Security of information
Confidentiality affects everyone: BestBrothers Ltd (the Organisation) stores and uses large amounts of personal and sensitive personal data every day, such as medical records, personal records and computerised information. This data is used by many people in the course of their work.
We take our duty to protect personal information and confidentiality very seriously. We are committed to complying with all relevant legislation and to taking all reasonable measures to ensure the confidentiality and security of the personal data for which we are responsible, whether computerised or on paper.
At Board level, we have appointed a Senior Information Risk Owner who is accountable for the management of all information assets and any associated risks and incidents, and the Managing Director is responsible for the management of patient information and patient confidentiality.
Legal basis for the processing of your data
The General Data Protection Regulation (GDPR) 2018 requires the Organisation to process:
Personal data under 6(1)(f) “Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Article 6(1)(a) “The data subject has given consent to the processing of his or her personal data for one or more specific purposes.”
Sensitive personal data
(Health Records) under 9(2)(h) – “Necessary for the reasons of preventative or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services”
How long health records are retained
All patient records are destroyed, which sets out the appropriate length of time each type of medical record is retained.
The Organisation does not keep patient records for longer than necessary and all records are destroyed confidentially once their retention period has been met, and the Organisation has made the decision that the records are no longer required.
Other ways in which we use your information
Telephone calls to the Organisation are routinely recorded for the following purposes:
To make sure that staff act in compliance with the Organisation’s procedures.
To ensure quality control.
Training, monitoring and service improvement
To prevent crime, misuse and to protect staff
Data subjects’ rights
Under the Data Protection Act – 6th Principle:
a right of access to a copy of their personal data;
a right to object to processing that is likely to cause or is causing damage or distress;
a right to object to decisions being taken by automated means;
a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
a right to claim compensation for damages caused by a breach of the Act
Under the General Data Protection Regulation (GDPR)
a right to confirmation that their personal data is being processed and access to a copy of that data, which in most cases will be free of charge and will be available within 1 month (which can be extended to two months in some circumstances)
Who that data has or will be disclosed to;
The period of time the data will be stored for
a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed;
Data Portability – data provided electronically in a commonly used format
The right to be forgotten and erasure of data does not apply to an individual’s health record or for public health purposes
The right to lodge a complaint with a supervising authority (see Raising a concern section)
Your right to object
You have the right to restrict how and with whom we share information in your records that identifies you. If you object to us sharing your information we will record this explicitly within your records so that all healthcare professionals and staff involved with your care are aware of your decision. If you choose not to allow us to share your information with other health or social care professionals involved with your care, it may make the provision of treatment or care more difficult or unavailable.
Please discuss any concerns with the clinician treating you so that you are aware of any potential impact. You can also change your mind at any time about a disclosure decision.
SMS text messaging
When attending the Organisation for an appointment or a procedure you may be asked to confirm that the organisation has an accurate contact number and mobile telephone number for you. This can be used to provide appointment details via SMS text messages and automated calls to advise you of appointment times.
Surveillance Cameras (CCTV)
We employ surveillance cameras (CCTV) on and around our sites in order to:
protect staff, patients, visitors and Trust property
apprehend and prosecute offenders, and provide evidence to take criminal or civil court action
provide a deterrent effect and reduce unlawful activity
help provide a safer environment for our staff
assist in traffic management and car parking schemes
monitor operational and safety related incidents
help to provide improved services, for example by enabling staff to see patients and visitors requiring assistance
assist with the verification of claims
You have a right to make a Subject Access Request of surveillance information recorded of yourself and ask for a copy of it. Requests should be directed to the address below and you will need to provide further details as contained in the section ‘How you can access your records’. The details you provide must contain sufficient information to identify you and assist us in finding the images on our systems.
We reserve the right to withhold information where permissible by the General Data Protection Regulation (GDPR) 2018 and we will only retain surveillance data for a reasonable period or as long as is required by law. In certain circumstances (high profile investigations, serious or criminal incidents) we may need to disclose CCTV data for legal reasons. When this is done there is a requirement for the organisation that has received the images to adhere to the GDPR.
The Data Controller responsible for keeping your information confidential is:
Brandon Best – Director
Data Protection Officer Contact – firstname.lastname@example.org
Raising a concern
Patients who have a concern about any aspect of their care or treatment at this Organisation, or about the way their records have been managed, should contact –
Brandon Best – Director
If you have any concerns about how we handle your information, you have a right to complain to the Information Commissioner’s Office about it.
The GDPR 2018 requires organisations to lodge a notification with the Information Commissioner to describe the purposes for which they process personal information. These details are publicly available from:
Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, SK9 5AF
Telephone: 08456 306060
Freedom of Information
The Freedom of Information Act 2000 provides any person with the right to obtain information held by BestBrothers Ltd, subject to a number of exemptions. If you would like to request some information from us, please contact us.