STAR (See Treat Analyse Report) Skin Service Privacy Policy
The STAR Skin service is committed to protecting patient privacy and security. This privacy policy explains how and why we use patient personal data and is intended to help ensure that patients remain informed and in control of their information.
The STAR Skin service was established by Miss Samantha MT Anthony in 2010 following national changes to the management and treatment of what are documented as low-priority skin lesions according to low priority frameworks now well established in England, precluding the treatment of a range of non-urgent, non-cancerous lesions including those of a cosmetic nuisance, and locally established policies are available from individual NHS dermatology departments and hospital Trusts.
The STAR Skin Surgery Service receives, handles, stores, exchanges and transfers patient personal information and data between only the essential parties necessarily involved in the management and care of those individuals seeking and undergoing advice, treatment, and investigations according to individual patient need and care. The Information Commissioner’s Office (ICO) is the independent supervisory authority set up to promote and oversee compliance with data protection legislation in the UK. On 25 May 2018, a new data protection regime will come into force, through the General Data Protection Regulation (GDPR) and the Data Protection (Charges and Information) Regulations 2018 (the 2018 Regulations). The STAR Skin service is registered with the ICO and fully respects the handling of patient data and information lawfully and confidentially, strictly in accordance with the above data protection regulations, and the General Medical Council's Good Medical Practice code.
How we communicate with you
We will communicate with you via email to exchange information regarding our service, to arrange your appointment, and to send and receive photographs and your personal and medical information, correspondence letters sent to your GP, and anything else relevant to your interactions with the service before, during and after your appointment with us. This will be made in agreement with you (detail in the autoreply signature in all emails sent from the STAR Skin service emails). When personal/demographic/medical/photographic information is requested from or sent to you, the patient, or other referring medical practitioners, the STAR service will do so via the Egress secure email platform, and instructions on how to access and send information are sent via the platform. If you are unable or unwilling to use this platform when requested to, and prefer to send via the STAR service email(s), then this is done at your own risk and with the full understanding that your information is travelling via the internet in a less secure way. If you do not have access to the internet or email then other options will be made available to you to make contact, and we will also ask for an alternative way to contact you. Please note that this service does not provide telephone consultations at this time.
Personal Data
We collect “personal data”, which is information that identifies a living person, or which can be identified as relating to a living person.
Personal Data we hold
We collect your data either in writing when a patient or GP enquires or sends emails, paper referrals or scanned referrals via the receiving clinic (currently Centennial Medical Care, Elstree) or directly to Miss Anthony or her appointments manager, or via information received via telephone. By the answering of queries, replying to requests for appointments to be made, and the process of booking appointments and the attending for consultation, treatment, and processing of laboratory investigations, following fully informed written consent, you are agreeing to these exchanges, and you are entering a legitimate interest basis for data processing.
We collect the following:
-Personal details such as name, gender, nationality, date of birth, email, home addresses, telephone numbers, GP name and address
-Medical History as obtained from your GP at the time of referral to the service, medications, allergies and all else relevant to the processing of the referral and booking an appointment, and any safety of procedures undertaken
-Referral, Consultation notes, written Consent, Procedure notes, Laboratory pathology analysis results, resultant correspondence with GP and patient, scanned items, and photographs, where relevant to the individual case, are stored securely on your record on our database (g suite by Google*)
-Of note, Financial information is not requested nor stored by the STAR service, but by the hosting clinic (currently Centennial Medical Care, Elstree)
-Personal data generated by your involvement with the STAR service
-All data and information which is received, handled, exchanged, and collected via administrative and attending nursing staff, the hosting clinic, the affiliated receiving pathology laboratory, and Miss Anthony, is kept as a record on a secure, encrypted hosting database (g suite by Google*), and for any necessary future reference
-Tracked email correspondence with patients is stored securely on their individual contact record on our database (g suite by Google*)
How we use personal data
General use and administration:
We collect and process patients’ personal data to enable us to process appointments and manage patient care effectively, lawfully and appropriately, and to ensure that all, and only, those parties relevant to the patient pathway with the STAR Skin service are communicated with as necessary, from the time of referral to discharge.
Disclosing and sharing personal data
We do not sell nor share patient information to unauthorised third parties outside of the immediate service administrators and clinicians involved in the patient's pathway.
The STAR Skin clinic collects and handles information pertinent to the individual for the duration of the patient pathway for any single episode, after which it is stored securely, for a record, and in the event of retrieving for necessary future reference.
Regarding authorised third party involvement, we do have third party service providers working on our behalf, for the purposes of completing tasks and providing services to enable an efficient patient pathway only. To this end we may pass on patient information to the hosting clinic (currently Centennial Medical Care, Elstree), or the appointments manager, or Miss Anthony, or her attending nursing staff, and the investigative pathology laboratory, all of whom may also be first in the receipt of patient referrals (except the latter).
When patient information is disclosed by any authorised handling party or service provider we ensure that only the necessary information needed to complete the service required to be carried out is disclosed. This includes the investigating pathology laboratory. Each of these parties is also bound by the data protection laws and confidentiality rules to ensure keeping information secure. However each of these third parties is responsible for their own adherence to these codes of practice.
Data security
We employ a variety of physical and technical measures to protect information we hold and to prevent unauthorised access to, or use or disclosure of, your personal data. Data is stored electronically wherever possible on a secure computer database system (g suite by Google*) and we control who has access to this information (using both physical and electronic means). All information following completion of patient treatment and their pathway is stored in a cloud, and all necessary users have password-protected access to this information (only Miss Anthony has full disclosure of all data and information from start to end of the patient pathway; the authorised third parties have access only to the relevant and necessary information according to the point in the patient pathway which inevitably involves them). All data is received, handled, stored and transferred with encryption in accordance with required data protection codes (via g suite by Google*). Staff receive data protection training in accordance with their roles.
Payment Security
Financial information is not requested nor stored by the STAR Skin service, but by the hosting clinic (currently Centennial Medical Care, Elstree)
Storing Personal Data
We are wholly based in the UK and store data according to the GDPR regulations.
Retention of personal data: We will only retain personal data for as long as it is required for the purposes for which we collected it (e.g. we have a genuine and legitimate reason and we’re not harming any of your rights and interests). We continually review what information we hold and will delete personal data which is no longer required.
Control of personal data
We want to ensure that individuals remain in control of their personal data and understand their legal rights, which are:
• the right to know whether we hold an individual's personal data and, if we do so, to be sent a copy of the personal data that we hold about you (a “subject access request”) within one month if requested to do so;
• the right of an individual to have personal data erased (though this will not apply where it is necessary for us to continue to use the data for a lawful reason);
• the right to have inaccurate personal data rectified;
• (where technically feasible) the right to be given a copy of personal data that you have provided to us (and which we process automatically on the basis of your consent or the performance of a contract) in a common electronic format for your re-use.
There are some exceptions to the rights above and, although we will always try to respond to any instructions individuals may give us about our handling of their personal information, there may be situations where we are unable to meet their requirements in full.
Should an individual have a complaint about how we have used (‘processed’) their personal data, they may complain to the STAR Skin Clinic / Miss Anthony directly by contacting us in the first instance (with the exception of the case of a complaint regarding the hosting clinic or other authorised third party, in which cases these should be directed to them accordingly).
If an individual is not happy with our response, or they believe that their data protection or privacy rights have been infringed, they may complain to the UK Information Commissioner’s Office which regulates and enforces data protection law in the UK. Details of how to do this can be found at
Disclaimer in relation to the hosting clinic (currently Centennial Medical Care, Elstree), or other authorised third party involvement
Miss Anthony and the STAR Skin clinic are an independently established patient service, hosted at a third party's premises. The hosting clinic and appointments manager may receive referrals and enquiries containing patient personal and medical information, and receive, handle, transfer and store this information of their own accord; the STAR Skin clinic and Miss Anthony request strictest adherence in the handling of all patient information in accordance with this policy and according to legal patient data handling codes and the GMC code of Good Medical Practice. Miss Anthony cannot take any responsibility for any infringements outlined in this policy if carried out by any individuals from the hosting clinic or other authorised third party handling this information at any time during the patient pathway. All issues and complaints regarding these involvements should be directed individually to them.
*For more information on G Suite by Google regarding security of data storage and transfer see the Google Cloud Security and Compliance Whitepaper: visit
This privacy policy is subject to amendment to ensure it remains up to date and reflects how and why we use your personal data. The latest version will always be visible at
Any questions regarding this privacy policy should be sent to Miss Samantha MT Anthony at [email protected]
May 2018