
where disclosure is in the public interest; and
where there is a legal duty to do so, for example a court order.

PLEASE READ THESE TERMS OF USE CONDITIONS CAREFULLY BEFORE USING THIS SITE

Who we are and how to contact us

These terms refer to using our site, operated by (“We” or “us”). We are registered in England. Address: Cressex Health Centre
Hanover house, Coronation Road
Cressex Buisness Park, High Wycombe
Buckinghamshire
HP12 3PP

By using our site you accept these terms

By using our site together with our privacy policy and disclaimer, you confirm that you accept these terms of use and that you agree to comply with them. If you do not agree to these terms, you must not use our site. We recommend that you print a copy of these terms for future reference.

Privacy Policy

Our privacy policy also applies to your use of our site, which sets out the terms on which we process any personal data that we collect from you, or that you provide to us. By using our site, you consent to such processing and you warrant that all data provided by you is accurate.

Patient / Customer Interactive Services via our Websites and App

We use patient / customer interactive services from our websites, which include without limitation email, new bulletins, videos, video and audio consultation services. Where these services are provided, there will be clear information on how to use them, and the roles and responsibilities of each party.

We are under no obligation to oversee, monitor or moderate any patient / customer services that we provide via our website – we explicitly exclude our liability for any loss of damages arising from the use of any interactive services by a user in breaching of our standards as set out.

We may make changes to these terms

We amend these terms from time to time. Every time you wish to use our site, please check these terms to ensure you understand the terms that apply at that time.

We may make changes to our site

We may update and change our site from time to time.

We may suspend or withdraw our site

We do not guarantee that our site, or any content on it, will always be available or be uninterrupted. We may suspend or withdraw or restrict the availability of all or any part of our site for business and operational reasons. You are also responsible for ensuring that all persons who access our site through your internet connection are aware of these terms of use and other applicable terms and conditions, and that they comply with them.

You must keep your account details safe

If you choose, or you are provided with, a user identification code, password or any other piece of information as part of our security procedures, you must treat such information as confidential. You must not disclose it to any third party. We have the right to disable any user identification code or password, whether chosen by you or allocated by us, at any time, if in our reasonable opinion you have failed to comply with any of the provisions of these terms of use.

If you know or suspect that anyone other than you knows your user identification code or password, you must promptly notify us by email to [email protected]

How you may use material on our site

We are the owner or the licensee of all intellectual property rights in our sites, and in the material published on it. Those works are protected by copyright laws and treaties around the world. All such rights are reserved. You may print off one copy, and may download extracts, of any page(s) from our site for your personal use and you may draw the attention of others within your organisation to content posted on our site.

You must not modify the paper or digital copies of any materials you have printed off or downloaded in any way, and you must not use any illustrations, photographs, video or audio sequences or any graphics separately from any accompanying text.

Our status (and that of any identified contributors) as the authors of content on our site must always be acknowledged. You shall ensure that each use of the content bears the following copyright identification: ‘© (year of publication)’ (and the date to be placed in brackets after ‘©’ shall be the date specified for that purpose or the particular Material) and a notice to the effect that such Materials are used under licence.

You must not use any part of the content on our site for commercial purposes without obtaining a licence to do so from us or our licensors. If you print off, copy or download any part of our site in breach of these terms of use, your right to use our site will cease immediately and you must, at our option, return or destroy any copies of the materials you have made.

We are not responsible for websites we link to

Where our site contains links to other sites and resources provided by third parties, these links are provided for your information only. Such links should not be interpreted as approval by us of those linked websites or information you may obtain from them. We have no control over the contents of those sites or resources.

Our responsibility for loss or damage suffered by you

The content on our site is provided on the basis that you use such content at your own risk. We make no representations, warranties or guarantees in respect of our site or any content on it. We exclude all implied conditions, warranties, representations or other terms that may apply to our site or any content on it.
We do not exclude or limit in any way our liability to you where it would be unlawful to do so. This includes liability for death or personal injury caused by our negligence or the negligence of our employees, agents or subcontractors and for fraud or fraudulent misrepresentation.
Subject to that, we will not be liable to you for any loss or damage whatsoever (whether direct, indirect or consequential), whether in contract, tort (including negligence), breach of statutory duty, or otherwise, even if foreseeable, including, without limitation, any loss or damage arising under or in connection with:
- use of, or inability to use, our site; or
- use of or reliance on any content on our site.

We are not responsible for viruses and you must not introduce them

We do not guarantee that our site will be secure or free from bugs or viruses.

You are responsible for configuring your information technology, computer programmes and platform to access our site. You should use your own virus protection software.

You must not misuse our site by knowingly introducing viruses, Trojans, worms, logic bombs or other material that is malicious or technologically harmful. You must not attempt to gain unauthorised access to our site, the server on which our site is stored or any server, computer or database connected to our site. You must not attack our site via a denial-of-service attack or a distributed denial-of-service attack. By breaching this provision, you would commit a criminal offence under the Computer Misuse Act 1990. We will report any such breach to the relevant law enforcement authorities and we will co-operate with those authorities by disclosing your identity to them. In the event of such a breach, your right to use our site will cease immediately.

No linking to our site

Our site must not be framed on any other site, nor may you create a link to any part of our site without the expressed consent of a Director.

Which country’s laws apply to any disputes?

These terms of use, their subject matter and their formation (and any non-contractual disputes or claims) are governed by English law. We agree to the exclusive jurisdiction of the courts of England and Wales.

Who we are

Coronavirus (COVID-19)

Advice in your region