Practice Plus Private Privacy Notice
Practice Plus Private is a premium for-pay primary care service and a new addition to our expanding portfolio of private healthcare services. Building on our significant experience in independent sector healthcare, we are now offering a suite of premium virtual and face to face GP services to our patients. Practice Plus Private is open to members of the public who can purchase our services directly from us. Practice Plus Private aims to offer a safe, effective convenient service outside of normal NHS provided primary care services.
These services draw from the same clinical and operational expertise as the other services provided by the Practice Plus Group, including; general practice, elective surgical centres, health in justice and integrated urgent care.
Patients who are treated by us can rest assured that we value your privacy and want you to understand the choices and control you have over your information with Practice Plus Group. We have created this GDPR privacy notice to help explain those choices and give you that control.
The General Data Protection Regulation (GDPR) is European Union (EU) legislation that became directly applicable in EU Member States (e.g. the UK) on 25 May 2018. It is a regulation by which the European Parliament, the Council of the EU and the European Commission intend to strengthen and unify data protection for all individuals within the EU.
The GDPR was designed to replace the existing Data Protection Act 1998 and allow individuals to better control their personal data, as well as enable organisations to think harder about the privacy and controls they have on the data they hold and process about individuals. These modernised and unified rules allowed businesses to make the most of opportunities and benefit from reinforced consumer trust.
At Practice Plus Group, we are committed to being transparent about how we use your data and keep it safe, and will continue to provide accessible information to individuals in line with the UK Data Protection Regulations outlined in the General Data Protection Regulation (EU) 2016/679. The most common way to provide this information is in a privacy notice.
Purpose of processing personal information
The purpose of Practice Plus Group processing your personal information/data is so we can provide you with an effective service. As a leading healthcare provider, Practice Plus Group delivers healthcare services to you and must collect and use personal information about you.
We follow industry best practice and will:
- Discuss and agree with you what we are going to record about you;
- Give you a copy of letters we are writing about you; and
- Show you what we have recorded about you, if you ask.
The GDPR ensures that we comply with a series of data protection principles. These principles are there to protect you and they make sure that we:
- Process all personal information lawfully, fairly and in a transparent manner.
- Collect personal information for a specified, explicit and legitimate purpose.
- Guarantee that the personal information processed is adequate, relevant and limited to the purposes for which it was collected.
- Ensure the personal information is accurate and up to date.
- Retain your personal information for no longer than is necessary for the purpose(s) for which it was collected.
- Keep your personal information securely using appropriate technical or organisational measures.
To make sure you receive the best possible care, your records are used to assist the care you receive. Your information may be used within Practice Plus Group for clinical audit purposes to monitor the quality of the service provided.
The lawful basis for the process
Practice Plus Group at all times operates according to statutory health and social care guidelines in the delivery of their functions. Practice Plus Group uses the following lawful basis for processing your data:
- Article 6 Lawful processing: Article 6(1)(a) personal data explicit consent ‘….the data subject has given consent to the processing of his or her personal data for one or more specific purposes’.
- Article 6 Lawful processing: Article 6(1)(b) contractual agreement ‘…processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract…’
- Article 6 Lawful processing: Article 6(1)(c) Legal obligation: ‘the processing is necessary for us to comply with the law (not including contractual obligations)’. This includes processing for direct care.
- Article 6 Lawful processing: Article 6(1)(e) Public task: ‘the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law’. This includes processing in a similar fashion to our NHS services.
- Article 9 Special category data: Article 9(2)(a) Sensitive data explicit consent ‘….the data subject has given explicit consent to the processing of those personal data for one or more specified purposes’.
- Article 9 condition for direct care or administrative purposes: 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
This also includes local administrative purposes such as:
- Activity monitoring
- Local clinical audit
We will not share information that identifies you for any reason, unless:
- You ask us to do so
- We ask and you give us specific permission
- We have to do this by law
- We have special permission because we believe that the reasons for sharing are so important that they override our obligation of confidentiality, for example, to prevent someone from being seriously harmed.
Categories of personal data we process
We process personal information relating to identified natural persons so we may deliver a thorough and efficient service for our patients.
Healthcare records may be electronic, physical (paper) or a mixture of both. We use a combination of working practices and technology to guarantee that your information is kept confidential and secure. Records held by Practice Plus Group may include the following information about you:
- Details such as your address, carer, legal representative, emergency contact details
- Any contact the Practice Plus Group operational units have had with you, such as appointments, clinic visits, emergency appointments, telephone calls etc.
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations such as laboratory tests, X-rays etc.
- Relevant information from other health professionals, relatives or those who care for you.
- Video images if you use our video consultation service
- Bank information for payment (this is retained by our third party payment service - Stripe)
- Your employers details (if we are providing occupational health services or providing them with a medical report)
- Information from compliments, complaints and incidents
- Your feedback and contribution to our client questionnaires and surveys
To make sure that we provide you with an efficient and effective service, we will sometimes need to share your information:
- Between teams within our organisation
- With partner organisations including within the NHS that support the delivery of the service you may receive
- With organisations we have contracted to provide a direct care service to you.
Who are our partner organisations?
We may have to share your personal information, subject to strict agreements on how it will be used, with the following organisations:
- NHS trusts / Foundation trusts
- NHS Commissioning support units
- Independent contractors such as dentists, opticians, pharmacists
- Private sector providers
- Voluntary sector providers
- Ambulance trusts
- Clinical Commissioning Groups
- Social care services
- NHS Digital
- Local authorities
- Education services
- Fire and Rescue services
- Police and Judicial services
- Voluntary sector providers
- Financial services providers (if applicable)
- NHS approved private sector providers i.e. independent hospitals
- Heydoc Limited (patient management system)
- The Doctor’s Laboratory (pathology services)
- Stripe (payment services)
- Other ‘data processors’ which you will be informed of at the point of direct care.
We will only ever share your information for your direct care, and only when we are satisfied that our partners or suppliers have sufficient measures in place to protect your information in the same way that we do.
Before sharing information we confirm that:
- Privacy Notices are completed with our partners, if appropriate.
- Technical security such as encryption and access controls are in place to keep information secure.
- Information Sharing Agreements are completed showing the rules to be adopted by the various organisations involved in the sharing exercise.
- Data Protection Impact Assessments are completed to assess any risks or potential negative effects to you.
- Common retention periods and deletion arrangements are set for the information we process and share.
- Your access rights are catered for to support you in any request for your data.
Your information will only be shared within the legal basis we have stated and we will never share your information for any other purposes other than for your direct care and the administration of your contract with us.
We may share data with other organisations within the health economy in the event of a pandemic / preparedness plan, in line with national guidance from NHS England and any relevant legislation from HM Government.
Transfers and safeguards of your personal data to other countries
Stripe Inc. is our chosen payment partner for this service. As part of using this service your payment details may be processed outside the EEA. Stripe adheres to the EU Standard Contractual Clauses in respect of the GDPR and the UK’s Data Protection Act 2018 with regard to the overseas transfer of data.
All of our other partners for the provision of this service are based within the UK and no other data ever leaves the EEA.
We will only keep your information for as long as it is required to be retained under the statutory limits. The retention period is either dictated by law or by our discretion. Once your information is no longer needed as set out in this Privacy notice it will be securely and confidentially destroyed.
You have guaranteed rights under the GDPR which we will uphold at all times. Your rights are:
- The right to be informed via Privacy notices such as this one.
- The right to free access to any personal information Practice Plus Group holds about you. You are entitled to receive a copy of your personal data – free of charge – and within 30 calendar days of our receipt of your subject access request, provided you have submitted the correct proof of identity details.
- The right of rectification. If you believe your details are incorrect, we are required to correct inaccurate or incomplete data within one month.
- The right to erasure. Ordinarily under GDPR you have the right to have your personal data erased and to prevent processing, however, this right does not apply to GDPR Art 9 – special category data. The processing we conduct is necessary for the purposes of preventative or occupational medicine for medical diagnosis; and for the provision of health and social care systems. Your data is processed by and under the responsibility of healthcare professionals who are subject to a legal obligation of professional confidentiality.
- The right to restrict processing. You have the right to suppress processing. We can retain just enough information about you to ensure that the restriction is respected in future.
- The right to data portability. We can provide you with your personal data in a structured, commonly used, machine readable format when you request your data.
- The right to object. You can object to your personal data being used for profiling, direct marketing or research purposes.
- You have rights in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.
To request a copy of the personal information we hold about you, please complete a Data Request
Alternatively please send an email with the Subject Header: DATA ACCESS REQUEST, for the attention of (FAO) The Service Manager to: email@example.com
To help us deal with your request as efficiently as possible, you will need to include:
- Your current name and address
- Proof of identity (a copy of your driving licence, passport or two different utility bills that display your name and address)
- As much detail as possible regarding your request so that we can identify any information we may hold about you, this may need to include your previous name and address, date of birth and what Practice Plus Group services you received.
The right to lodge a complaint
Should you have any concerns about how your information is managed by Practice Plus Group, please contact the Practice Plus Group Caldicott Guardian.
Practice Plus Group Caldicott Guardian, Hawker House, 5-6 Napier Court, Napier Road. Reading,
Berkshire, RG1 8BW.
If you are still unhappy following a review by our Caldicott Guardian, you can then complain to the Information Commissioners Office (ICO) via their website (www.ico.gov.uk).
Where personal data comes from
The healthcare professionals who provide you with care maintain records about your health and any treatment or care you have received previously with us. These records help us to provide you with the best possible healthcare.
We will not use any information about you that is available in publicly accessible sources.
Any additional details we will require about you in order to carry out our duty of care, we will request directly from you.
Failure to provide personal data to Practice Plus Group
The provision of your personal data about your health and any treatment or care you have received previously is part of the UK statutory instrument:
- Health and Social Care Act 2012
- GDPR Art 9.2(h)
Failure to provide personal information and data about yourself as mandated by NHS England may result in us not being able to provide you the necessary healthcare services.
If you do not wish personal data that we hold about you to be used or shared in the way that is described in this notice, please discuss the matter with us. You have the right to object, but this may affect our ability to provide you with care or advice.
How to contact us
Practice Plus Group Limited is registered as a data controller with the Information Commissioner’s Office registration number: A8260356
If you have any questions, comments or concerns about how we handle your personal data, then you may contact our Quality and Governance team by email to DPO@practiceplusgroup.com or write to us at:
Quality and Governance team
Practice Plus Group
5-6 Napier Court