The Harley Street Dermatology Clinic, identified in this document as “We, Us, Our” is committed to making sure that our data subjects’, identified as “You, Your” data is safeguarded and you’re aware of the rights you hold when your data is being processed by us.
Harley Street Dermatology Clinic Company is the Data Controller of the data it holds about its patients and staff. Us and Chits UK are Data Processors and are responsible to ensure our data is collected and stored in compliance with GDPR.
GDPR – General Data Protection Regulation. New data privacy and protection regulations replacing the individual data protection laws in all EU countries on 25th May 2018.
Health Record – Your health record is a history of your healthcare, including treatments, medication, allergies, test results, X-rays and scans.
Consent – Freely given, specific, informed and explicit consent by statement or action by the patient, staff member or any person signifying agreement to the processing of their personal data.
Controller – The Natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor – A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data Subject – Any individual we deal with such as a patient, or doctor, whom the particular personal data is about that we obtain.
Data Protection Officer (DPO) – An expert on data privacy who works independently to ensure the business is adhering to the policies and procedures set forth in the GDPR.
Personal Data – Any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
Processing – Any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
Right to be Forgotten (RTBF) – Also known as 'right to erasure'. Entitles the data subject to have the clinic erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data.
The Harley Street Dermatology Clinic needs to keep a record of the care you receive to ensure that:
We have a duty to:
If you wish us to, and it is practical, we will discuss and agree with you what we are going to enter on your record and show you what we have recorded.
We have many patients with similar names so it vitally important for all patients to be properly identified as individuals. In order to be absolutely sure that you have been correctly identified we may ask you for a number of pieces of information. Suitable items include:
We take your privacy seriously so please let us know how you want us to contact you.
If you provide a mobile phone number: we may ring, leave a message or text you, please inform us if you do not want us to do so.
If you provide a landline: we may leave a message, please inform us if you do not want us to do so.
If you provide us with your email address: we may use it send confidential health information, unless you have instructed us not to do so.
Please read the following before providing us with your email address:
For the purpose of sending sensitive and confidential medical information such as medical reports, referrals and test results we use EGRESS email encryption. Egress are compliant with information security standards, including the Data Protection Act and the EU GDPR.
This encryption allows us to stop further access to content you send, prevent data breaches, and control your data at all times. With this software we ensure end-to-end encryption between healthcare professionals, internal clinic staff and our patients, regardless of third parties’ access to our general email intranet. Sensitive documents and files will be received from us in encrypted emails.
We have full visibility over everyone accessing shared information and what they do with it by implementing all-inclusive audit logs.
Our guiding principle is that we hold your records in strict confidence. We use appropriate technical and organisational measures to ensure this.
Harley Street Dermatology Clinic Company is registered under the Data Protection Act 1998. It abides by the law and observes good practice in maintaining confidentiality and appropriate information security.
We will fulfil its obligations under this Act to the fullest extent, including ensuring that the following 8 principles governing the processing of personal data are observed.
Harley Street Dermatology Clinic is also registered with the Care Quality Commission (CQC). This means that we are subject to ongoing inspection and regulation by the CQC. This includes checks by the CQC that we are observing all necessary and statutory guidelines for use of your data in line with Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 (Part 3).
Information about you and the services you receive may be held in numerous formats and will be kept for the specific retention periods outlined by the relevant professional bodies. Harley Street Dermatology Clinic Company uses secure electronic systems to store medical records, images and details of prescriptions. Patient data held on paper or disk will be processed in accordance with the Data Protection Act and destroyed using secure documented procedures after the time periods set out by the Department of Health.
We use your records to:
Wherever possible, we anonymise your data or use a quasi-identifier such as your patient or NHS number.
The Harley Street Dermatology Clinic Company has a Caldicott Guardian who is responsible for protecting the confidentiality of patient information and making sure that information is shared where this is appropriate.
Please note that anyone who receives information from us also has a legal duty to keep it confidential.
We may also share information that identifies you where:
We will normally share information about the progress of your treatment with the person you name as your Emergency Contact, unless you have told us not to do so. Your emergency contact should be someone that you trust. It does not have to be a blood relative; it can be a friend. We ask patients to name their emergency contact so that we know who you would like us to keep informed about the care we provide or the decisions we need to make. In identifying your emergency contact, you are giving us permission to keep them informed. However, please note that since our Company provides principally diagnostic services only, it will not generally be appropriate for us to give general information about a patient’s health and such requests therefore should be directed to the patient's own General Practitioner or other health professional responsible for the patient’s care.
You can also name other people, with whom you would like us to share information about you. We make best efforts to ensure that information provided over the telephone is restricted to those you have named and we share on a need-to-know basis. Sometimes this means refusing to disclose information about you to someone who feels they should know about your treatment and progress. Please make your family and friends aware of this.
Sometimes we have a legal duty to provide information about people; examples are reporting some infectious diseases, and when a court order instructs us to do so. Records may also be shared without the patient's consent in exceptional situations, such as to safeguard adults or children.
The Care Quality Commission is the independent regulator of health care and they also protect the interests of people whose rights are restricted under the Mental Health Act. They routinely inspect our premises to quality check information we hold and the services we provide in line with the Health & Social Care Acts. This is designed to ensure that patients using services are protected and receive the care, treatment and support they need. These inspectors have the authority to access personal information without the permission of patients.
If your permanent address is outside the EU, or your treatment is continuing outside the EU, we may send details of your treatment to individuals based outside the EU specifically to promote your ongoing care. This would normally be the doctor who referred you to us for treatment. If you wish, we can give you the documents so that you have physical control over this information.
In the usual course of our business, we may use third parties to process and store your data on our behalf. We normally store your data on secure servers in the European Economic Area (EEA). Such processing is subject to contractual restrictions with regard to confidentiality and security in addition to the obligations imposed by the Data Protection Act 1998.
Exceptionally we may use suppliers who are based outside the EEA for processing and storing your data. We have strict controls over how and why your data can be accessed. By submitting your personal data, you agree to this.
Where necessary we may transfer personal information overseas for processing to support the long- term effectiveness of treatment and monitor patient outcomes. Personal information will be processed in this way where it is not possible to achieve this purpose with the use of anonymised or pseudonymised information only.
Harley Street Dermatology Clinic is a clinical diagnostic service which acts to provide information principally for other health professionals who have requested this since they require further detailed investigations on their patients. So naturally we will normally need to share this information with your doctor who has referred you to our service.
If you do not want us to share your information with your GP, other healthcare providers or carers, please tell the team looking after you. But please note that not sharing your information may affect the care that can be provided for you.
You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. Where your wishes cannot be followed you will be told the reasons including the legal basis. You may at any time withdraw any consent you have previously given to Harley Street Dermatology Clinic Company to process information about you.
If you wish to exercise your right to opt-out, withdraw consent to use your information, or to speak to somebody to understand what impact this may have, please discuss your concerns with your clinician, or email to email@example.com typing ‘Opt Out Request’ in the subject line of the email.
You have the right to confidentiality under the Data Protection Act 1998 (DPA), the Human Rights Act 1998 and the Common Law Duty of Confidentiality. The Equality Act 2010 may also apply.
You have the right to request the erasing of your data under the policy Right to Erasure (‘right to be forgotten’) in article 17 of Chapter 3 of the GDPR (EU) 2016/679.
You have the right to know what information we hold about you, what we use it for and if the information is to be shared, who it will be shared with.
You have the right to apply for access to the information we hold about you. Other people can also apply to access your health records on your behalf. These include anyone authorised by you in writing (such as a solicitor), or any person appointed by a court to manage your affairs where you cannot manage them yourself. Access covers:
If you wish to apply for access to the information we hold about you. Please note:
We value your views and feedback about your experience of visiting HSDC. The results of these surveys will help us to improve the service that you and others will receive.
The surveys ask questions regarding your experience of the service that you received from HSDC. The data you provide can be anonymous, therefore we will not analyse or report data that will make you identifiable. If you would like to speak to a member of the team at HSDC, please include your name and email address and we can make contact.
The surveys contain some open-ended questions. When providing free text answers, please do not disclose any information that may identify you (e.g. names, email addresses, reference numbers etc.).
If you do not provide your name or email, the data you provide will be anonymous, we will not be able to identify your responses. Therefore you will not be able to:
• request access to your data;
• withdraw your consent;
• object to, or restrict, the processing of data; and
• rectify the data held
However, if you do include these details, you will be able to:
• request access to your data;
• withdraw your consent;
• object to, or restrict, the processing of data; and rectify the data held
HSDC uses Jotform for feedback - Jotform's data processing details can be seen here: https://eu.jotform.com/faq/ and Mailchimp for contacting you - Mailchimp's data processing details can be seen here: https://mailchimp.com/legal/privacy/.
Data Protection Officer:
firstname.lastname@example.org Sarah Sheridan, Practice Manager
Information Commissioner’s Office (ICO)
The Information Commissioner’s Office, Wycliffe House, Cheshire, SK9 5AF
Helpline: 08456 30 60 60
You also have a right to complain to the Information Commissioners' Office, the UK's data protection regulator. You can find out more about this right here: https://ico.org.uk/concerns/