Hospital Trust

https://nhsvaccinations.co.uk Software Application Patient Privacy Notice

Updated 9th September 2020

Cievert are committed to protecting your personal privacy and choices. This information notice sets out the basis on which we process (on behalf of Hyde Primary Care Network (Hyde PCN), covering the GP surgeries in South Tameside) your personal data collected via the https://nhsvaccinations.co.uk software application.

Who We Are

We are Cievert Ltd, company number 7495794 of registered address International Business Centre, Mulgrave Terrace, Gateshead, NE8 1AN (referred to in this policy as us, our, we and Cievert).

We run a secure cloud-based software application which stores and processes your patient data on behalf of your GP practice. No one in our company reads your file and we do not share your personal data with anyone. We keep your data safe and secure, and only act on instructions from your GP practice when processing your personal data.

If you have questions about your care or use of the https://nhsvaccinations.co.uk Software Application you should contact your GP practice in the first instance. If you do need to contact us, our details appear below:

https://www.cievert.co.uk/contact/

Purpose of this Policy

This policy is intended to supplement any privacy policy you will have received from your GP practice about your patient data and the role of computers and software, including the https://nhsvaccinations.co.uk software product, in managing your care. The purpose of this policy is to help you understand what types of personal data Cievert processes about you as a patient and user of the https://nhsvaccinations.co.uk app, and why Cievert processes it on behalf of the NHS. It gives you information about the lawful grounds for processing your personal data, your rights in relation to your personal data and how to make a complaint. It also tells you about the steps we take to keep your personal data private, safe and secure and how long we store your information.

This policy only relates to personal data collected via the https://nhsvaccinations.co.uk app, and our roles and responsibilities as a processor acting on behalf of your GP practice through whom you were registered to use https://nhsvaccinations.co.uk. It is one of a number of information documents available to you, to help you understand how your personal data is collected, generated and processed in the course of your receipt of direct care from your GP practice.

If you have questions about your care, use of the https://nhsvaccinations.co.uk Software Application or need more information about your personal data on https://nhsvaccinations.co.uk you should contact your GP practice in the first instance. If after contacting them you still have questions about this policy, or need more information about Cievert and how we handle your personal data, please contact our Data Protection Officer:

https://www.cievert.co.uk/contact/

Types of Personal Data and How we Obtain it

The law governing personal data changed across the European Union, including the UK, in May 2018, when the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 came into force. The new law increases the rights of personal data subjects (see the section entitled Your Rights for more information). It also increases the responsibilities of organisations handling personal data.

Personal data is any information which identifies an individual living person. It is data from which a person can be identified directly; but also includes data where the person can only be identified indirectly from that information in combination with other information. Personal data may also be special category personal data, including information about a person’s health, sexual health, medical conditions and treatment. Special category data is considered to be more sensitive than other types of personal data and it can only be processed and collected in more limited circumstances.

As a patient of direct care you will be providing a lot of personal data, including special category data, to the healthcare professionals involved in your care. The healthcare professionals you encounter make use of various tools, including software applications, to assist in managing, analysing and understanding your personal data and ensuring you receive the right health care and interventions to ensure the best outcomes for your treatment. The https://nhsvaccinations.co.uk application is one such software product which assists your healthcare provider in collecting, managing and understanding your healthcare data and needs.

Some of the types of personal data you may be asked to provide the clinic and which may be processed using the https://nhsvaccinations.co.uk application include your name, postcode, and date of birth. Other types of information which may be gathered about you by your healthcare provider might include information about any ongoing health conditions, your medicines and treatment, information about your family members and their health, other information on your health and factors which affect it.

In the course of your care, additional personal data about you may be generated or collected (including information you report to your healthcare provider or you enter into the https://nhsvaccinations.co.uk application), as well as carer’s opinions about you and how you have responded to treatments, medicines and interventions. All of the personal data relevant to you as a patient may be generated, collected and processed by your healthcare professionals using the https://nhsvaccinations.co.uk application – unless you object to use of https://nhsvaccinations.co.uk .

The use of https://nhsvaccinations.co.uk is entirely optional. Opting out of use of https://nhsvaccinations.co.uk will not affect the quality of care you receive or what types of care you are entitled to, but it may mean you do not benefit from the more streamlined approach, reduced appointment attendance and other benefits offered by use of the https://nhsvaccinations.co.uk application in capture and analysis of your health data. If you would prefer not to use https://nhsvaccinations.co.uk please speak to your healthcare professional or contact us at https://www.cievert.co.uk/contact/.

As a controller of your personal data your GP practice will decide how and why to use your personal data, within the parameters set by the applicable laws and regulations. Cievert is appointed to provide a means (a software tool) for processing your personal data. Cievert employees will not read your personal data, we will always treat your personal data in accordance with the data protection legislation and we will keep your personal data secure and confidential. We will only ever process your personal data in the ways dictated by your GP Surgery and will not use your personal data for our own purposes or to allow any third party access or use of your data.

Wherever possible we, and your healthcare providers, will pseudonymise your personal data when sharing and processing that data. Pseudonymised data is where information about a person is identified using a unique identifier (e.g., a clinic patient number) instead of the person’s name, address or date of birth; so the data can only be linked to an identified individual if you have access to additional information (which is held separately from the pseudonymised data). Pseudonymisation can help reduce privacy risks by making it more difficult to identify individuals and the person to whom a particular data set relates, but such pseudonymised data is still considered to be personal data and will be treated by us in accordance with the GDPR and this privacy policy.

Why we Process your Personal Data - Lawful Grounds and Special Conditions

The https://nhsvaccinations.co.uk application is a software tool utilised by your GP practice in providing direct care to you as a patient. Cievert (as the software company responsible for running the https://nhsvaccinations.co.uk app) is acting as a processor on behalf of your GP surgery. The reason we process your personal data is, on the written instructions of your healthcare professional, in order to streamline your care and to minimise potentially unnecessary follow-up appointments.

The lawful grounds on which we rely (as a processor) in order to lawfully process your personal data are the same as (and determined by) your GP practice as the controller of your personal data. Typically, the key lawful ground for all NHS direct care personal data collection and processing is the performance of a task carried out in the public interest (Article 6(e) GDPR). The NHS is funded by the public purse in order to conduct tasks that are considered to be in the public interest, thus the public task lawful ground will apply to all NHS clinics and activities in providing direct care.

The lawful grounds on which we rely (as a processor) in order to lawfully process your personal data are the same as (and determined by) your healthcare provider, as the controller of your personal data (collected from or provided by you in the course of and for the purposes of providing you with health services). Typically, the key lawful ground for all private clinic direct care personal data collection and processing is the performance or preparation to perform a contract (for private healthcare services) with the data subject (patient) (Article 6(a) GDPR). In certain limited circumstances pursuit of the controller’s (private clinic/private healthcare provider) legitimate interests may be the relevant ground.

Where we process special category data (e.g., healthcare data) about you, in addition to the lawful grounds set out above, the clinic/NHS controller has to identify the special conditions justifying such processing. In processing carried out using the https://nhsvaccinations.co.uk app, the special conditions which apply are set out in Schedule 1 Part 1 of the Data Protection Act 2018 and GDPR Article 9(h). The specific special conditions we rely on in this respect include that the processing is necessary for medical diagnosis, the provision of health or social care or treatment, or the management of health care systems (on the basis of UK law or, in the case of private clinics, pursuant to contract with a health professional, and subject to appropriate conditions and safeguards).

We and your healthcare provider have complied with the applicable UK laws governing such activities and carry out the processing in a proportionate way with appropriate safeguards in place, taking account of your rights as an individual (as described in more detail elsewhere in this policy – see sections on your rights, and how we protect your personal data).

Who we Share Your Personal Data With

Your personal data is shared between the healthcare professionals caring for you. It is stored within the NHS HSCN virtual private network and does not leave that network. Cievert technically has access to your personal data, because we are responsible for keeping the https://nhsvaccinations.co.uk app running and keeping your data safe within https://nhsvaccinations.co.uk, but no one at Cievert reads your personal data and all Cievert employees are under a strict obligation of confidentiality. Please refer to your healthcare provider’s privacy policy for more details on how and why they might share your personal data. Cievert will only ever share your personal data with you and your healthcare providers.

Another less direct form of sharing your personal data includes where we use third party service providers to help process your personal data, for example if we are providing secure cloud storage outside the NHS HSCN network. Wherever that happens, we will enter into written agreements with those service providers to ensure they process your personal data appropriately and in accordance with the data protection legislation and our instructions. You can find a list of our current third party contractors involved in processing your personal data, here:

Linode

Location of your Personal Data

The data protection legislation requires that we do not transfer your personal data outside the EU unless there are appropriate safeguards in place to protect your data and your rights. All your personal data is kept within the UK at all times.

How we Protect your Personal Data and Retention Periods

We have in place a number of cybersecurity and other measures designed to protect your personal data and privacy. A key measure is pseudonymising your data. We generally only process and transmit your personal data when it is in pseudonymised form. We also minimise our records, isolate access to databases behind appropriate security measures and we are careful about how long we keep your personal data. We keep our IT systems up to date, and work to high recognised standards (for example ISO9001 and ISO27001) and have satisfied the rigorous confidentiality and cybersecurity standards imposed by the Information Governance lead of your NHS healthcare provider.

As explained elsewhere in this policy, we only process your personal data on the instructions of your GP Surgery. We are subject to appropriate written contractual terms (a processing contract) with your GP Surgery.

We will delete your personal data whenever we are required to by the terms of our processing contract or at the request of your healthcare provider. You may also request deletion of your personal data in some circumstances.

If you want to request deletion of your personal data from the https://nhsvaccinations.co.uk database, you will need to contact the Data Protection Officer for your GP Surgery. You can ask your GP surgery provider for details of their Data Protection Officer. If you are still unsure who to contact, please contact our DPO using the details at https://www.cievert.co.uk/contact-us/ and we will be happy to assist you in identifying who to contact, what rights you have and how to exercise them.

Your Rights

A key change brought in by the new data protection legislation is that many healthcare providers will no longer be relying on your consent as the lawful basis for processing your personal data, although they will still need your consent for other things (e.g., your consent to treatment, access to certain medical records and other confidentiality considerations). This means that where you are receiving direct care, your rights under the GDPR to object to processing of your personal data for that purpose or to ask for deletion of your personal data may be limited. This is because the GDPR sits alongside, and has to be read in conjunction with other legislation, regulations and codes of practice governing what your healthcare providers do in relation to your personal data and direct care.

Typically, your data protection rights will be limited where continued retention of records and processing is required for good reasons (e.g., your safety, public safety or wider social benefit). Some examples include keeping medicines safe, promoting innovation in medicines, achieving good pharmacovigilance and adverse event reporting, maintaining public confidence in the safety and efficacy of the NHS and monitoring the long term effects of medicines. Retention of your records may also be justified for reasons which relate more directly to keeping you safe by maintaining records of the treatment and care you have received and how you have responded to it.

You may still be able to request your personal data be kept elsewhere than on the https://nhsvaccinations.co.uk database, so please contact your healthcare provider or their appointed DPO to request this.

Under the data protection legislation, individuals have the following rights in relation to their personal data:

You can always request to exercise your rights, and we will provide you with further information and respond to such requests in accordance with the legislation. As mentioned above, there may be reasons why your request can be lawfully refused – but you will receive an explanation for any refusal. As a processor acting on behalf of a controller (your GP practice) we will usually have to refer all requests to exercise your rights to the controller. The controller generally has one month to respond and usually has to do so free of charge.

We will always try to reduce the amount of personal data we keep to the minimum necessary to achieve the required purpose, and we use measures such as pseudonymisation and the security measures discussed above to protect your privacy even where your personal rights to insist on restricted processing or deletion are limited.

You can find out more about your rights under the data protection legislation by visiting https://ico.org.uk/your-data-matters/ or contacting the Information Commissioner’s Office to discuss your concerns https://ico.org.uk/make-a-complaint/.

How to Complain

If you have a concern or complaint, you should approach your healthcare provider or its Data Protection Officer in the first instance. If you are not satisfied with your healthcare provider’s response, please contact Cievert to discuss any remaining concerns or complaints about how we collect or use your personal data. Please contact our Data Protection Officer at one of the contact points listed at https://www.cievert.co.uk/contact-us/.

You can complain direct to the Information Commissioner’s Office at any time – please go to https://ico.org.uk/make-a-complaint/ where you will find details on how to complain and up to date contact details for the ICO. If you are based outside the UK you can contact your local Data Protection Authority or the ICO.

Our Cookie Policy

As part of our overall approach to privacy and transparency, this section describes what cookies are in the context of our web interface, and what their use means to you. At the end, we’ve included some links to help you research cookies and their impact, and how you can use your web browser to control the way it manages cookies.

What are cookies?

According to Microsoft:

“Cookies are a very small text file placed on your hard drive by a web page server. It is essentially your identification card, and cannot be executed as code or deliver viruses. It is uniquely yours and can only be read by the server that gave it to you. A Cookie’s purpose is to tell the server that you returned to that web page.”

What cookies do we use?

In this section, we explain how cookies are used in the overall service we provide to our clients, and how you can switch off cookies via a setting in your browser. Our use of cookies:

List of services we use which use their own cookies:

Changes to this Privacy Notice

We keep our privacy notice under regular review. This privacy notice was last updated in September 2020. This notice is not a contract and is subject to change at any time. Whenever a change occurs, we will make the updated notice available on the https://nhsvaccinations.co.uk application.

How to Contact us

Questions, comments and requests regarding this privacy policy are welcomed. If you want to request information about our approach to protecting your personal data or about this privacy policy you can email us or write to us at the address below.

The Data Controller, responsible for keeping your information secure in relation to the above services is the clinic or NHS trust who provided you with access to the https://nhsvaccinations.co.uk application.

We process your data on behalf of the NHS and you can contact us using the following details, although we will need to consult with the data controller before responding to any request to exercise your rights.

Cievert Ltd

International Business Centre,

Mulgrave Terrace,

Gateshead, NE8 1AN

Email: info@cievert.co.uk

Telephone: 0191 303 8089

Cievert has nominated a person responsible to lead on Data Protection matters: this is Cievert’s Data Protection Officer, who can be contacted using the details above.