Coronavirus (COVID-19) Pandemic and your Information
The ICO recognises the unprecedented challenges the NHS and other health professionals are facing during the Coronavirus (COVID-19) pandemic. The ICO also recognise that ‘public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.’
The government have also taken action in respect of this and on 20th March 2020 the Secretary of State for Health and Social Care issued a notice under Regulation 3(4) of The Health Service (Control of Patient Information) Regulations 2002 requiring organisations such as GP Practices to use your information to help GP Practices and other healthcare organisations to respond to and deal with the COVID-19 pandemic.
In order to look after your healthcare needs during this difficult time, we may urgently need to share your personal information, including medical records, with clinical and non-clinical staff who belong to organisations that are permitted to use your information and need to use it to help deal with the COVID-19 pandemic. This could (amongst other measures) consist of either treating you or a member of your family and enable us and other healthcare organisations to monitor the disease, assess risk and manage the spread of the disease.
Please be assured that we will only share information and health data that is necessary to meet yours and public healthcare needs.
The Secretary of State for Health and Social Care has also stated that these measures are temporary and will expire on 30th September 2020 unless a further extension is required. Any further extension will be communicated via an update to this privacy notice. Please also note that the data protection and electronic communication laws do not stop us from sending public health messages to you, either by phone, text or email as these messages are not direct marketing. It may also be necessary, where the latest technology allows us to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind.
If you are concerned about how your information is being used, please contact our DPO using the contact details provided in this privacy notice.
Heacham Group Practice and Your Information
Heacham Group Practice takes your privacy very seriously.
We are registered with the Information Commissioner as a Data Controller and our registration number is Z8035294.
If you have any questions or wish to make a request in relation to your information, please contact the Data Protection Officer at;
Heacham Group Practice is required to collect, use, store and share information about you, for the purposes of maintaining and intensifying the employment relationship we have with you.
We do not transfer your employee information outside of the UK.
How does Heacham Group Practice collect my information?
We will collect information about you, either directly – when you make an application for a job with us to, or indirectly – through references, occupational health referrals and during the course of your employment with us.
The information we collect will be stored on computer and electronic systems. The information includes Personal Data:
- basic details about you, such as address, date of birth, and next of kin
as well as Sensitive Personal Data, where it is relevant to your employment;
- notes and reports about your health and any disabilities
- information about your home life such as marital status
- Information about criminal records checks – generally, we will only retain the reference number
Heacham Group Practice are permitted to collect, store, use and share this information, where necessary, under the General Data Protection Regulations Article 6 (1) (b) “for the purposes of a contract” and Article 9 (2) (b) “employment purposes” and Data Protection act 2018 Schedule 9 (2) (a) “performance of a contract” and Schedule 10 (2) “in connection with employment”.
How does Heacham Group Practice use my information?
Heacham Group Practice will use your information for your recruitment and employment in the following ways:
- To assess your suitability for the role
- To support the process of recruiting and onboarding you as a member of staff
- To pay you and to keep payroll records
- Administration of Expenses and Leave
- To deliver and maintain records on your training and professional development
- To support secondments or promotions
- To manage your performance
To undertake some of these activities, your information will be shared internally across our teams. We will work to ensure that only the right people have your information and that they are only given the information they need.
Who does Heacham Group Practice share my information with?
Sometimes we will be required by law to share your information and will not always be able to discuss this with you directly. Examples might be for the purposes of detection or prevention of crime, where it is in the wider public interest, to safeguard children or vulnerable adults, reporting infectious diseases or where required by court order.
Information Access and Rights
Heacham Group Practice works hard to ensure that only the right people have your information and that they are only given the information they need.
- Your information will be shared internally across our teams such as NHS Pensions uses other companies to help us deliver some of our services such as;
- Provision of HR Portal Systems (www.adp.com)
- Shared Network Drive G:Drive Ardens & Greater East Midlands commissioning support group
- Payroll Mapus Smith & Lemmon Accountants
Personal data will never be made available to organisations not involved in your employment or contracted directly by us without letting you know and giving you a chance to object.
We have contracts in place with these organisations that prevent them from using it in any other way that how we tell them to. These contracts also require them to maintain good standards of security to ensure your confidentiality.
Will Heacham Group Practice share without asking me?
Sometimes we will be required by law to share your information and will not always be able to discuss this with you directly.
Examples might be:
- Sharing with the police or tax authorities for the detection or prevention of crime
- Where it is in the wider public interest – to keep the public safe for example
- To safeguard children or vulnerable adults
- Because the court has told us we must share.
What are my information rights?
Data protection law provides you with a number of rights that Heacham Group Practice is committed to supporting you with:
Right to Access
You have the right to obtain:
- confirmation that your information is being used, stored or shared by [insert organisation]
- a copy of information held about you
- If you only require a particular part of your record, tell us and this can reduce the time it takes to provide it
- We will respond to your request within one month of receipt or will tell you when it might take longer.
- We are required to validate your identity including the identity of someone making a request on your behalf
Right to Object or Withdraw Consent
We collect, use, store and share your information because we are permitted to by law; in order to deliver your support your employment, but you do have a right to object to us doing this.
When we collect, use, store or share your information based on your consent, you have a right to withdraw that consent at any time.
Our Data Protection Officer will be happy to speak with you about any concerns you have.
Right to Correction
If information about you is incorrect, you are entitled to request that we correct it.
There may be occasions, where we are required by law to maintain the original information – our Data Protection Officer will talk to you about this and you may request that the information is not used during this time
We will respond to your request within one month of receipt or will tell you when it might take longer.
Right to Portability
You can ask us to send your information to another organisation on your behalf if you wish.
You also have the right to make complaints and request investigations into the way your information is used. Please contact our Data Protection Officer or visit the link below for more information.
For more detailed information on your rights visit www.ico.org.uk/for-the-public.
Does Heach Group Practice use profiling or automated decision making?
No Heacham Group Practice does not undertake automatic profiling or automated decision making in relation to your employment information.
Our Data Protection Officer will be happy to speak to you about this if you have concerns or objections.
How does Heacham Group Practice protect my information?
Heacham Group Practice are committed to ensuring the security and confidentiality of your information.
There are a number of ways we do this:
- Staff receive regular training about protecting and using personal data
- Policies are in place for staff to follow and are regularly reviewed
- We check that only the minimum amount of data is shared or accessed
- We use controlled access to systems, this helps to ensure that the right people are accessing data – people with a ‘need to know’
- We use encrypted emails and storage which would make it difficult for someone to ‘intercept’ your information
- We report and manage incidents to make sure we learn from them and improve
- We put in place contracts that require providers and suppliers to protect your data as well
How long does Heacham Group Practice store my information?
Heacham Group Practice will retain / store your CV / Application form for no more than 7 months if you are unsuccessful. We will keep your personnel record for your 6 Years post-employment date as part of our obligations as an employer. Where items of your record can be removed at an earlier time, or be de-identified, this will happen to ensure that Heacham Group Practice only hold information that is needed.