SpaMedica is an Independent Healthcare Organisation which delivers Cataract Surgery and other general ophthalmology services for the NHS from 15 (and increasing) sites across England.
SpaMedica is the Data Controller for the information it collects and records, uses and stores about its patients, carers, staff and the public.
This Privacy Notice informs you how and why we collect and process your personal data and your rights relating to that data.
We are registered with the Information Commissioner’s Office (ICO). Our registration number is ZA282424. If you would like to look at our registration, please go to the Data Protection register on the ICO website or use the link: https://ico.org.uk/esdwebpages/search
We will only process information relating to you as long as there is a lawful basis and it is necessary to do so. We may use one of the following lawful bases:
• Public Task – this is the lawful basis that we will mostly use to deliver our services as a provider of NHS services.
• Legitimate Interest – where we need to process your data for the day to day running of SpaMedica, other than for the performance of our public task.
• Vital Interest – when it is necessary to protect someone’s life.
• Legal Obligation – where we need to comply with the law.
• Contract – in order to perform our contract with you.
Where none of these are appropriate, then we will approach you for your specific consent.
We keep records about your treatment and care both on paper and electronically. Details of the information we keep include, but are not limited to:
• personal details such as name, address, date of birth, ethnicity and religion, NHS number and next of kin.
• contact we have with you e.g. hospital admissions, outpatients/clinic appointments
• notes and reports by health and care professionals about your health, GP details etc.
• details and records about your treatment and care.
• results of scans, laboratory tests, and any other tests.
• relevant information about people that care for you and know you well.
• basic details about associated people e.g. your spouse / partner, children, carers, relatives etc.
This information may be given to us directly by you. Our staff record information about you as part of your care. The staff who do this include surgeons, optometrists, nurses, HCTs, administrative & support staff. We may also hold information relating to your direct care which has been provided to us by other NHS organisations such as your GP and optician.
We need to collect, record, store and use your personal data in order to provide our healthcare services to you. SpaMedica has a lawful basis for processing personal data and meets the condition for processing special data. As a provider of NHS services, for most of its processing it is undertaking its public task, which is health care provision including education and teaching.
Your information is used for direct care, education/teaching and administrative purposes, which may include (but is not limited to):
• providing you with care and treatment, both now and in the future
• ensuring that appropriate information is available to all those who treat you medically and care for you professionally
• sharing information with staff employed by SpaMedica and other NHS and non-NHS organisations that may provide care for you
• supporting you in managing your own care
• helping our staff check that the care they provide to you is safe and effective e.g. clinical audit
• training and teaching our healthcare professionals so that they can experience, learn and train with real health care scenarios
As part of the NHS Constitution, the NHS commits
“to ensure that those involved in your care and treatment have access to your health information so they can care for you safely and effectively”.
To deliver this commitment, SpaMedica routinely sends your GP a letter detailing the outcome of any episode of care delivered to you. We will also share proportionate information about your direct care with other appropriate NHS and non-NHS organisations, for example your referring optician, to help them provide direct care for you.
We may use your information for other purposes such as to:
• properly investigate any complaints or legal claim, should you or someone on your behalf make a complaint about your care
• manage and plan our services
• send national surveys relating to the services you use.
We share some information about you with organisations that do not provide direct care. Any information we provide always complies with Data Protection legislation and NHS Caldicott principles and we ensure that it is relevant and proportionate for the purpose for which it is being used.
For example, we make mandatory, monthly returns of anonymised data to the government’s Secondary Uses Service (SUS). This data is used by NHS commissioners and the government to plan and assess healthcare provision locally, regionally and nationally.
Examples of organisations who we share information with include, but are not limited to:
• National Optical Council (NOC).
• Government departments: e.g. NHS England, Department of Health.
• SUS submissions to a Data Sources for Commissioners Regional Office (DSCRO).
We may also share your information where we have a legal obligation, for example where:
• we receive a formal court order
• there is a need to protect and safeguard vulnerable children and adults
• there is a public health need such as infectious disease
The above are only some examples.
We may also use your data to provide:
• anonymised information – where your data is rendered into a form which does not identify you. This data cannot be converted back into identifiable format.
• pseudonymised information – where your identifying data is replaced with non-identifiable data so that your ‘real world’ identity is removed. This data can only be converted back into identifiable format by an authorised, restricted keyholder. This is done through a strict approval process to ensure it is safe and secure and only used for the purpose for which it is being provided.
We record telephone numbers to enable us to contact you to arrange appointments or if an appointment has to be rearranged. We also contact you prior to your appointment to check that you are fit and well to undergo surgery. Some services also provide a text reminder service so that you can be reminded of your appointment. If you prefer not to be contacted in this way, please tell us so we can remove your number from the system.
SpaMedica is exempt from requiring Health Research Authority Approval because most of our studies are audit based and therefore do not require ethical approval. Any research carried out at SpaMedica would be undertaken using the principles of the Declaration of Helsinki and approved by the SpaMedica Medical Advisory Board.
We use CCTV in some parts of our hospitals to help us maintain the safety and security of individuals and property; for prevention and detection of crime and to facilitate the apprehension and prosecution of offenders and apprehension of suspected offenders. CCTV is used under strict guidelines and in line with national legislation and guidance. We process this data as part of our legitimate interests.
You have the right of access to records we hold on you. This is sometimes referred to as a Subject Access Request. To help us process your request we will require you to provide proof of your identity and some clarity about the information you require. A form is available to help with the request. For our patients, the form can be accessed on our external website (www.SpaMedica.co.uk) or it can be provided by contacting the Subject Access Request team below.
Subject Access Request
Email: [email protected]
In addition to the Right to be Informed (i.e. this privacy notice) and the Right of Access, which is documented above, you also have the:
• Right to Rectification
• Right to Erasure (Right to be Forgotten)*
• Right to Object
• Right to Restrict Processing
• Right to Data Portability*
• Right not to be subject to automated decision-making including profiling.
*The right to erasure and right to data portability are not applicable when processing on the lawful basis of a public task.
If you would like to exercise any of these other rights, please contact:
The Data Protection Officer
Email [email protected]
We will consider your request and respond to you within 30 days.
If you have registered a national data opt-out for your NHS records, we will respect that. However, we may then need to ask you for specific details to inform your care and possible treatment by SpaMedica.
We keep all paper and electronic records securely to ensure confidentiality, integrity and availability and prevent unauthorised access. The sensitivity of patient information is well understood within the healthcare sector. Our staff are required to undertake annual training on their duty of confidentiality and data protection, and responsibilities are written into employees’ contracts.
Our contractors and agency staff have confidentiality clauses in their contracts. All our staff have their own unique logon credentials (username / password) for accessing our systems and can only access those systems necessary for their job role. Within the different systems, their access is also in line with the individual’s job role. This ensures confidential data is on a “need to know” basis. We will undertake a Data Protection Impact Assessment (DPIA) where necessary, for example at the start of any major new project that involves the use of personal data or introduces new technologies. We do not transfer any information to countries outside the UK. If your information is to be sent outside of the European Economic Area, we will undertake a DPIA to ensure transfer is in accordance with Data Protection legislation and any identified risk is mitigated.
In the event of a data breach, this will be logged on our Incident Reporting system and fully investigated, with remedial action taken where required. We will report certain types of personal data breach to the Information Commissioner’s Office (ICO) and we are committed to the NHS Statutory Duty of Candour, which means we will be open when errors are made and harm caused.
We keep your data for as long as required in line with national NHS Records Management Code of Practice for Health and Social Care 2016. For further information please use “NHS records management code of practice 2016” in an internet search engine or use the link: https://www.nhsx.nhs.uk/information-governance/guidance/records-management-code/
If you would like independent advice about data protection or if you are not satisfied with the handling of your rights under data protection, you can contact: