The General Data Protection Regulation (GDPR) is a Europe-wide law that replaced the Data Protection Act 1998 in the UK. It was implemented from the 25th May 2018. Information about GDPR is available from the Information Commissioner’s Office.
To comply with GDPR, this privacy notice explains how I and any medical secretaries who assist me in an administrative capacity collect and use your personal data.
I, Dr Yuk-ki Wong, am a registered data controller with the ICO (Registration Reference Z8293217).
If you have any queries, comments or concerns about how I use your personal data, please contact myself or my secretary.
What is personal data?
With reference to GDPR, personal data means “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier”.
Special Category Data
With reference to GDPR, some data is classified as Special Category Data. This includes data relating to physical and mental health, ethnic origin, religion, genetics, biometric data, sex life and sexual orientation. This category of data is considered sensitive and needs more protection.
So long as there is lawful basis as described below, I am able to process special category data for the purposes of preventative or occupational medicine, for medical diagnosis and for the provision of health care.
The confidentiality of your personal information and special category data is very important to me and I make every effort to prevent unauthorised access to and use of this data. In doing so, I will comply with GDPR and all applicable medical confidentiality guidelines issued by professional bodies including the General Medical Council.
The type of personal information that I collect and its use
Broadly speaking, the information I collect from you is a comprehensive medical history. This is used to diagnose your symptoms and to make an appropriate investigation and treatment plan. If you require a medical report for occupational, regulatory, insurance or other reasons, additional specific information may be required.
As a matter of routine, your full name, date of birth and current address will be collected and you may wish to inform me of your phone number and email address. Sometimes, I ask for contact details of your next of kin.
I am required by the General Medical Council to take part in annual appraisal. This may involve processing your personal data in anonymised form.
I work at St. Richard’s Hospital, Chichester, West Sussex and if you have any queries or complaints about the service provided to you by myself or St. Richard’s Hospital, I will treat these seriously. For me to resolve such matters fully and properly, I will need to use your personal information.
As I provide medical services for which I charge a fee, I will also collect information for my business needs. For instance, billing and payment dates are documented as are the details of any private medical insurance policy that you use. Relevant information may be used to recover outstanding amounts via the small claims court.
I do not buy or sell personal data. I do not use personal data for direct marketing reasons.
The lawful basis on which I process your data
The legal justification to use your personal data will depend on what purpose the data is used for. Generally, I will use the following legal justifications.
- I will take steps at your request so that you can enter a contract to receive healthcare services from me.
- For the purposes of providing you with healthcare pursuant to a contract between myself and you.
- I may have a legal or a regulatory obligation to use your personal data.
- I have appropriate business needs to process your personal data where these do not override your privacy rights.
- I may need to use your personal data to exercise or defend my legal rights.
- You have provided your consent to my use of your personal data.
Where do I get your information from?
Most of my patients are referred to me by General Practioners, hospital doctors and other healthcare providers. Sometimes, I am asked to see patients by regulatory bodies such as the CAA. Some patients refer themselves.
Referrers usually send me a referral letter containing your name, address and contact telephone numbers. The letter will document the reason for referral and may also contain details of your past medical history and list of medications.
Further information is obtained from you during consultations. Where appropriate, information may be sought from other health care providers that you have seen in the past and I will ask your permission beforehand.
Who do I share your information with?
After each consultation with you, I will write a letter to the doctor or healthcare provider who referred you. The letter will inform them of the outcome of the consultation including diagnoses and proposed investigation and treatment plan.
I work at St. Richard’s Hospital, Chichester and they will also process your personal data. For example, at each visit, they may confirm that your contact details are up to date. If you have had any investigations done at St. Richard’s such as blood tests and Xrays, the results will be stored on their computer systems.
It may be necessary for me to refer you to other doctors and healthcare providers. For instance, you may need referral to a radiologist for X-rays. I will have discussed this with you beforehand and we would have agreed on the management plan. If I do refer you to another doctor, healthcare provider or hospital, it may be necessary for them to also process your personal data.
If you have used a medical insurance policy to see me, I will need to provide your insurance company with relevant information as described in the terms and conditions of your policy. Usually, I will need to provide them with appropriate information at the time of sending them an invoice for your care. This may include the medical diagnosis. I may also need to provide them with information to obtain authorisation for treatment. Sometimes, the insurance company may ask me for a medical report.
I may be asked to share information with a National Clinical Audit programme, hosted by NHS England. I may do so without your consent provided that the audit has received statutory approval or where the information will be provided in a purely anonymised form.
Your personal data may be used for local clinical audit for the purposes of identifying potential improvements in patient care. This is part of legitimate clinical activities with appropriate safeguards by the Clinical Audit Committee of St. Richard’s Hospital, Chichester.
Sometimes, it may be necessary to share your personal data to save your life and to protect your vital interests. This may not require your consent, for instance, if you are unconscious after a car accident. Apart from situations like this, I will seek your consent before sharing personal data.
As a healthcare provider, I am subject to a wide range of legal and regulatory responsibilities which is not possible to list fully here. I may be required by law or by regulators to provide personal data.
How will I communicate with you?
I will usually communicate with you by letter and telephone. Where you have given me your email address, I can also communicate by email to make clinic appointments and for other administrative purposes. I do not participate in direct marketing activities.
How long do I keep personal information?
I will only keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Notice and in order to comply with my legal and regulatory obligations.
GDPR and rights for individuals
GDPR provides certain rights for individuals and these are described below.
There will not usually be a charge for a request to exercise such rights and requests can be made verbally or in writing.
If I receive a request in relation to one of these rights, I will comply with requests within a month from the day after I receive your request. Some rights are not absolute and if there is a reason why I cannot comply with a request, I will explain the reason to you and you have the right to complain to the Information Commissioner’s Office.
I may refuse requests if they are manifestly unfounded or excessive. Alternatively, I may charge a reasonable fee to comply with the request.
Right to be informed
You have a right to be informed about the collection and use of your personal data.
I will provide you with this Privacy Notice at the time I collect your personal data or if I have received your personal data from a third party, I will provide it to you within a month.
The right to access your personal information (subject access request)
You have a right to know whether I hold personal information about you.
You have a right to have a copy of the personal information that I hold about you.
Sometimes, responding to a right to access request may involve providing information that relates both to the individual making the request and to another individual. I do not have to comply with such requests if it means disclosing information about another individual who can be identified from that information. However, I will comply with such requests if the other individual has consented to the disclosure or it is reasonable to comply without that individual’s consent.
The right to rectification
You have a right to have your personal data rectified if it is inaccurate or incomplete.
However, this right does not extend to medical opinions if the data recorded accurately represents the opinion at the time. An initial diagnosis may prove to be incorrect but it may reflect the opinion at the time.
Where data has been rectified, I will also notify other recipients of the personal data in question if I have shared it with them. Sometimes, it may not be possible to do this or the effort may be disproportionate. At your request, I will also inform you about these recipients.
The right to erasure (“the right to be forgotten”)
This is the right to have erasure of your personal data. This is not an absolute right. In particular, GDPR specifies two circumstances where this right will not apply to special category data. It will not apply if processing of personal information is necessary for public health purposes in the public interest. It will also not apply if processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the provision of health care and for medical diagnosis). I can decline the right to erasure under these circumstances because I a medical professional subject to a legal obligation of professional secrecy.
The right to restriction
This is your right to ask me to stop processing your personal data. For instance, you may believe that the information I hold is inaccurate or that I have processed it unlawfully. When I restrict your data, I do nothing with it apart from store it. I will let you know before I lift any restriction. There may be reasons why I cannot restrict your data. For instance, I may need to perform tasks for public health purposes in the public interest or I may need to defend a legal claim.
Where data has been restricted, I will also notify other recipients of the personal data in question if I have shared it with them. Sometimes, it may not be possible to do this or the effort may be disproportionate. At your request, I will also inform you about these recipients.
The right to data portability
This is a right to obtain and reuse your personal data. It includes your right to have your personal data transferred from one data controller to another if this is technically possible e.g. to transfer your records from myself to another health care provider. This right only applies to information that you have provided. I have to provide the data in a format that is structured, commonly used and machine readable.
The right to object
This is your right to object to the processing of your personal data. It only applies under certain circumstances and it depends on the purposes of processing and the lawful basis for processing.
You have an absolute right to object to the processing of your personal data for direct marketing purposes. I do not use personal data for direct marketing.
Where data processing is done for reasons of “public task” (“in the exercise of official authority”, “to perform a specific task in the public interest that is set out in law”) or legitimate interests, the right to object is not an absolute right.
Rights related to automated decision making including profiling
Autmomated decision making is where decisions are made solely by automated means without any human involvement.
Profiling is automated processing of personal data to evaluate certain things about an individual.
The GDPR restricts solely automated decisions, including those based on profiling, that have a legal or similarly significant effect on individuals. These types of effect are not defined in the GDPR, but the decision must have a serious negative impact on an individual to be caught by this provision. A legal effect is something that adversely affects someone’s legal rights. Similarly significant effects are more difficult to define but would include, for example, automatic refusal of an online credit application, and e-recruiting practices without human intervention.
I confirm that I do not carry out automated individual decision making or profiling.
Yuk-ki Wong. 23rd April 2020.