SpaMedica is an Independent Healthcare Organisation which delivers Cataract Surgery and other general ophthalmology services for the NHS from 23 (and increasing) sites across England.
SpaMedica is the Data Controller for the information it collects and records, uses and stores about its patients, carers, staff and the public.
This Privacy Notice informs you how and why we collect and process your personal data and your rights relating to that data.
We are registered with the Information Commissioner’s Office (ICO). Our registration number is ZA282424. If you would like to look at our registration, please go to the Data Protection register on the ICO website or use the link: https://ico.org.uk/esdwebpages/search
We will only process information relating to you as long as there is a lawful basis and it is necessary to do so. We may use one of the following lawful bases:
We keep records about your treatment and care both on paper and electronically. Details of the information we keep include, but are not limited to:
This information may be given to us directly by you. Our staff record information about you as part of your care. The staff who do this include surgeons, optometrists, nurses, HCTs, administrative & support staff.
We may also hold information relating to your direct care which has been provided to us by other NHS organisations such as your GP and optician.
We need to collect, record, store and use your personal data in order to provide our healthcare services to you. SpaMedica has a lawful basis for processing personal data and meets the condition for processing special data.
As a provider of NHS services, SpaMedica undertakes most of its processing as part of its public task, which is health care provision, including education and teaching. Any patient data used for education and teaching is anonymised.
Your information is used for direct care, education/teaching and administrative purposes, which may include (but is not limited to):
As part of the NHS Constitution, the NHS commits:
“to ensure that those involved in your care and treatment have access to your health information so they can care for you safely and effectively”.
To deliver this commitment, SpaMedica routinely sends your GP a letter detailing the outcome of any episode of care delivered to you. We will also share proportionate information about your direct care with other appropriate NHS and non-NHS organisations, for example your referring optician, to help them provide direct care for you.
We may use your information for other purposes such as to:
We share some information about you with organisations that do not provide direct care. Any information we provide always complies with Data Protection legislation and NHS Caldicott principles and we ensure that it is relevant and proportionate for the purpose for which it is being used.
For example, we make mandatory, monthly returns of anonymised data to the government’s Secondary Uses Service (SUS). This data is used by NHS commissioners and the government to plan and assess healthcare provision locally, regionally and nationally.
Examples of organisations who we share information with include, but are not limited to:
We may also share your information where we have a legal obligation, for example where:
The above are only some examples.
We may also use your data to provide:
We record telephone numbers to enable us to contact you to arrange appointments or if an appointment has to be rearranged. We also contact you prior to your appointment to check that you are fit and well to undergo surgery. Some services also provide a text reminder service so that you can be reminded of your appointment. If you prefer not to be contacted in this way, please tell us so we can remove your number from the system.
SpaMedica is exempt from requiring Health Research Authority Approval because most of our studies are audit based and therefore do not require ethical approval. Any research carried out at SpaMedica would be undertaken using the principles of the Declaration of Helsinki and approved by the SpaMedica Medical Advisory Board.
We use CCTV in some parts of our hospitals to help us maintain the safety and security of individuals and property; for prevention and detection of crime and to facilitate the apprehension and prosecution of offenders and apprehension of suspected offenders. CCTV is used under strict guidelines and in line with national legislation and guidance. We process this data as part of our legitimate interests.
You have the right of access to records we hold on you. This is sometimes referred to as a Subject Access Request. To help us process your request we will require you to provide proof of your identity and some clarity about the information you require. Please send a signed letter with your request by post to the address below or, alternatively, please scan/take a photo of your signed letter and email to us at firstname.lastname@example.org.
Subject Access Request
In addition to the Right to be Informed (i.e. this privacy notice) and the Right of Access, which is documented above, you also have the:
*The right to erasure and right to data portability are not applicable when processing on the lawful basis of a public task.
If you would like to exercise any of these other rights, please contact:
The Data Protection Officer
We will consider your request and respond to you within 30 days.
If you have registered a national data opt-out for your NHS records, we will respect that. However, we may then need to ask you for specific details to inform your care and possible treatment by SpaMedica.
SpaMedica does not use personal confidential data for any purpose other than personal care.
We keep all paper and electronic records securely to ensure confidentiality, integrity and availability and to prevent unauthorised access. The sensitivity of patient information is well understood within the healthcare sector. Our staff are required to undertake annual training on their duty of confidentiality and data protection, and these responsibilities are written into employees’ contracts.
Our contractors and agency staff have confidentiality clauses in their contracts. All our staff have their own unique logon credentials (username / password) for accessing our systems; and can only access those systems necessary for their job role. Within the different systems, their access is also in line with the individual’s job role. This ensures confidential data is on a “need to know” basis. We will undertake a Data Protection Impact Assessment (DPIA) where necessary, for example at the start of any major new project that involves the use of personal data or introduces new technologies. We do not transfer any information to countries outside the UK. If your information is to be sent outside of the European Economic Area, we will undertake a DPIA to ensure transfer is in accordance with Data Protection legislation and any identified risk is mitigated.
In the event of a data breach, this will be logged on our Incident Reporting system and fully investigated, with remedial action taken where required. We will report certain types of personal data breach to the Information Commissioner’s Office (ICO), and we are committed to the NHS Statutory Duty of Candour, which means we will be open when errors are made and harm is caused.
We keep your data for as long as required in line with the national NHS Records Management Code of Practice for Health and Social Care 2016. For further information, please search for “NHS records management code of practice 2016” in an internet search engine or use the link: https://digital.nhs.uk/article/1202/Records-Management-Codeof-Practice-for-Health-and-Social-Care-2016
If you would like independent advice about data protection or if you are not satisfied with the handling of your rights under data protection, you can contact:
The Information Commissioner’s Office