Privacy Policy – updated 20.05.24
Keeping your information safe
In order to support your care, healthcare staff maintain records about you. In our Privacy Policy we take great care to ensure your information is kept securely and used appropriately. Our staff are fully trained to understand their legal and professional obligations to protect your information. X-PERT Health are registered with the Information Commissioner's Office, number Z3004299. Any communication we have with you whilst you are participating in any of our programmes, including online video consultations, is delivered using secure, encrypted methods.
If you are accessing our digital programme you will be requested to set your own password. Please ensure that this is kept securely and not shared, to avoid any unauthorised access. If you believe that access has been gained without your consent then please report to our Data Protection Officer (DPO) using the contact details provided below. If you have any queries about your data or this policy you can contact our Data Protection Officer about this too.
Data Protection Officer: Helen Knight. Address: X-PERT Health, Linden Mill, Linden Road, Hebden Bridge, West Yorkshire, HX7 7DP; phone number: 01422 847871; email: mail@xperthealth.org.uk.
Information we hold about you
- Your name, NHS number, contact details, date of birth. Gender and ethnicity are also recorded where this data is provided
- Records about your health, treatment and care
No personal data is collected beyond the minimum necessary for the specific purpose, and your data will be securely destroyed once there is no longer any need to keep it.
Why do we need to collect your data?
We collect and process information about you only where we have the legal basis for doing so under applicable UK laws. We collect and share information for the following purposes:
- To provide our services and to protect the safety and security of the services, for example, we may collect your NHS number and date of birth to verify and ensure that we have the correct information about you
- In order to evaluate and audit our programmes, to ensure they continue to be effective and meet National Institute of Health and Care Excellence (NICE) key criteria for structured education
- To protect your vital interests or to protect a public interest, for example, we share your data with healthcare professionals and feedback into your local healthcare teams to improve structured education. Anonymised data is always used for regional and national quality reporting
- Our services do not involve any automated decision making, for instance “profiling”
How is your data stored?
Your data is transferred and stored in encrypted format in either secure UK based data centres (UKFast) or held on Cloud platforms run by AWS (Amazon EC2) or Google Cloud Platform. All have extensive data security measures in place.
Consent to sharing your information
The first time you attend our group programmes or access our digital programme we will ask for your consent to hold your data and to be able to share it with other organisations, in line with procedures outlined in the subsequent sections. However, if you decide that you do not want us to have access to your information or to share it with other organisations then please do not fill in the consent form or mark this as a preference in the settings page of the digital programme.
Sharing information with other organisations
When information is shared, it is passed securely and kept confidentially by the people who receive it. It will only be used for the purpose it has been shared for. This includes providing:
- GPs with updates on your treatment plans
- Other NHS organisations where you have treatment with relevant information
We may also share anonymised information with organisations that help plan local health and care. Identifiable information personal to you is removed before sharing. Organisations that this statement is relevant to include:
- Primary Care Networks (PCNs)
We facilitate regular testing of our security measures and in the event of a data breach incident we will notify the data protection authority within 72 hours.
Sharing your information without consent
We will usually tell you before we share your information. However, there are times when we may need to share your information without your consent, for example:
- Where there is a risk of harm to you or other people
- Where a serious crime, such as assault, is being investigated or where it could be prevented
- When there is a legal requirement to do so
You may request details of personal information we hold about you under the Data Protection Act 2018, or you can make a complaint. To do this, please write to the address below.
Your data rights
All our data collection fully complies with UK GDPR and the wider Data Protection Act 2018 (DPA 2018). You are entitled to the following rights: the right to access; rectification; erasure; restrict processing; object to processing; data portability; the right to withdraw consent; and the right to request that you are not subject to a decision based solely on automated processing, including profiling. If you wish to exercise any of these rights please contact the Information Governance Lead listed below, who will respond in accordance with the above Act. If the purpose of our data collection changes you will be informed and consent reobtained.
Unsubscribing or requesting your data be deleted
If you would like to unsubscribe or have your data deleted from any of our records at any time please contact our Information Governance Lead at the address below. If using our digital programme and you would like to stop your data from automatically uploading to the audit database, or you would like to permanently delete your data, then please visit the settings section of the digital programme.
Information Governance Lead: Helen Knight. Address: X-PERT Health, Linden Mill, Linden Road, Hebden Bridge, West Yorkshire, HX7 7DP; phone number: 01422 847871; email: mail@xperthealth.org.uk.
Transparency Statement – National Data Opt-out
How the NHS and care services use your information – X-PERT Health is one of many organisations working in the health and care system to improve care for patients and the public. Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment. The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law. Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care. To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will be able to:
- see what is meant by confidential patient information
- find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- find out more about the benefits of sharing data
- understand more about who uses the data
- find out how your data is protected
- be able to access the system to view, set or change your opt-out setting
- find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- see the situations where the opt-out will not apply
You can also find out more about how patient information is used at: https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); or https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes. X-PERT Health would never use, or ask for permission to use, your data in this way.
X-PERT Health is compliant with the national data opt-out policy.