This policy applies to patients, carers, visitors, staff members, students, recruitment candidates, clinicians/consultants, contractors/agency staff, suppliers and visitors to Medical Imaging Partnership website and sets out your rights under the General Data Protection Regulations (also known as GDPR) which came into effect on 25th May 2018. We will only process your personal data under Article 6 (1) and Article 9 (2) of the GDPR.
Who we are
Medical Imaging Partnership (also referred to as “we”, “us”, “our” in this policy) is an independent healthcare provider offering high quality radiology services to both private and NHS patients. Our goal is to give both patients and referrers fast access to expert led services.
To ensure that we process your personal information fairly and lawfully we are required to inform you about:
- Why we need your data
- How it will be used
- Who it will be shared with
- What rights you have in relation to the personal data we collect from you.
Within this policy we describe instances where Medical Imaging Partnership is the “Data Controller” (the organisation which decides what information we collect and how it is used), and where we direct or commission the processing of data to help deliver better healthcare, or to assist the management of healthcare services.
There may be situations where Medical Imaging Partnership processes personal data on the instructions of another organisation (i.e. when Medical Imaging Partnership is acting as a “data processor”), but in those circumstances our use of data would be governed by that organisation.
At Medical Imaging Partnership we recognise the importance of protecting personal and confidential information in all that we do, all we direct or commission, and ensure that we meet our legal duties.
What information do we collect about you?
We only collect and use your personal information according to the legal bases defined in the GDPR and for the lawful purposes of administering the business of Medical Imaging Partnership. The legal bases are as follows:
- Consent: where you have given your specific consent to the processing of your personal data. You may at any time change your mind and withdraw consent, but this may mean we can no longer continue to provide services to you.
- Performance of a contract: where the processing of your data is necessary for the fulfilment of a contract, for example, e-referrals for NHS patients are subject to a contract.
- Compliance with a legal obligation: processing of your data is necessary by law and Medical Imaging Partnership is required to comply.
- In the vital interest: we may process your personal data in order to protect your vital interests, for example in providing emergency treatment or care should it be required.
- Public interest: we may process personal data in order to complete a task carried out in the public interest.
- Legitimate interest: we may process your personal data where we have a legitimate “business” interest in processing that information.
The table below shows the purposes and the associated legal basis under which we process your personal data:
|Reason for processing||Legal basis for processing|
|Accounting and auditing||· Compliance with legal regulations that apply to us · Legitimate interest: improving services; preventing fraud|
|Advertising and public relations||· Consent · Legitimate interest: keeping our records up to date; working out which of our products and services may interest you and telling you about them|
|Conducting analysis and research activities||· Consent · Legitimate interest: to improve and develop our services and care|
|Consultancy and advisory services||· Performance of a contract|
|Directing Medical Imaging Partnership activities||· Legitimate interest: for Board members and members to effectively discharge their duties|
|Education and training for staff members||· Legitimate interest: to ensure that staff have the correct competency to fulfil their role|
|Employment and staff administration||· Performance of a contract|
|Healthcare administration and services||· Performance of a contract|
|Invitation to meetings and other events||· Consent|
|Medical records management||· Compliance with legal regulations that apply to us and our contractual duties|
|Management of donations and fundraising activities||· Consent|
|Third party delivery of services||· Performance of a contract|
Should your relationship with Medical Imaging Partnership change then the legal basis under which we hold your data may also change.
What types of personal data do we handle?
We process personal information to enable us to support the provision of healthcare services to patients, maintain our own accounts, promote our services and to support and manage our employees. We also process personal information about healthcare professionals that deliver services within Medical Imaging Partnership.
The types of personal information we use:
|Type of personal information||Individual group some or all the information may apply to|
|Personal identity – title, name, marital status, date of birth, National Insurance number, NHS number||· Patients, carers, visitors, employees, non-executive directors, students, recruitment candidates, clinicians/consultants, suppliers, agency staff/contractors and visitors to the Medical Imaging Partnership website|
|Contact details – addresses, landline telephone & mobile numbers, email address||· Patients, carers, visitors, employees, non-executive directors, students, recruitment candidates, clinicians/consultants, suppliers, agency staff/contractors and visitors to Medical Imaging Partnership website|
|Family details – next of kin names, addresses and telephone numbers, relationships to next of kin||· Patients, employees, non-executive directors, students, clinician/consultants, agency staff/contractors.|
|Financial details – such as bank sort code/account number, payment card number||· Employees, non-executive directors, suppliers, clinicians/consultants, agency staff/contractors|
|Employment details – such as salary, annual leave, pension, benefits, discipline and grievance, payroll, tax information, performance data, occupational health data and security clearance data||· Employees, clinicians/consultants, agency staff/contractors, students|
|Education and training such as training records, qualification verification, employment history and CVs||· Employees, non-executive directors, clinicians/consultants, students, recruitment candidates|
|Details held in the patient’s record, where we hold or manage the patient’s record, such as NHS number, GP details||· Patients|
|Lifestyle and social circumstances such as questions about smoking, drinking and general lifestyle||· Patients|
|Responses to surveys where individuals have responded to surveys||· Patients, employees, clinicians/consultants, students, agency staff/contractors|
|Directorship/membership of other organisations or similar information in order to determine any conflicts of interest||· Employees (Executive Directors) · Non-executive Directors|
|Fit and proper persons declarations||· Employees (Executive Directors) · Non-executive Directors|
|Special categories of information which may include: · Racial and ethnic origin · Religious or philosophical beliefs · Trade union membership · Data concerning health · Genetic data · Biometric data · Data concerning a person’s sexual orientation · Offences (including alleged offences), criminal proceedings, outcomes and sentences · Employment tribunal applications · Complaints, accidents, and incident details · Health data (including morbidity and disability)||· Patients, employees, non-executive directors, clinicians/consultants, students, agency staff/contractors|
How will we use information about you?
Your information is used to ensure the delivery and improvement of our services.
Medical Imaging Partnership is the data controller for our electronic information systems. These systems hold personal details of all patients that have been referred via:
- The NHS e-Referral system (for NHS patients)
- Secure email (such as NHS.net account used by General Practitioners or encrypted email if the patient was referred privately)
- By secure fax (Safe haven)
- MIP referral (Medical Imaging Partnership’s own referral portal)
The information held on these systems is used primarily for the purpose of administering healthcare services; it may however be used for other non-health related purposes and shared with statutory bodies/organisations to enable them to fulfil their statutory obligations. We may also use the information within our systems for statistical analysis to see how the organisation is performing with respect to business targets and objectives and quality of care.
The information will only be shared with other organisations where there is a statutory or contractual obligation to do so, or with the agreement of the Medical Imaging Partnership Caldicott Guardian and Data Protection Officer. A Caldicott Guardian and Data Protection Officer are responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing.
We may keep your information in a written form or on a computer. Whenever possible all information that identifies you will be removed.
5.1. For our patients, your data may be used to:
- Manage our relationship with you
- Register all patients onto our information systems
- Register new referrals for existing patients on our systems, update demographic details and health records with new referral details
- Record telephone calls made to the appointments department in relation to appointment enquiries
- Allow the preparation of health records
- Investigate complaints, legal claims or incidents
- Make sure services are planned to meet patients’ needs in the future
- Check and report on how effective Medical Imaging Partnership and the services it provides have been
- Process anonymised statistical information on organisation performance
- Address customer service enquiries made via the website
5.2. For our staff, students, recruitment candidates, contractors/agency staff, clinicians/consultants and suppliers, your personal data may be used to:
- Manage our relationship with you
- Fulfil our duty of care towards staff and communicate with you in the event of a major incident (e.g. in the event of a fire)
- Verify employment history, qualifications and experience
- Validate ‘right to work’
- Assess suitability for employment during selection process
- Undertake personal development of employees
- Deliver payroll for employees
- Fulfil our duties in respect of national insurance and tax accounting
- Manage disciplinary and grievances
- Undertake due diligence and risk assessment of supply chain
Sharing Your Information
We may disclose your personal information for a number of reasons (to the extent necessary). This can be due to:
- Our obligation to comply with current UK legislation
- Our duty to comply with a court order
- A contractual commitment to report statutory information
- Your consent to the disclosure of your data having been provided
- Where we are required to do so by law
- The sharing of your data will ultimately benefit you as the data subject
- Our obligation to comply with our regulators
In fulfilling our obligation to provide services (healthcare and other services) we may share your data with the following:
- National Health Service (NHS) organisations
- Referral Services
- General Practitioners (your Doctor)
- Imaging Exchange Portal (a web-based portal used to allow sharing of scan images between healthcare trusts/organisations)
- Specialist consultants (medical and non-medical)
- Public Health England (PHE)
- Contracted third parties providing services or devices, medical and non-medical
- Healthcare insurance providers
- Occupational Health services (staff)
- Companies House
- Health & Safety Executive (HSE)
- Communication Service (Text alert)
- Payroll Service
Sharing your Information outside of the European Economic Area (EEA)
We may from time to time be required to share your information with other service providers who are outside the UK and the EU. The sharing of your information with these providers is necessary in order to provide the necessary medical device or service. The transfer of personal data internationally will be conducted with the appropriate legal mechanisms in place.
How long will we keep your data for?
We will keep your personal information in accordance with NHS Digital guidance ‘Records Management Code of Practice for Health and Social Care 2016’ and for only as long as is lawfully necessary to conduct our business with you, and/or in accordance with our legal obligations for data retention.
GDPR gives a number of rights over your data, subject to certain criteria being met. These are:
- Right of access to your personal information and supplementary information (for example your medical record). Once we have received your request, we will respond within 30 days. This information will be sent to you free of charge.
- Right to rectify/amend your personal information if it is incorrectly recorded. You have the right to question any information we hold about you that you think is wrong, out of date or incomplete. If you do, we will take reasonable steps to check its accuracy and correct it.
- Right to object and Right to be forgotten
You have the right to object to our use of your personal information, or to ask us to delete, remove or stop using your personal information if it is no longer needed for the purpose it was collected or otherwise processed. This is known as the ‘right to erasure’ or ‘right to be forgotten’.
- Right to restrict the use of your personal information if:
  - It is not accurate;
  - It has been used unlawfully but you do not want us to delete it;
  - It is not relevant anymore, but you want us to keep it for use in legal claims; or
  - You have already asked us to stop using your personal information, but you are waiting for us to assess your request and confirm whether we are permitted to continue using the personal information under data protection law.
- Right to obtain your personal information in a portable format
You have the right to get copies of your personal information from us in a format that can be easily re-used. You can also ask us to pass on your personal information to other organisations.
You have the right to complain to the Information Commissioner’s Office (ICO) which can be found at https://ico.org.uk/. It has enforcement powers and can investigate compliance with data protection law.
Freedom of information
Medical Imaging Partnership is not a public authority and is not governed by the Freedom of Information Act.
Changes to this policy