Policy & Procedure
Latest review date:
This version approved:
Next review due:
Original publication date
All Staff & Public
- the https://www.shpca.net/ website (“Site”) or;
- services offered by SHPCA or;
- employment matters (employees) by SHPCA or;
- in relation to duties SHPCA holds under the Companies Act (2006).
SHPCA is registered with the Information Commissioner’s Office: ZA292145.
- 1.Using Our Website
Personal identification information
We may collect personal identification information from Users in a variety of ways. This is including, but not limited to, when Users visit or register on the site, subscribe, fill out a form. As well as in connection with other activities, services, features or resources available on our Site. Users may be asked for their, name, email address, mailing address, phone number. Users may visit our Site anonymously. We will collect personal identification information from Users only if they voluntarily submit such information to us. Users can refuse to supply personal identification information, except that it may prevent them from engaging in certain Site related activities.
Non-personal identification information
We may collect non-personal identification information about Users whenever they interact with our Site. Non-personal identification information may include the browser name, type of computer and technical information about Users means of connection to our Site, such as the operating system, Internet Service Provider(s) used and other non-personal information.
Web browser cookies
What are Cookies?
Cookies are small text files that are placed on your computer or other devices by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.
We plan to use Google Analytics software on this site to collect information about how visitors use our website and how we can improve it. The information collected is anonymous and includes pages visited on our website; how much time is spent on each page and where visitors have come to the website from.
How do I change my Cookie settings?
Most web browsers allow some control of cookies through the browser settings. To find out more about cookies, including how to change your settings or how to delete cookies that are already on your computer, visit the websites below. Please note that by deleting our cookies or disabling future cookies you may not be able to access certain areas or features of our site.
How we use collected information
SHPCA may collect and use Users personal information for the following purposes:
To improve customer service, personalise user experience, improve our Site, run a promotion, contest, survey or other Site feature i.e. to send Users information they agreed to receive about topics we think will be of interest to them.
How we protect your information
We adopt appropriate data collection, storage and processing practices and security measures. This is to protect against unauthorised access, alteration, disclosure or destruction of your personal information, username, password, transaction information and data stored on our Site.
Sharing your personal information
We do not sell, trade, or rent Users personal identification information to others. SHPCA may share generic aggregated demographic information not linked to any personal identification information regarding visitors and users with our business partners, trusted affiliates and advertisers for the purposes outlined above. We may use third-party service providers to help us operate our business and the Site or administer activities on our behalf, such as sending out newsletters or surveys. SHPCA may share your information with these third parties for those limited purposes, provided that you have given us your permission.
Users may find advertising or other content on our Site that link to the sites and services of our partners, suppliers, advertisers, sponsors, licensors and other third parties. We do not control the content or links that appear on these sites and are not responsible for the practices employed by websites linked to or from our Site. In addition, these sites or services, including their content and links, may be constantly changing. These sites and services may have their own privacy policies and customer service policies. Browsing and interaction on any other website, including websites which have a link to our Site, is subject to that website’s own terms and policies.
Your acceptance of these terms
By using this Site, you signify your acceptance of this policy. If you do not agree to this policy, please do not use our Site. Your continued use of the Site following the posting of changes to this policy will be deemed your acceptance of those changes.
- 2.Using Our Patient Health Services
We are contracted to provide patient services including Specialist Community Clinical Services, Urgent Care Centres (UCC), Phlebotomy and Out-of-Hours Primary Care Services (the Integrated Primary Care Service – IPCAS). In order to provide patient care, we may need to collect and process personal information. We do this with your consent, using the minimal information needed and within the parameters of specific data sharing agreements we hold with organisations (the Data Controllers) who are responsible for your holding and maintaining your medical record, for example, your GP Practice.
Personal identification information
In the safe and lawful operation of patient services we require access to accurate and up to date personal identification information which includes a patient’s name, address, telephone number, NHS number and health information and wherever possible this will be processed to your GP patient record. Information will be collected from: –
- People who use our services or request a service from us
- Patient records accessed/required for the purposes of safe operation of SHPCA’s patient services.
- Complaints information
Before we book an appointment with one of our services, your consent is required. You have the right to withhold your consent, however in these circumstances, for reasons of patient safety we will be unable to provide the service to you. Your entitlement to health services through your GP practice is not affected.
Where your GP patient record is not available, other secure systems may be used to provide safe specialist care to record health information including ECGs, this may be shared with a specialist consultant; any hard copy information e.g. cardiograms will be securely disposed of.
- 3.Working for SHPCA
Applying to work for us
When you apply to work for us, we will use your personal data to process your application and to monitor recruitment statistics. Where we need to disclose information to a third party, e.g. where we want to take up a reference or obtain a ‘disclosure’ from the Disclosure & Barring Service, we will not do so without informing you beforehand unless the disclosure is required by law.
During employment with us, accurate and up to date personal information will be collected so that we meet our statutory function, legal and contractual obligations, and to ensure you are kept informed. This will be collected and stored electronically within our secure HR system and within a hard copy employment file held at head office. This may include information relating to: –
- Personal identification
- Contract/s of Employment
- Payroll services
- Career development
- Grievance and Disciplinary matters
- Health information
- Next of kin
- Job application and references
- Absence (including Annual Leave)
- Disclosure and Barring Service records
- Declarations of Interest/s
- Photographic images of documentation legally required for employment purposes
- Reference requests
- Leaver and termination of Employment details
- 4.Member Practices
We process personal information about Shareholding Partners and named ‘points of contact’ in our Member Practices and share such information with our appointed Company Secretary (Thrings LLP) to ensure our compliance with Company law, issue Notices and other communications with Members and Shareholders.
- 5.Your Rights
All personal data is processed fairly and lawfully, whether it is received directly from you or from a third party. The different types of personal data / information needed to provide our specific services and for recruitment and staffing purposes may include:
- ‘Personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified from the data.
- ‘Special Category / sensitive data’ such as medical history, details of appointments / contacts, medication, appointments and admissions, clinical notes, treatments, results of investigations, supportive care arrangements, social care status, race, ethnic origin, genetics and sexual orientation.
- ‘Pseudonymised’ – data that has undergone a technical process that replaces your identifiable information such as NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data
- ‘Anonymised’ – data about individuals but with identifying details removed so that there is little or no risk of the individual being re-identified
- ‘Aggregated’ – anonymised information grouped together so that it doesn’t identify individuals
Why we collect information about you
As a primary care provider, we need to process your information to:
- Protect your vital interests
- Deliver preventative medicine, medical diagnosis, medical research
- Pursue our legitimate interests as a provider of medical care
- Perform tasks in the public’s interest
- Manage the health and social care system and services.
How is the information collected?
Your personnel or healthcare records are generally held electronically. We use a combination of technologies and working practices to ensure that we keep your information secure and confidential. We use secure NHS Mail or electronic transfer over an NHS encrypted network connection. Most health information is processed directly to your GP patient record and your GP practice remains the Data Controller.
Who will the information be shared with?
Personal data is treated confidentially and will only be shared internally and as appropriate with staff who need access to perform their roles for the provision of your care, or required to satisfy our statutory function and legal obligations
To deliver and coordinate your health and social care, we may need to share information with the following organisations:
- Local GP Practices in order to deliver extended primary care services
- Portsmouth Hospitals NHS Foundation Trust, Southern Health NHS Foundation Trust, Solent NHS Trust, University Hospital Southampton NHS Foundation Trust, Frimley Park Hospital, South Central Ambulance Service NHS Foundation Trust (SCAS)
- Partnering Health Limited (PHL) to whom we subcontract our contractual obligation to provide the Out-of-Hours GP Home Visiting service as part of our (IPCAS) Integrated Primary Care Access Service contract.
- When we are contacted by ‘NHS 111’ or ‘999’, patient’s information because they have been clinically triaged to attend an urgent, primary care, ‘Out-of-Hours’ (IPCAS) appointment.
- Local Social Services and Community Care services
- Voluntary Support Organisations commissioned to provide services by Hampshire, Southampton and Isle of Wight CCG/ Hampshire Health and Wellbeing Board
- Pharmacies (prescriptions)
To comply with our legal responsibilities as an Employer, we may share information with external service suppliers including, but not limited to:
- the ‘NHS South, Central and West Commissioning Support Unit’ (CSU) to whom we have subcontracted our HR support service requirements
- NHS Business Services Authority who provide NHS Pensions for SHPCA employees.
- The Disclosure and Barring Service, the British Medical Association (Performers List) and the Nursing and Midwifery Council to provide employment and professional eligibility checks.
- Sensi, our on-line Locum booking platform to enable clinicians (including GPs, Advanced Nurse Practitioners, Practice Nurses, Health Care Assistants, Receptionists) to manage shifts and remuneration for providing patient services.
- The ‘Medical and Dental Defence Union of Scotland’ (MDDUS) and the Medical Defence Union (MDU) in connection with Corporate, medical indemnity and associated support services that we secure for present and former employees and directors.
- ‘Afilio Clarity who provide and maintain e-learning training modules and services for our workforce.
- Matrix IT Solutions Limited because personal information is necessary to set-up Microsoft SharePoint for employees (Shpca.net).
To comply with our legal responsibilities as a Company we may share personal information with Thrings LLP in connection with Statutory and Company Secretary services for SHPCA.
How do we maintain the confidentiality of your records and ensure the information you give us is kept securely?
We will only use information that has been collected lawfully and is only used by people who have a right to see it. Every member of staff has a legal obligation to keep information about you confidential. The NHS Code of Practice on Confidential information applies to all staff and is required to keep your information protected. We maintain our duty of confidentiality by conducting training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access. Your information will not be transferred or stored outside the European Union.
To support the highest standards of security SHPCA appoints a Data Protection Officer, Caldicott Guardian and a Senior Information Risk Owner, all of whom can be contacted via https://www.shpca.net/contact.
How we use your information
We use personal information to:
- Deliver patient services, provide support, advice and services
- Check and improve the quality of services and develop future services.
- Provide statistical reports to those who contract with us to deliver services. Statistics are used in such a way that individuals cannot be identified.
- Carry out requirements under the law such as health and safety, employment law and the safeguarding of vulnerable children and adults.
- Deal with payments from those with whom we contract for services and payroll
- Help investigate any concerns or complaints you make
- Enable us to safely recruit, engage, employ and contract with, manage, support, train and remunerate our clinical and non-clinical workforce.
- Provide IT and mobile phone connectivity to support our workforce and patient services.
- Comply with Company law in respect of our members and shareholders.
We do not pass on your email address to any third party without your express permission.
How long do we keep your personal information?
We keep your personal data in line with our data retention and erasure policy and in accordance with the Records Management Code of Practice for Health and Social Care 2016. We will not keep your information longer than necessary.
How do you access your personal information? (Subject Access Request)
You can find out what personal information we hold about you by making a ‘subject access request’. You can also ask us to correct any mistakes in the records we hold about you.
Subject access requests should be made to: The Data Protection Officer (https://www.shpca.net/contact). Or E-mail: Shpca.firstname.lastname@example.org
Freedom of information
The Freedom of Information Act 2000 (‘FOIA)’ gives the right to access a range of recorded information held by organisations which are ‘public authorities’ under the FOIA (Schedule 1). For the avoidance of doubt, SHPCA is not a public authority but may be subject to the FOIA in relation to services it provides through a NHS contract. Written requests under the Freedom of Information Act should be sent to Shpca.email@example.com. We will normally provide respond within 20 working days from receipt of a request.
What about CCTV images of me?
SHPCA does not use CCTV, however there may be CCTV installed at the location where your appointment is held. You can ask to see CCTV images by making a Subject Access Request to the individual site.
What is the legal basis for processing the data?
All data is processed in accordance with law enforcement, Information Commissioner’s Office guidelines, The Data Protection Act 2018 and General Data Protection Regulation (2016). The lawful basis for processing data includes:-
- Article 6(1)a ‘consent’
- Article 6(1)b ‘contract’
- Article 9(2) ’preventative or occupational medicine’
What rights does the data subject have?
- To be informed
- To access information we hold about you (unless an exemption applies)
- To restrict processing
- Data portability
- To object
- Not to be subject to automated decision-making including profiling
Should you wish to raise an objection to some, or all the information being processed, please contact The Data Protection Officer (https://www.shpca.net/contact).
Your right to opt out of data sharing and processing
The NHS Constitution states ‘You have a right to request that your personal confidential information is not used beyond your own care and treatment and to have your objections considered’. For further information please visit: https://www.gov.uk/government/publications/the-nhs-constitution-for-england
There are several forms of opt-outs available at different levels and some examples include:
Type 1 opt-out. If you do not want personal confidential information that identifies you to be shared outside your GP practice you can register with your GP practice. This prevents your personal confidential information from being used except for your direct health care needs and in specific circumstances required by law e.g. an outbreak of a pandemic disease. Patients are only able to register the opt-out at their GP practice.
National data opt-out
NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. The new programme provides a facility for individuals to opt-out from the use of their data for research or planning purposes. The national data opt-out choice can be viewed or changed at any time by using the online service at www.nhs.uk/your-nhs-data-matters
We collect personal information when we receive and investigate a complaint. We will only use your information to resolve your complaint. We provide reports to our Board and to those who contract with us on complaints received but not in a way which would identify you. We will keep personal information contained in complaint files in line with our retention policy, which is available on request. Our complaints are stored
In the event that you feel SHPCA has not complied with the current data protection legislation, either in responding to your request or in our general processing of your personal information, you should raise your concerns in the first instance in writing to the Data Protection Officer (see ‘How to contact us’ below).
If you remain dissatisfied with our response you can contact the Information Commissioner’s Office (ICO) at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF – Helpline: 0303 123 1113 or online at https://ico.org.uk/
SHPCA is registered with the ICO: ZA292145.
How to Contact us
Address: Southern Hampshire Primary Care Alliance Limited, 35 Pure Offices, One Port Way, Portsmouth, PO6 4TY
E-mail: firstname.lastname@example.org Tel: 023 92 414 020