General Data Protection Regulation (GDPR) Policy
Grove Surgical Services Ltd
Information We Hold
We hold clinical information related to the care of patients undertaken by Grove Surgical Services Limited (GSS) employees, and employee information.
The patient data held by GSS consists of:
• Name
• Date of birth
• Address
• Telephone number
• Email
• GP name
• GP address
• GP telephone number
• Insurance company information
• Outpatient written notes
• Copies of Inpatient and operation notes
• Prescriptions
• Investigation reports
• Correspondence letters
• Invoicing information
Retaining Information
Written and electronic clinical records related to adults are kept for 8 years after the date of last treatment. Written and electronic clinical records for minors are kept until the individual is 25 years of age or eight years after death, if sooner. These are the same retention periods as set out by the NHS. After the storage period has expired, written records are shredded and appropriately disposed of. Electronic records are deleted.
Security of Information
There are three main groups of patients:
1. Surgical patients under the care of Professor Simon Lloyd
Patients under the care of Professor Lloyd are seen at The Alexandra Hospital, Cheadle or at Wilmslow Hospital, Wilmslow. Inpatient clinical records are kept by both hospitals on the respective sites and are subject to local data protection protocols. Copies of inpatient records and outpatient records are kept by Grove Surgical Services Limited.
These fall into two categories. Historical records, in written form, are kept in a locked filing cabinet in a locked room. They can be recalled to the main office as required and are returned to the filing cabinet once they are no longer required. Since April 2017, all new patient records have been kept in electronic format. No written records are kept. Any paper documents related to a patient are scanned and kept electronically. Any follow-up patients seen after April 2017 with historical records in written form have their written records scanned and transferred into electronic form. All paper copies of scanned records are securely shredded.
Electronic records are kept in a password-protected secure data cloud maintained by Dropbox; data is encrypted at rest and in transit. dropbox.com/terms2018
dropbox.com/terms
Our laptops and computers are password protected and encrypted, and we regularly back up data locally to encrypted hard drives.
The Dropbox account is accessed from:
• Professor Lloyd’s iPad
• Professor Lloyd’s iPhone
• Professor Lloyd’s
• Office desktop computer
• Mrs Lloyd’s laptop
Accounting data, including patient and insurance company invoicing, is recorded on Healthcode and is accessed using the devices listed above via a password-protected portal. Data held by Healthcode is subject to Healthcode's own data protection policies. Healthcode are expanding their secure messaging service so that healthcare professionals and insurers can share information in encrypted form without compromising patient privacy.
Healthcode data is stored within a private dedicated infrastructure which is physically located in a secure UK data centre. Healthcode’s information security systems comply with the latest international specification for information security management systems (ISO/IEC 27001:2013).
2. Clients Seeking Legal Noise Induced Hearing Loss Claims
Copies of inpatient records and outpatient records provided by solicitors are kept by Grove Surgical Services Limited.
These fall into two categories.
1. Historical records, in written form and on disc, are kept in a locked filing cabinet in a locked room. They can be recalled to the main office as required, are returned to the filing cabinet once they are no longer required, and are shredded when a case is complete.
2. Electronic records of the noise-induced hearing loss interview and report are kept in a password-protected secure data cloud maintained by Dropbox; data is encrypted at rest and in transit. dropbox.com/terms2018
dropbox.com/terms
Data sharing with solicitors and secretaries is by secure Dropbox link.
Our laptops and computers are password protected and encrypted, and we regularly back up data locally to encrypted hard drives.
The Dropbox account is accessed from:
• Professor Lloyd’s iPad
• Professor Lloyd’s iPhone
• Professor Lloyd’s
• Office desktop computer
• Mrs Lloyd’s laptop
Accounting data, including solicitor and insurance company invoicing, is recorded on Healthcode and is accessed using the devices listed above via a password-protected portal. Data held by Healthcode is subject to Healthcode's own data protection policies. Healthcode are expanding their secure messaging service so that healthcare professionals and insurers can share information in encrypted form without compromising patient privacy.
Healthcode data is stored within a private dedicated infrastructure which is physically located in a secure UK data centre. Healthcode’s information security systems comply with the latest international specification for information security management systems (ISO/IEC 27001:2013).
3. Patients under the care of Cheshire Foot Clinic
Patients under the care of Cheshire Foot Clinic are seen at Gaskell Avenue Dental Practice, Knutsford, WA16 0DA.
Records fall into two categories: historical records, in written form, which are kept in a locked filing cabinet in a locked room; and current patient records, which are stored electronically on Cliniko.
Since December 2017, all new patient records have been kept in electronic format. Any paper documents related to a patient are scanned and kept electronically. Any follow-up patients seen after December 2017 with historical records in written form have their written records scanned and transferred into electronic form. All paper copies of scanned records are securely shredded.
Grove Surgical Services Limited and Cheshire Foot Clinic have a data protection agreement in place with Cliniko which meets GDPR requirements.
Patients consent at their initial appointment to their data being stored electronically on Cliniko, and can revoke that consent at any point, at which time all information can be deleted. Patients can request to see the information held at any point; this can easily be exported and downloaded in an easy-to-read format.
The Cliniko team has the minimal required level of access to customer information in order to maintain their systems and assist clients appropriately. Cliniko data is backed up daily. Redundant backups and records are deleted.
Cheshire Foot Clinic obtains patient consent at the initial appointment to use Cliniko to contact patients to remind them of upcoming appointments or to send information about their treatment. Patients choose to be contacted by SMS and/or email and can opt out of this form of communication at any point.
Cheshire Foot Clinic signs patients up to receive marketing information, with their consent, at appointment. Patients can request to be removed from the marketing list at any point.
Credit card payments:
In addition to providing patient care, Grove Surgical Services Ltd processes credit card payments. A PCI DSS compliance assessment has been completed and certificated. Patient information and card numbers are not written down, recorded or communicated. See the Company Information Security Policy dated 26012018 for further information.
How do staff members communicate about patients?
GSS employees generally communicate about patients and company issues via email. GSS uses Proton business mail, which allows encrypted transfer of personal information.
Communication with Outside Organisations
Currently, communications are via email or letter. Patient data is only shared if required as part of the ongoing care of the patient. This is usually to other clinical organisations. Organisations with whom GSS regularly communicate include:
• The Alexandra Hospital, Cheadle
• The Wilmslow Hospital, Wilmslow
• Patients' general practitioners
• Salford Royal NHS Foundation Trust, Manchester
• Manchester University NHS Foundation Trust, Manchester
• Solicitors handling Noise Induced Hearing Loss or Medical Negligence Claims
If other third parties request information related to the care of a specific patient then permission is sought from the patient before this data is shared. GSS does not share any patient related information with any other third party organisations unless requested by the patient.
If information passed on to other organisations by GSS is inaccurate then GSS will inform the other organisation and the patient as soon as the error is identified.
Keeping Our Patients Informed
This data protection policy outlines what data we store, how it is stored, how long it is stored for and how to complain if an individual feels that their data has been managed incorrectly. We have copies of our data protection policy and procedures available online and on request.
Whenever written correspondence is produced related to the clinical care of a patient, the patient is copied into the communication. For children (under 18 years of age), all correspondence will be sent to their parents. If the child wishes to have a copy of the correspondence themselves, then this will be forwarded to them separately.
Patients are also entitled to access their records at any time. If there is an error in their records, or they object to the content of their records, they are entitled to request that the records are modified or corrected. They are also entitled to ask that their records are erased. They may also limit the way that communications are made, for example if the patient does not wish a letter to be sent to their GP. All such requests will be respected without charge to the patient. Requests will be dealt with promptly and within a maximum of 1 month.
We keep patient data for the purposes of informing their treatment. We share their medical information with other health care professionals. Only key information for contacting and identifying patients is shared with the hospital and clinic sites we use.
Data Breach Procedure
If there is a data breach, the affected patients will be informed. The breach will be investigated and discussed with the data storage or email server provider, and the breach will be rectified as soon as possible. The ICO will be informed of any data breach if it results in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
Responsibility for Data Protection
According to the ICO, due to the size and function of our organisation it is not necessary for Grove Surgical Services Limited to have a nominated data protection officer. However, each member of our team is fully briefed on our data protection policy and procedures and takes responsibility for protecting the data they handle.
If you have any queries about our data protection policy please contact us via email:
simonlloyd@earandhearing.co.uk
or by mail:
Grove Surgical Services Limited
PO Box 411
Wilmslow
SK9 0EJ
We will endeavour to respond to your request promptly.