Access Medical Treatment Limited – Data Privacy Notice
Informing you as to how we process the information we hold about you is a key element of the General Data Protection Regulation (GDPR). The GDPR came into effect on 18 May 2018 and replaces the 1995 EU Data Protection Directive. This notice sets out how we use the personal information collected from you when you use our services, how you can withdraw your consent for us to process or hold your personal information at any time and your other rights under this legislation. Personal information is any information that can identify you.
We will treat your data under the governing law of your residency as follows:
- Guernsey – Data Protection (Bailiwick of Guernsey) Law 2017
- Jersey – The Data Protection Act 2018
- UK – The Data Protection Act 2018
Access Medical Treatment Limited is the data controller. The identity and contact details of the Data Protection Officer for Access Medical Treatment are:
Telephone: 07911 737751
Purpose of Processing and legal basis for processing
Information collected by Access Medical Treatment includes basic information about you such as your name, date of birth and address. This is called personal data. Personal data is data collected about you where you, the data subject, have requested or given consent to the processing of the personal data for the purpose for which it is processed. But we also need to collect more sensitive information which is classified under the law as ‘special category data.’ Under The Data Protection (Bailiwick of Guernsey) Law 2017 Section 7 Schedule 2, you must give your explicit consent to allow us to collect and process special category data for the agreed purpose.
Examples of special category data include your medical notes and reports about your health, your previous medical treatment and care, immunisations and medications used by you, results of investigations, such as laboratory tests, x-rays, photographs and other diagnostic information.
We process your personal information, including special category data, in order to facilitate and arrange your referral to one of our medical treatment providers. They will also use your personal information including special category data to provide you, on a confidential basis, with medical treatment including arranging medical tests and investigations, prescribing drugs and medication, and providing nursing care, medical treatment and surgery. This may also involve referring you to a third party healthcare provider in certain circumstances and in which case it may be necessary for that third party provider to be given access to your personal information including special category data.
As data controller and processor, Access Medical Treatment processes your data by any one or more of the following means:
- Collecting it;
- Storing it, on computers or in paper files;
- Sharing it, as set out in this notice;
- Destroying it after a set period of time (subject to your right to request us to destroy it at any time)
Please note this list is not exhaustive.
Access Medical Treatment will collect your information and store this in a file specific to you with a unique identifier code allocated to the file. We will only share your confidential information via a secure link with our medical treatment providers in order for them to make an informed decision on the best course of treatment for you. All medical treatment providers that we share information with have both a professional and contractual duty of confidentiality in relation to your information and are subject to European Union GDPR legislation.
Your medical notes that are specific to the treatment you have received under the arrangements entered into by you with Access Medical Treatment will be kept by us for a period of 12 months post treatment. We will send you a notification 9 months following your treatment giving you the date on which your medical notes will be transferred back to you via a secure link and the date on which your records held by Access Medical will be destroyed.
Please note that any personal information supplied to your general practitioner or other third parties will be held by them subject to their own data retention policies. In particular your personal information on the treatment provided to you as an inpatient of the treatment centres or any hospital where you have received medical treatment will be retained as part of their medical records and processed according to that organisation’s legal requirements.
Where data is not special category data, which includes (but is not limited to) your name, date of birth, gender, address, type of medical treatment sought, acceptance/rejection of treatment, date and place of treatment, and bill settlement, we will retain it for a period of 7 years. This is for the purpose of maintaining comprehensive records in the event that you should need follow up or further treatment whether connected to any previous referral or for any purpose arising out of the provision of treatment. You may request us at any time to delete any personal information that we hold about you. We have also set out your other rights below.
Data held by Access Medical Treatment will be stored in Access Business Account Folders, which are accessible only by Access employees and subject to security measures. These folders are provided by Google and protected as described in the Security section here. No personal information of any of our patients is visible to, or can be overheard by, anyone visiting our premises.
Breaches in data handling are subject to The Data Protection (Bailiwick of Guernsey) Law 2017. This requires that any data breach must be reported within 72 hours to the Data Commissioner and to you as the data subject, without undue delay.
We have set out below your rights under The Data Protection (Bailiwick of Guernsey) Law 2017. You have a right, subject to the provisions of that Law:
- To see and have copies of the personal information that we hold that we have collected from you;
- To see and have copies of the personal information that we hold and that we have collected about you from sources other than you;
- To be made and kept aware of how your personal information is being used, and, in particular, how it is shared with third parties;
- To access any data that is being shared with third parties;
- To object to the processing of your personal information for direct marketing purposes;
- To object to the processing of your personal information for historical or scientific purposes;
- To the correction and/or rectification of any of your personal information;
- To the deletion of your personal information in our possession or under our control;
- To restrict the way in which we process your personal information;
- To be notified of any rectification, deletion and restriction to or in respect of your personal information;
- Not to be subject to any automated processing;
- To withdraw your consent at any time to the holding or processing of your personal information.
Please note that you have the right at any time to complain to the Office of the Data Protection Commissioner. Their contact details are as follows:
Guernsey Email – firstname.lastname@example.org or telephone – 01481 742074
Jersey Email – email@example.com or telephone – 01534 716530
England Webpage – https://ico.org.uk/make-a-complaint/ or telephone – 0303 123 1113
The Data Protection (Bailiwick of Guernsey) Law 2017 also gives you the right to appeal against any decision of the Data Protection Commissioner in certain circumstances.
All Access Medical Treatment employees are required to sign a confidentiality agreement and are required to adhere to our professional code of conduct which specifically addresses responsibilities and expected behaviour with respect to the protection of information provided to us by our patients.
We are happy to discuss with you at any time any concerns that you may have regarding our policy and/or the handling of your personal information. If you have any concerns please do not hesitate to contact the Access Medical Treatment Data Protection Officer on 07911 737751 or by email at firstname.lastname@example.org.