Data Privacy Notice and Consent Form for Patients

 

 

The Gastro Clinic  (“We”, “Us”, “Our”) is committed to protecting information through appropriate controls, being transparent about what data we hold and how we use it, and about respecting Your privacy.  “You” (“Your”) are Our patient to whom We provide services, or are considering entering into an agreement with us for the provision of Our services.

 

The rules on processing of personal data are set out in the General Data Protection Regulation (“GDPR”). The terms “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Processing” and “Appropriate Technical and Organisational Measures” used below shall be interpreted in accordance with the GDPR.

 

This policy sets out the basis on which any Personal Data we collect from You, or that You provide to Us, will be processed by Us.

 

The Personal Data we collect from you includes but is not limited to the following:

 

When you enquire about our services, We will request Personal Data such as your name, date of birth, email address and telephone numbers, and information about you to help Us register you to see a doctor and to contact You with further information such as results of tests and investigations. When you register with the Practice we will request detailed medical information relevant to you. This information is stored with Heydoc, which provides secure and GDPR compliant storage of your medical records. The safeguards applied to this information include:

 

  • Encrypted emails – Encrypt emails and attachments in transit and at rest, and add multi-factor authentication and policy controls for additional security.

  • Data subject access requests – Investigate and manage all data access requests and export patient notes to ensure that any data subject access requests can easily be completed within the 1-month mandatory timeline.

  • Data auditing – Reporting functionality to assess, monitor and report on how, when and where your data is accessed.

  • Digital consent capturing – Capture and record patient consent for the collection, use and sharing of their personal data within DGL Practice Manager.

Any medically sensitive, patient identifiable information, such as letters of correspondence, test results or any direct email communication with you, will be sent using a secure encrypted service.

If you visit our website and make enquiries through this portal, Your usage may be tracked by using “cookies” and other similar technologies to help us make improvements to the websites and to the  services we make available.

 Where we receive or make phone calls on your behalf, We will collect call data records including the calling line Identity passed, the call date and time, the number dialled and the duration of the call, the names of the parties to the call, and any message or other information given during the call. 

 Where we receive or send emails on your behalf, we may collect the names and email addresses of the third parties and any information contained therein. 

If We receive or send paper documents or other forms of communication on Your behalf, We may collect the names and addresses of the third parties and any information contained therein. When you access our web portal, We will collect information you enter into the portal and the IP addresses from which you access the portal. When you correspond with us by phone, email or otherwise, We will collect all information provided by you and

 Where we provide relevant services to you, such as referral to specialists or referral to allied health practitioners, we will provide you with these in encrypted format.

 We will NOT at any time share any of your information with any third party for the purposes of marketing, advertising, or website testimonials without specific consent.

In compliance with GDPR Article 6 (“processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract”), We will use the Personal Data for purposes that include but are not limited to:

  • processing any enquiries you have about Our services;

  • verifying your identity when you use Our services or contact Us;

  • understanding, processing and executing instructions You give Us in relation to the delivery of our services;

  • delivering our services to you;

  • notifying you about changes to our websites, services or terms and conditions, or anything else We may be required or reasonably expected to notify you of;

  • providing You with accurate and detailed billing for using Our services; and

  • collecting payment, and recovering any monies you may owe to Us for use of Our services.

 

In compliance with GDPR Article 6 (“processing is necessary for compliance with a legal obligation to which the controller is subject”), We will use the Personal Data for purposes that include but are not limited to:

  • maintaining our business records and accounts;

  • meeting our obligations to HMRC;

  • preventing or detecting a crime, fraud or misuse of our services, and investigating where we believe any of these have or may have occurred;

  • meeting our obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and the London Local Authorities Act 2007;

  • meeting Our obligations under the Data Retention (EC Directive) Regulations 2009; and

  • providing phone number portability under Ofcom’s General Conditions.

 

In compliance with GDPR Article 6 (“the Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes”), if You have given and not withdrawn consent We may use the Personal Data for these purposes:

  • to provide you with information about our other services, offers or products that you may be interested in; and

  • to provide you with information about third party services, offers or products that you may be interested in.

 

 

Whilst storing your data we will use Appropriate Technical and Organisational Measures to keep Personal Data secure and to prevent it being accidentally lost, accessed or used in an unauthorised way, altered or disclosed. We will make reasonable efforts to ensure the data is accurate and up-to-date and will undertake to rectify any inaccuracies of which We become aware without delay. All Personal Data we store is stored in the European Economic Area.

 

We may monitor and record Your phone conversations with Us and use this information for training and quality purposes, to ensure any verbal instructions You give Us are properly understood, to enable Us to investigate complaints, and to meet Our legal and regulatory obligations.  All recordings are encrypted and securely stored shortly after completion of the phone call and access to recordings is controlled and monitored.

 

We may share information with third parties:

  • in response to properly made requests from law enforcement agencies for the prevention and/or detection of a crime, for the purpose of safeguarding national security or when the law requires us to, such as in response to a court order or other lawful demand or powers contained in legislation;

  • in response to properly made requests from regulatory bodies such as the Information Commissioner’s Office and Ofcom;

  • as part of the process of selling our business;

  • as part of current or future legal proceedings; and

  • with a company who is assisting Us in providing services to You or who provides services to Us which enable Us to provide our services to you, examples of such services being billing and financial systems, telecommunications services and customer management systems. Where we share information with such organisations, We will have contracts in place with them to ensure that they must comply with the requirements of the GDPR and any other relevant legislation to protect your information and keep it secure.

 

Some of the organisations with whom we may share information may be outside the European Economic Area in countries that do not always have the same data protection laws as the UK.  However, we will have contracts in  place with them to ensure that your information is adequately protected and we will remain bound by our obligations even when your personal information is processed outside the European Economic Area.

 

Where any data breach is identified that affects the information that We hold about or have processed from you, We will take urgent action in accordance with the GDPR and guidance issued by the Information Commissioner’s Office. If you identify any data breach that affects data we have passed to you, You must notify us in writing immediately and provide full information about the data affected by this breach.

 

The time period that we will keep information for will vary depending on what the information is used for.  Unless there is a specific legal requirement to the contrary, We will keep information in a form which permits identification of Data Subjects only for as long as it is necessary for the purposes for which we process it.  Once the requirement to hold the data is complete, appropriate measures will be taken to delete the data in line with  the terms of the GDPR.  Any physical paper documents which enter Our possession and are no longer required will be destroyed by an ISO 27001 and NAID accredited data destruction organisation.

 

Automated decision making based on Personal Data is not used in Our business.

 

Cookies are tiny files of letters and numbers that are stored by your web browser, either temporarily within your device’s memory or more permanently on Your device’s storage. We use analytical and tracking cookies on Our main website as a result of using services supplied by Google. These cookies contain data including but not limited to: details of the operating system, browser and IP address of the device used to visit the website, the time and duration of the visit and which parts of Our website were visited. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. These cookies are stored on Your device’s storage for varying durations, typically around a month. When visiting Our main website You can choose to decline Our use of cookies by clicking on the “Decline” button which appears at the top of Your browser window. We use a security cookie on Our web portal. This cookie is required for the operation of our web portal, and contains only a session security token without any Personal Data. This cookie only exists for the duration of Your web browser session in Your device’s memory. Use of this cookie is a requirement of using Our web portal. We will not attempt to personally identify visitors from their IP addresses unless required to as a matter of law or regulation or in order to protect Our or Our other customers’ rights.

 

Data subject access request

 

Under the GDPR, a Data Subject has the right to request a record of the data held about him/her. To do this a request should be submitted in writing to the Practice Manager at ADDRESS HERE. We may ask the Data Subject to provide Us with proof of identity to make sure We are giving information to the right person.

 

Other rights of Data Subject

 

The GDPR gives Data Subjects a number of other rights, including the right to request the correction or erasure of Personal Data, the right to request the restriction of processing of Personal Data, the right to request the transfer of Personal Data (to the Data Subject or a third party), and the right to withdraw Your consent to the processing at any time where consent is the lawful basis for processing.

 

Changes

 

Please note that the ways in which we collect, use and protect Personal Data will be reviewed periodically and may change from time to time.  We will notify you by email should such changes occur.

 

Contact Us

 

If you have any questions about privacy issues, want Us to update Your marketing preferences, or amend information, please contact Us by email at support@thegastroclinic.co.uk.

 

 

Complaints

 

In the first instance, please contact Us using the details above. If this does not resolve your complaint to your satisfaction, you have the right to complain to the Information Commissioner about the way in which we collect and use Your Personal Data. You can do so online at https://www.ico.org.uk/concerns, by telephone on 0303 123 1113, or in writing to ICO, 100 College Road, Harrow, HA1 1BQ.

 

We are registered with the ICO, reference number ZB076610.




Through your ongoing use of the website, you are indicating your agreement to the collection and processing of your data in accordance with the terms and conditions detailed above.