Introduction

Vita Health Group (Vita Health Group Ltd, Right CoreCare Ltd, Crystal Palace Physio Group Ltd, including any other subsidiary companies or trading names) provides healthcare and wellbeing services to private customers, the NHS, employers, insurance companies and Occupational Health providers across the UK.  The confidential data we collect and access must be used legally and in good faith, following the principles and guidance published in relevant legislation industry standards.  To ensure this, this policy documents the principles and guidance we apply at all times.

Scope

This policy applies to the treatment of personal data for which Vita Health Group is the data processor or data controller and applies to all staff members, temporary staff members, associates, and sub-processors.

Personal data is defined as any data that can be used to identify a living individual.  Anonymised or aggregated data is not regulated by the Data Protection Act (DPA) or General Data Protection Regulation (GDPR), providing the anonymisation or aggregation has not been done in a reversible way.  For clarity, Individuals can be identified by various means including their name and address, telephone number or Email address.

Confidential data must be treated with an enhanced level of diligence.  For clarity, confidential data includes any data (or information) which is shared under a reasonable expectation of confidentiality, but specifically includes all Special Categories of Data as defined in the GDPR:

  1. Race or ethnic origin;
  2. Political opinions;
  3. Religious or philosophical beliefs;
  4. Trade union membership;
  5. Genetic data;
  6. Biometric data;
  7. Health data;
  8. Sexual history and/or sexual orientation;
  9. Criminal data.

Purpose

This document states and explains how we comply with the principles of data protection, and acts as a statement of intent to which the company, employees or third parties must abide.  This policy is published and distributed to staff, customers, customers or service users, and clients as required for informative purposes.  This policy cannot, and does not aim to cover every possible use of data, but should be used for guidance where required.

Commitments

Vita Heath Group will:

  1. Ensure that we comply with the Principles of Data Protection and the Caldicott Principles.
  2. Meet our legal obligations as laid down by the General Data Protection Regulation, Human Rights Act 1990, Health and Social Care Act 2015, Access to Health Records Act 2000, and any other relevant legislation.
  3. Ensure that processes and procedures are in place to allow data subjects’ rights to exercise their rights.

Data Protection Principles

The data protection principles shall be used to guide all use of personal data:

  1. Accountability – This means that we acknowledge and understand our role and responsibilities as a data controller and data processor. We ensure this by having appropriate governance of how data is used, at the appropriate level of management
  2. Lawfulness, Fairness, and Transparency –
    1. Lawfulness means having a legitimate legal basis for processing personal data. This is the service contracts or agreements we have in place with our Customers.  When a customer purchases our services, refers a patient to us, or a patient self-refers, this gives us the legitimate legal basis to process their personal data.
    2. Fairness means only using data in the manner which is expected. We ensure this by making sure customers and service users are aware of, and understand how, we process their personal data, ensuring that this is clear and accurate, and ensuring that we do not use data in any other way.
    3. Transparency means that customers and service users must be aware of how we use their data. We ensure this by publishing information on how we use personal data (such as this policy), and on gathering relevant informed consents.
  3. Purpose Limitation – This means that data may only be collected for specific, explicit and legitimate purposes. We ensure this by having clear agreements with our customers and suppliers which limit the use of personal data, and only using data in the manner which would be expected.
  4. Data Minimisation – This means that only the minimum relevant personal data should be collected for the agreed purposes. We ensure this by only collecting the data we require to provide our services, and by ensuring that staff are adequately trained.
  5. Accuracy – This means ensuring that data is accurate and up-to-date. We ensure this by adequately training our staff, and by having a process in place to allow customers and service users to access and request corrections to their personal data.
  6. Storage Limitation – This means that personal data should only be kept for the minimum time necessary. We ensure this by regularly reviewing the data we hold, and destroying it in line with our own policies and any other relevant guidance, regulation or legislation.  In practice this means that we store clinical data for eight years from the customer or service user last contacted us.
  7. Storage Limitation – This means that personal data should only be kept for the minimum time necessary. We ensure this by regularly reviewing the data we hold, and destroying it in line with our own policies and any other relevant guidance, regulation or legislation.  In practice this means that we store clinical data for eight years from the customer or service user last contacted us.

Caldicott Principles

The Caldicott Principles are specifically focussed on the use of confidential healthcare data.  These principles shall be considered, above and beyond those stated above when considering clinical data:

  1. Justify the purpose(s) for using confidential information: This means that use of personal confidential data should be clearly defined, scrutinised, documented, and reviewed by an appropriate guardian.
  2. Don’t use personal confidential data unless it is absolutely necessary: This means that personal confidential data items should not be included unless it is essential.  The need for customers and service users to be identified should be considered at each stage.
  3. Use the minimum necessary personal confidential data: This means that where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is used as is necessary for a given function to be carried out.
  4. Access to personal confidential data should be on a strict need-to-know basis: This means that only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see.
  5. Everyone with access to personal confidential data should be aware of their responsibilities: Tis means that clinical and non-clinical staff handling personal confidential data should be fully aware of their responsibilities and obligations to respect patient confidentiality.
  6. Comply with the law: This means every use of personal confidential data must be lawful.  Each organisation handling personal confidential data should have a person responsible for ensuring that the organisation complies with legal requirements.
  7. The duty to share information can be as important as the duty to protect patient confidentiality: This means that health and social care professionals should have the confidence to share information in the best interests of customers and service users within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

What Data we Collect

Vita Health Group collects and stores personal data on behalf of private customers, the NHS, employers, Occupational Health providers, or insurance companies who pay for our services, and website users who visit our webpages and resources.  Generally, the data we collect may consist of (where required for treatment or the provision of services):

  1. name;
  2. address and post code;
  3. telephone number;
  4. employee number or employment details;
  5. email address;
  6. payment card details;
  7. medical history;
  8. medical conditions;
  9. age or date of birth;
  10. gender;
  11. ethnic group or race;
  12. sexual orientation;
  13. criminal offences;
  14. political, religious or philosophical beliefs;
  15. other details about a patient as required for legitimate treatment purposes;
  16. Relevant interests or activities;
  17. Some data is collected automatically by our websites. See relevant website Privacy Policy for more details.

How we Use Personal Data

The data we collect is used for legitimate business purposes only.  We never sell data any to third party and we aim to be fully transparent in its use.  Data is used in the following ways:

  1. for the provision of Physiotherapy, Psychological Therapy, Counselling, and Employee Assistance Services;
  2. to provide reports to customers or service users in line with our agreements;
  3. to positively identify service users or other individuals;
  4. for clinical or business audit and quality assurance purposes;
  5. to provide analysis and intelligence reports to customers or for use internally;
  6. for billing, payment, or accounting purposes;
  7. (NB. in most cases and where suitable, personal data is anonymised when reporting to customer organisations to protect service user confidentiality)
  8. to send or supply goods, products or services;
  9. to manage inquiries or complaints;
  10. to send communications about services, or that have been specifically requested;
  11. to send some marketing communications relating to our business or products, or those of selected third parties

For NHS patients

How the NHS and care services use your information

Vita Health Group is one of many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

 

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.  On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

 

You can also find out more about how patient information is used at:

https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and

https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

 

Marketing Communications

Where individuals have opted in to receive marketing communications, or communications about our products and services, data will be stored within our MailChimp account.  The purpose is to send clients regular updates about the business, treatments, and health & wellbeing related news, as specified on the signup form.  Other optional personal data (name, surname, DOB, sports/ activities, preferred appointment location, other detail) may be collected for email marketing purposes.  Individuals can stop receiving these emails at any time by:

  1. clicking the unsubscribe link in the email;
  2. making a request directly to MailChimp through their website, or by emailing personaldatarequest@mailchimp.com;
  3. contacting the data protection officer, using the details at the bottom of this policy.

Who Has Access to Personal Data

Personal data collected as part of treatment may be accessed by clinical or administrative members of staff as required for the provision of services, or by clinical auditors who ensure the quality of service.  This data may also be shared with other clinical professionals outside of Vita Health Group, where this is required for the provision of services, is required by law, or when required to safeguard the wellbeing of a patient or other person.  Data may occasionally be accessed by selected service suppliers who provide technical support.

To see how personal data collected through our website is used, please see our Website Privacy Policy.

Where an individual has opted in to marketing communications, personal data will be stored on our MailChimp account.  See Marketing Communications section.

How Long we Keep Personal Data

Personal data collected by a healthcare professional forms part of a medical record and we are legally required to maintain this data in line with the guidance of relevant healthcare governing bodies.  In general terms, this means that data is stored for 8 years after a customers or service users last contact with a clinician, however there are exceptions for minors, or following the death of a patient.  For more detail, see the Information Governance Alliance Records Management Code of Practice.

Other personal data collected through websites or other means will be kept only for the minimum amount of time required and then deleted.

What Happens if There is a Data Breach

Any data breach which may result in harm to an individual will be reported to the individual, to any relevant customer organisation, and if required to the Information Commissioner’s Office, within 72 hours of discovery.

Any individual who believes their data may have been used unlawfully should contact the data protection officer immediately using the details at the bottom of this policy.

How we Keep Personal Data Safe

  1. Vita Health Group systems and processes are protected by CyberEssentials certified technical controls which are verified on an annual basis and managed using an ISO27001:2013 certified Information Security Management System, which is subject to bi-annual external audits, regular internal audits, and full re-certification every three years.
  2. We use enterprise-grade firewalls on network boundaries which include intruder detection and intruder prevention systems. Remote centres are connected to our network using a secure private network, and remote or mobile workers connect via an encrypted virtual private network.
  3. Data is stored on locally hosted and remote UK based platform-as-a-service hosted servers, which are managed and maintained by an ISO27001:2013 certified IT Service provider. Customer Data is also stored on a remote UK based software-as-a-service Case Management System. These services are securely connected to our local network or accessed by encrypted connections.
  4. All servers and user endpoints are protected with enterprise grade Anti-Virus/Anti-Malware software which is monitored and updated on a continuous basis. High risk endpoints are monitored with device monitoring software which allows remote secure deletion of files, or disablement.
  5. All users have unique login credentials with passwords which meet common complexity guidance, and monthly password changes are enforced by network policy. Users with regular access to sensitive data are subject to background checks, criminal records checks, previous employment checks, and governing body certification checks.
  6. Where data is transmitted outside of the network, it is protected by pseudonymisation, anonymisation, or encryption.
  7. Data is backed up locally, and remote copies are stored encrypted for one month. Key systems are also replicated, or have redundant failover to ensure continuity of services in the event of a disaster or technical incident.
  8. Network security is tested by external penetration and vulnerability testing annually, and backups and business continuity measures are fully tested at least annually.
  9. When Patient Data reaches end of life, it is securely destroyed, deleted, or otherwise made inaccessible by secure physical shredding, digital shredding, or database anonymisation.

Data Subjects Rights

Whilst data is collected on behalf of our private customers and business customers, all individuals have the following inalienable rights when it comes to their data:

  1. The right to be informed: Customers or service users should be informed, at the earliest opportunity, what data is to be collected and what it will be used for.  This must be provided in a clear, concise, and transparent format.
  2. The right of access: Customers or service users may request, verbally or in writing and free of charge, access to their own records.  These should be provided in an accessible format once the customers or service users identity has been confirmed, and within 30 calendar days in most circumstances.
  3. The right to rectification: Customers or service users may request that inaccurate or incomplete data is rectified, and where this data has been disclosed to another party, such as their insurance provider or employer, we have an obligation to inform them of corrections.
  4. The right to erase: Bearing in mind the legal protection required for medical records, customers or service users may request the deletion of data where it is no longer required for legitimate purposes, or where they withdraw their consent to processing.
  5. B. Under no circumstances may a medical record be altered or erased without seeking the proper authority and consulting with the Vita Health Group Data Protection Officer.
  6. The right to restrict processing: Processing of data may be suspended should a patient contest the accuracy of personal data, or where they object to processing, prior to any decision being made about rectifying or deleting data.  Enough data may be retained in any case to ensure that any restrictions on processing are respected in the future.
  7. The right to data portability: Customers or service users are allowed to obtain and reuse their personal data for their own purposes.  We must be prepared to transfer personal data across organisations or IT systems without hindrance to usability.
  8. The right to object: Customers or service users may object to their data being used on grounds relating to their particular situation unless we can demonstrate compelling legitimate grounds to continue.  This should be considered on a case-by case basis.

Rights in relation to automated decision making and profiling:  If an automated decision is made about an individual, they may request that this decision is reviewed by a human being.

Roles and Responsibilities

The following roles have specific responsibilities for data protection.  These are in addition to other responsibilities within the Information Governance Policy:

  1. Data Protection Officer: The IG Lead is the data protection officer for VHGs various departments and services.  The DPO will provide advice, monitor compliance, and be the first point of contact in the organisation for data protection matters. The DPO reports to the SIRO and directly to the Board in relation to data protection matters.
  2. All Employees: All employees will, through appropriate training and management:
    • Observe all forms of guidance, codes of practice and procedures about the collection and use of personal information;
    • Understand fully the purposes for which VHG uses personal information;
    • Collect and process appropriate information, and only in accordance with the purposes for which it is to be used by VHG to meet its service needs or legal requirements;
    • Ensure the information is destroyed in accordance with the provisions of the Data Protection Act and General Data Protection Regulation when it is no longer required;
    • On receipt of a request by or on behalf of an individual for information held about them, or any other data subjects’ rights in relation to their personal data, immediately notify their line manager and appropriately log the access request;
    • Not send any personal information outside of the United Kingdom without the authority of the Data Protection Officer;
    • Understand that breaches of this Policy may result in disciplinary action, up to and including dismissal.

Data Protection Policies

The following policies and sub-policies are related to this policy:

  • QA2000 –Information Governance Policy
    • QA2100 – Data Protection Policy
      • QA2101 – How We Use Your Data
      • QA 2102 – Privacy Impact Assessment Policy
      • QA2103 – Photography and Videography Policy
      • QA 2104 – Website Privacy Policy
  • QA2200 – Information Security Policy
  • QA2300 – Confidentiality Policy
  • QA2400 – Document and Records Management Policy
  • QA2500 – Information Sharing Policy

Distribution and Training

  1. This policy will be centrally published an accessible to all staff.
  2. The subject matter of this policy will form part of mandatory induction training and mandatory annual training for all staff.

Monitoring

Compliance with this policy will be monitored by the DPO as part of the Quality and Safety System, including through internal audit.  Findings shall be reported directly to the SIRO, Caldecott Guardian, and if required to the Board of Directors.

Common Questions

Every effort will be made to ensure that customers or service users clearly understand how their data is used, and employees must seek advice if they are unsure – never guess or misrepresent facts to a patient.  This policy answers most questions which a patient is likely to ask and customers or service users may be referred back to this document, however staff should be aware of the following details:

  1. Identity and contact details of the controller and the data protection officer. This is generally the customer organisation; however, this can vary between contracts and services.  Always check with the Vita Health Group Data Protection Officer, or relevant Account Manager.
  2. Purpose of the processing and the lawful basis for the processing. See sections 7 and 8.
  3. The legitimate interests of the controller or third party, where applicable. See sections 7 and 8.
  4. Any recipient or categories of recipients of the personal data. See section 10.
  5. Details of transfers to third country and safeguards – See section 8.
  6. Retention period or criteria used to determine the retention period. See section 11.
  7. The existence of each of data subject’s rights. See section 14.
  8. The right to withdraw consent at any time, where relevant. See section 14.
  9. The right to lodge a complaint with a supervisory authority. See section 20.
  10. Where any data we already hold about the patient came from. Usually this is name only and comes from the referral source.
  11. Our contractual obligation to collect data, and possible consequences of failing to provide the personal data. This varies between contracts, and should be referred to the Data Protection Officer, or relevant Account Manager.
  12. The existence of automated decision making. Some digital triage may produce automated outcomes.  These decisions are routinely reviewed by members of staff and this may form part of the treatment process, however customers or service users may request a review of any automated decisions.

Making a Data Rights Request

General queries may be answered verbally by any member of staff once a person’s identity has been confirmed; however, the following apply:

  1. Requests to access a patient’s personal data which do not fall under the remit of continuation of care can be made verbally or in writing.
  2. We must positively identify the patient’s identity prior to fulfilling any such request.
  3. On receiving an access request, we are usually bound to inform the relevant Customer organisation and may need to refer the request back to them, dependant on our contractual agreements.
  4. Where a request for a patient’s personal data does not come from the patient, refer the matter to the Data Protection Officer immediately.
  5. Requests to transfer the data to another provider, or other health professional, or another professional (such as a solicitor) must follow the procedure outlined above for access requests.
  6. Requests to correct inaccurate data may be made verbally as long as the patient has passed the standard data protection checks. In general, treatment records may not be edited but a note may be added showing a correction.  Where required, customers or service users shall be requested to write a supplementary statement of the correction required to add to a case file.
  7. Requests to erase data, or suspend processing, or withdraw consent may be made verbally, however these should be referred to the Vita Health Group Data Protection Officer, and the consequences of this explained to the patient, which may vary between contracts. In general, we may not erase any part of a medical record, but may be able to offer alternative solutions on a case-by-case basis, and if consent is withdrawn, further treatment may be withdrawn.
  8. Requests from children, from an adult who provided data to us as a child, or from a parent regarding a child will be dealt with on a case-by-case basis by the Vita Health Group Data Protection Officer.

Make a Complaint or Ask a Question

Whilst we make every effort to uphold the principles of data protection and the Caldicott Principles, occasionally we may make mistakes.  If a client or customer wishes to ask a question direct them to contact:

1.Vita Health Group Data Protection Officer:

Data Protection,14 Woolhall Street, Bury St. Edmunds, IP33 1LA

Phone: 0333 222 0272

Email: Informationgovernance@vhg.co.uk

ICO Registration Numbers: Z119839X and Z711109X.

Complaints about how a case has been handled may be escalated to:

2.The Information Commissioner’s Office:

The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Phone: 0303 123 1113

Website: www.ico.org.uk

3.Or, to the employer or service provider who referred the client.

References

ICO Website.

Vita is an award-winning, CQC registered healthcare provider