Data protection and use of data
We are committed to protecting and respecting patient privacy and are fully compliant with the Data Protection Act 1998, the 2018 General Data Protection Regulation (GDPR) and medical confidentiality guidelines as issued by the General Medical Council. We are registered with the Information Commissioner’s Office.
Under Article 6 of the GDPR, our lawful basis for processing data is “Consent”, and our legal basis for processing special category data under Article 9 is that processing is necessary for the purposes of medical diagnosis or treatment.
(For further clarification of these terms, please see the Guide to GDPR on the Information Commissioner’s website, www.ico.org.uk.)
When patients register at the hospital or clinic prior to their first consultation with Dr Lever, information collected by the hospitals is shared with Dr Lever and his secretaries.
We will ascertain patient preferences on methods of communication (post, email, telephone), which can be updated at any time by contacting the office.
Explicit consent is obtained for the use of email to send medical reports to the patient, to their referring GP/specialist and to any other clinicians involved in their care.
How your data is used
We keep relevant information on patients to provide them with safe and appropriate medical care. With the patient’s permission we will share information with their GP and other specialists to assist with continuity of care. Patients are sent a copy of Dr Lever’s clinic letters after every consultation, together with relevant test results. We may also be asked to share information with a patient’s medical insurance provider, but we will only do so with the patient’s written consent. Invoices submitted to private medical insurance providers for payment do not include details about diagnoses or medication but will itemise any procedures that have been carried out. In the event that an invoice remains unpaid, data may need to be shared with other professionals such as debt collection agencies or solicitors, but this will not include medical details.
Personal data will not be used for marketing purposes in any way.
We use a clinical software programme, DGL Practice Manager, provided by Clanwilliam Health, to store administrative, medical and financial information on our patients. This is a remote cloud-based system with off-site back-up within the EU and is accessible only by Dr Lever and his administration team. Our IT support is provided by Clanwilliam Health, and this organisation is bound by its own confidentiality code in respect of any data viewed in the process of fixing software or hardware issues with our computers or other electronic devices.
We also have paper files on each current patient, which are stored in lockable filing cabinets. Notes on patients who have not been seen for more than 6 months are scanned and paper records destroyed.
All administration staff have confidentiality clauses in their contracts. The administrators have full access to all our patient data, but do not access data unnecessarily and only view the information they need to see at a given time. Dr Lever is the main person responsible for data protection in his practice and data protection functions are shared with Spire Bushey Hospital, BMI the Clementine Hospital and 108 Medical Chambers depending on the site of consultation. A full Subject Access Request should be made in writing to Dr Lever and will be granted electronically within 30 days.
Use of Email
Email is a very efficient method of communication and one which we are keen to use; however, there are risks associated with email and we would like you to be aware of these before agreeing to correspond with us in this way. The risks of communication by email include, but are not limited to: the email being received by unintended recipients; the email being intercepted, altered, forwarded or used without authorisation and without detection; the email being circulated, forwarded and stored in paper and electronic files; the email being blocked by a spam filter and not received; backup copies of the email remaining after the sender and recipient have deleted their copies; and viruses being transmitted from one computer to another.
Under the General Data Protection Regulation (GDPR) any email containing patient data of any kind must be sent in an encrypted format. We will be using the Egress Switch platform for this purpose. To receive such emails, you will be required to subscribe to Egress Switch which is free to email recipients. Instructions on how to receive encrypted emails will be sent with the first message we send you. If you advise us in writing, we can send unencrypted emails, but this is not recommended.
With your permission, we would like to use email to:
send clinic letters and test results, in encrypted PDF format, to your GP and any other doctors or medical professionals involved in your care; send you a copy of your GP letter or medical report and any relevant test results in encrypted PDF format; and respond, in encrypted PDF format, to non-urgent administrative, accounts and clinical enquiries from you or anyone else involved in your care.