Privacy Policy

Dr Hannah Short’s Practice Privacy Notice (PPN)

Dr Hannah Short fully complies with Data Protection Legislation and medical confidentiality guidelines and is registered with the Information Commissioner’s Office (ICO).

Contact details for the data controller:

Dr Hannah Short, Menopause & Premenstrual Disorders Clinic, Healthshare Clinic Norwich, Colney Hall, Watton Road, Norwich, NR4 7TY, admin@medofficeuk.com

Contact details for the data protection officer:

Dr Hannah Short, Menopause & Premenstrual Disorders Clinic, Healthshare Clinic Norwich, Colney Hall, Watton Road, Norwich, NR4 7TY, admin@medofficeuk.com

The purposes for processing the data and the legal basis for processing the data:

Processing is for direct patient care in accordance with the Health and Social Care Act 2012 Articles 6(1)(e) and 9(2)(h).

Other legal bases when processing for reasons other than direct care include a direction under the Health and Social Care Act 2012.

Where disclosures are a legal requirement the lawful basis and special category condition for such processing are: ‘…for compliance with a legal obligation…’ (Article 6(1)(c)) and Article 9(2)(h) ‘…management of health or social care systems…’.

In the face of an objection from a patient, in many cases we would be likely to be able to demonstrate ‘compelling legitimate grounds’ for continued processing for the safe provision of direct care and for processing which is necessary for compliance with a legal obligation.

We rely on legitimate interests as the lawful basis for processing patient data:

CPD has applied the three-part test to demonstrate that we have fully considered and protected individuals’ rights and interests.

The three-part test as applied to CPD
Purpose – the provision of medical care
Necessity – without processing data we cannot provide safe medical services to the patient
Balance – We respect the interests & fundamental rights and freedoms of our patients which require the protection of personal data

Information about with whom data are shared:

We hold demographics about our patients (e.g. name, date of birth, email, address, telephone number).

We keep clinical records of consultations with patients.

We attach copies of letters from GPs and consultants, imaging and blood results in the medical records.

This information is kept solely for the provision of medical care for our patients.

Information is strictly personal between ourselves and the patients.

Any communication with outside agencies will usually be to secondary care medical services as an integral part of medical care provision to the patient.

Our patients have the right to access their medical record and to have inaccurate data corrected:

All of our patients have a right to see the full contents of their medical records at no cost.

Requests should be made in writing or by email rather than verbally.

We reserve the right to remove any information specifically relating to a third party – for example a separate letter with confidential information about another patient. In this situation the patient asking for release of all records will be notified of any omissions.

We will reply within one month.

We reserve the right to refuse or charge for requests that are manifestly unfounded or excessive.

If we refuse a request we will give a full explanation.

In case of conflict you have the right to complain to the supervisory authority and to a judicial remedy. You must do this without undue delay and at the latest, within one month.

Retention periods:

Medical records are retained until the death of the patient or a request by the patient to delete data.

Complaints:

Patients are entitled to lodge any complaint with the Information Commissioner’s Office (ICO) if they feel that their rights have been breached: https://ico.org.uk/make-a-complaint/

Consent:

We do not ask for formal consent from patients for the use of an electronic medical record (this is stated clearly to all patients on booking appointments).

Similarly, we do not formally ask for permission to share clinical information for the purposes of ongoing care (this is usually when we refer – at the patient’s request – to another specialist).

Information is kept solely for the provision of medical care for our patients.

Information is strictly personal between ourselves and the patients.

Any communication with outside agencies will usually be to secondary care medical services as an integral part of medical care provision to the patient.

This is in line with the official guidance:

Explicit consent under the GDPR is distinct from implied consent for sharing for direct care purposes under the common law duty of confidentiality.

The GDPR creates a lawful basis for processing special category health data when it is for the provision of direct care that does not require explicit consent.

A common example of when consent can be implied is when a patient agrees to a referral from one healthcare professional to another.

In these circumstances, when the patient agrees to the referral this implies their consent for sharing relevant information to support the referral (unless the patient objects).

The only exception to the above would be where there is a legal requirement to disclose, for example, a direction under the Health and Social Care Act 2012 or disclosures under public health legislation.