Patient Privacy Notice

Who are we?

IPRS Health Ltd

Unit 11, Opus Park

14 Exchange Place

Old Ipswich Road

Claydon

IP6 0FU

0800 072 1227

health@iprsgroup.com

www.iprshealth.com

IPRS Health is an independent provider of health and wellbeing services that has been contracted to provide clinical services to you, on behalf of one of the following:

  • Your employer;
  • Your employer’s Occupational Health provider;
  • Your employer’s insurer;
  • Your Private Medical Insurance or Health Cash Plan provider;
  • Your insurer or a third party’s insurer;
  • Your solicitor or a third party’s solicitor, or;
  • Your organisation or agency.

To allow us to provide these services, we need to process your personal and health-related information. 

IPRS Health is registered in the UK with the Information Commissioner’s Office (ICO), and is permitted to process personal and special categories of information (health data, for instance) in accordance with the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (GDPR).

As part of its responsibilities, IPRS Health has a Data Protection Officer, who is responsible for monitoring the compliance of IPRS Health’s data protection activities. If you have any questions or concerns about your data protection, please contact IPRS Health’s Data Protection Officer at:

DataProtectionOfficer@iprsgroup.com

How did we receive your personal data?

Your information was shared with us by the person or organisation that purchased the services on your behalf and referred you to IPRS Health for treatment.

Why do we process your personal data?

Under the DPA and UK GDPR, processing includes any action taken with personal data, even just storing it. Processing begins as soon as we receive your information and continues until we delete or destroy it.

We process your personal and health information so that we can manage your health or wellbeing referral effectively and ensure that we provide the most appropriate care for your needs.

This information may be kept as electronic health records, held on our secure, UK-based servers, or sometimes paper files, stored securely in locked cabinets.

In whichever format your information is stored, its security is paramount; access to it is tightly controlled and restricted only to those who need access, to manage your care.

IPRS Health will not use your data for direct marketing purposes.

What is our lawful basis for processing your personal data?

Our lawful basis for processing your data is our ‘Legitimate Interests’.

IPRS Health processes your data in order to be able to carry out its lawful business, which is the provision of health and wellbeing services to its clients. As we have been appointed by one of those clients to provide services to you, we need to:

  • communicate with that organisation about you;
  • communicate with the suppliers who deliver services on our behalf;
  • communicate with you, and;
  • keep your information as a health record.

Communication with our clients and providers requires us to share your information, which we will only do:

  • for the purpose of managing your referral;
  • for financial purposes in the payment and submission of invoices, and;
  • for communicating statistical information about you and your care.

These are our legitimate interests (and those of the organisation that referred you or that provides care to you) and these interests will continue providing that they do not countermand your own interests, rights, or freedoms as an individual.

You benefit from IPRS Health processing your data, as you are able to access the health and wellbeing services purchased on your behalf. We cannot provide those services without processing your data.

What categories of personal data do we process?

In addition to your personal and contact data, we also need to process information about your health.

Your health data are processed under the condition that processing is:

“Necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of UK law.”

under Article 9 section 2(h) GDPR and Chapter 2, sections 10 & 11 DPA.

For the purposes of Article 9(2)(h), the circumstances in which the processing of personal data is carried out subject to the conditions and safeguards referred to in Article 9(3) of the GDPR (obligation of secrecy) is that it is carried out:

“By or under the responsibility of a health professional.”

What information do we hold about you and how do we collect it?

The personal data that we process may include your:

  • Full name and preferred name
  • Home and work addresses
  • Telephone numbers
  • Email addresses
  • Date of birth
  • Gender
  • Occupation
  • Work or employment information
  • Employee number
  • Membership/Insurance policy details

We collect your personal and health-related information from:

  • Your referring organisation;
  • Directly from you (or your authorised representative);
  • From our authorised service providers.

In addition to the above, we will also hold specific information about your health and wellbeing, which may include:

  • An electronic health record detailing the significant events and correspondence related to your referral to IPRS Health;
  • Health notes and reports, including details of treatment and care;
  • Information about your Physical and Mental Health conditions, as relevant to your referral;
  • Results of investigations or procedures;
  • Information from other healthcare professionals involved in your care;
  • Other health or wellbeing-related data about your smoking status, alcohol consumption, any disabilities you may have, and your family, lifestyle, and social circumstances.

These data will only be collected and processed where this is necessary and relevant to the management and delivery of services provided to you by IPRS Health.

We will never collect information which is not justified by our legitimate interests, and we will never use your health or wellbeing data for direct marketing.

Who do we share your personal data with?

We share your data with:

  • Our selected service providers;
  • Your referring organisation, departments within your organisation or specific people within your organisation, such as your line manager;
  • Your solicitor (in certain circumstances).

Your information is used by IPRS Health only to manage and deliver your health or wellbeing services, and to communicate with the parties mentioned, which ensures that:

  • People involved in delivering your care have accurate and up-to-date information;
  • IPRS Health colleagues involved in managing your referral can do so efficiently;
  • Your referring organisation has sufficient information to manage your Occupational Health needs, to help find you the most appropriate work duties or to effectively administer your insurance case or claim, depending upon the nature of your referral to IPRS Health.

The information we collect and hold about you may also be used to:

  • Tell you about any arrangements IPRS Health has made on your behalf;
  • Provide you with the contact details of our providers so that you can communicate with them directly;
  • Investigate complaints and report to the appropriate authorities when required to do so by law or with your consent;
  • Send you copies of reports, letters, or any documentation you request in relation to your health or wellbeing services;
  • Contact you regarding patient satisfaction surveys, the results of which will be used to further improve IPRS Health’s services to future users;
  • Conduct quality management activities, such as audits.

We always use the least amount of your information that we can, to achieve our aims, and will try to anonymise or pseudonymise your information whenever possible, to give the greatest possible protection for your privacy.

Your data are never used for marketing or advertising purposes and would not be released to a third party, other than those delivering your care, without your explicit consent; unless there is a legal or medical requirement to do so, such as a court order.

We would only transfer your personal data within the UK, unless you request that we transfer them internationally.

How long do we keep your data?

As previously mentioned, your data may be held in both electronic and paper forms. All data are held securely, and are retained for a specified period of time, as laid out in our data retention schedules. Different types of data are held for different retention periods, as required by law, or by IPRS Health’s legitimate purposes.

  • Health records (containing the information pertaining to your health and wellbeing services) are retained by IPRS Health for ten years from the date of your discharge from IPRS Health’s care. If you were a minor (under 18) at the time of discharge, the record will be kept for ten years from your eighteenth birthday. These durations are required by our liability insurance provider, in anticipation of a need for health records being requested for legal claims.
  • Call recordings are kept for up to one year in case they are needed for a complaint or incident investigation.
  • Unconverted referral data (where you have declined treatment, or we have been unable to contact you or provide services) are kept for one year.
  • Complaint files and data subject access requests are kept for two years.

Once the retention period for your data expires, it will be destroyed or deleted in a secure manner.

If we wish to retain data indefinitely for research or analytical purposes, these are retained as anonymous statistical data that are no longer ‘identifiable’.

In addition to the legislation (the DPA and UK GDPR), health information is also protected under the common law by our duty of confidentiality, as well as under healthcare professional standards (such as those set by the Health and Care Professions Council), or national standards as set by the Information Commissioner’s Office.

These combined requirements mean that we must:

  • Maintain your records fully and accurately;
  • Keep your data confidential and secure;
  • At your request, give you access to your information in a convenient format.

What are your individual rights concerning your data?

Under data protection law, you have certain rights as an individual regarding your personal data and how it is processed by IPRS Health.

You have the right to:

  • Be kept informed by IPRS Health about any processing that takes place, which is the purpose of this privacy notice;
  • Know what information IPRS Health holds about you, and have access to that information;
  • Request the correction of inaccurate or incomplete data held by IPRS Health;
  • Restrict or object to IPRS Health’s processing of your personal data, in certain circumstances.

Health records are not subject to the right of erasure, and because we do not receive the data only from you, your data is not portable.

IPRS Health does not base any decision solely on automated processing or profiling.

Should you wish to exercise any of your rights concerning your personal data, please contact IPRS Health’s Data Protection Officer at DataProtectionOfficer@iprsgroup.com or by telephone on 0800 072 1227.

Who to contact if you are unhappy with IPRS Health’s management of your data?

If you have any concerns about what IPRS Health is doing with your data, please contact IPRS Health’s Data Protection Officer in the first instance.

You have the right under UK data protection law to lodge a complaint with a supervisory authority. IPRS Health is regulated in all matters of data protection by the Information Commissioner’s Office (ICO). If you are dissatisfied with our response to your concerns or believe that IPRS Health is processing your data otherwise than in accordance with the law, you have the right to make a complaint to the ICO, as below.

Information Commissioner's Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.

Fax: 01625 524 510