Our policy on data processing and privacy

Millbrook Healthcare Limited provides community equipment, wheelchair, assistive technology and home improvement agency services to local authorities and the NHS. We take your confidentiality and privacy rights very seriously. This policy explains how we collect, process, transfer and store your personal information and forms part of our accountability and transparency to you under the General Data Protection Regulation (GDPR) 2018.

How will we meet the principles of the GDPR?

We do not rely on consent to use your information as a legal basis for processing. In simple terms, this means we can use your personal information to provide services to you without seeking your consent. Please note under the regulation you do have a right to say no to our use of your information, but this could have an impact on our ability to provide services to you.

We will process your personal information fairly and lawfully by:

  1. only using it if we have a lawful reason and when we do, we make sure you know how we intend to use it and tell you about your rights
  2. only collecting and using your information to provide you healthcare services and will not use it for any other purpose that is not considered by law to be for this purpose
  3. only using personal data that is relevant and necessary for us to carry out various tasks in providing healthcare services to you
  4. keeping your personal information accurate and up to date when using it, and if it is found to be incorrect, we will make it right, where appropriate, as soon as we can
  5. only keeping your information in a way that will identify you for as long as we are required to, whilst ensuring your rights
  6. having secure processes in place to keep your personal information safe and secure when it is being used, shared, and when it is being stored

What information do we collect from you?

Millbrook Healthcare staff keep records about the services we provide to you. This may include:

  • basic details such as your name, address, date of birth, telephone number(s), and email address
  • your next of kin and contact details
  • notes and reports about your physical health and any care or support you need and receive
  • relevant information and reports from other professionals, relatives or those who care for you or know you well
  • telephone records and recordings of inbound and outbound calls
  • any contact(s) you have with us such as home visits or clinic appointments
  • service user experience feedback and treatment outcome information you provide

Your personal information and records are in both electronic and hard copy paper format. Electronic record are held securely on a computer system and secure IT network.

Why do we collect this information about you?

Your information is used to guide, inform and record the services you receive and is vital in helping us to:

  • have all the necessary information to assess your needs and for making decisions with you about the services you receive
  • have details of our contact with you, such as referrals and appointments and can see the services and equipment you have received
  • assess the quality and outcomes of the services provided
  • investigate if you have any concerns or a complaint about the service(s) you have received

Staff involved in your care will also have accurate and up to date information and this accurate information about you is also available if you move to another area, need to use another service or see a different healthcare professional.

Who might we share your information with?

Your information will be shared with the team providing services for you. However, we work collaboratively with NHS partners, local authority agencies including social services so may need to share information about you with other professionals and services involved in your care and equipment provision.

We do this in order to provide the most appropriate care and support for you or when the welfare of other people is involved. We will only share your information in this way if we have your consent and it is considered necessary.

You have the right to refuse and withdraw your consent to information sharing at any time. Please discuss this with a member of staff as this could have implications in how you receive further care, support and equipment, including delays in your receiving care, support and equipment.

However, a person’s right to confidentiality is not absolute and there may be other circumstances when we must share information from your records with other agencies. On these rare occasions we are not required to have your consent. Examples of this are:

  • if there is a concern that you are putting yourself at risk of serious harm
  • if there is concern that you are putting another person at risk of serious harm
  • if there is concern that you are putting a child at risk of harm
  • if we have been instructed to do so by a Court
  • if the information is essential for the investigation of a serious crime
  • if you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object
  • if your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases.

The information from your records will only be used for the purposes that benefit the services we provide and we would never share it for marketing or insurance purposes.

Improving health, care and services through planning

To help us monitor our performance, evaluate and develop the services we provide, it is necessary to review and share minimal information, for example with our NHS and local authority commissioning partners. The information we share would be anonymous so you cannot be identified and all access to and use of this information is strictly controlled.

In order to ensure that we have accurate and up to date records, we carry out a programme of audits with access to records for this purpose monitored and only anonymised information being used in the reports that are shared internally.

How do we keep your information safe?

The organisation is committed to keeping your information secure and have operational policies and procedures in place to protect your information whether it is in electronic or hard copy (paper) format.

The organisation is entered on the Information Commissioner’s data protection register, with registration number Z5840326.

All of the information systems used by the organisation are implemented with robust information security safeguards to protect the confidentiality, integrity and availability of your personal information. The security controls adopted by the organisation are influenced by a number of sources including NHS Digital and Government standards. This also includes certification with the Cyber Essentials accreditation scheme.

All staff and sub-contractors are legally bound to respect your confidentiality and must comply with our information governance and information security procedures. Any breach of these procedures is treated seriously and may, in certain cases, result in disciplinary action.

Please note that if any of your personal information is to be processed overseas and outside of the EEA, a full risk assessment would be undertaken to ensure the security of the information.

In ensuring the safety and confidentiality of your personal information, the organisation also has to complete Data Protection Impact Assessments (DPIA). This is a process which helps assess privacy risks and identified the legal basis for the collection, use and disclosure of information, known as processing.

All new projects and processes that involve using or sharing personal information will require a completed DPIA at the initial stages and prior to any procurement decision being made. All DPIAs completed will be submitted to the Data Protection Officer and/or the Information Governance and Security Group for approval.

How long do we keep your information?

All clinical records held by the organisation are subject to the records Management Code of Practice for Health and Social Care Act 2016 (the Code). The Code sets out best practice guidance on how long we should keep your clinical information before we are able to review and securely dispose of it.

For further information on specific timescales, please refer to the retention schedule appendix within the Information Governance policy.

How can I access the information you hold about me?

You have the right to access and see the information we hold about you, whether in electronic or hard copy format. The exception to this is information that:

  • has been provided about you by someone else if they haven’t given permission for you to see it
  • relates to criminal offences
  • is being used to prevent or detect crime
  • could cause physical or mental harm to you or someone else

Your request can be made in writing, email or verbally and can be given to the service where you receive your services from us or, alternatively, sent to:

Data Protection Officer / Caldicott Guardian
Millbrook Healthcare Limited
Nutsey Lane
Calmore Industrial Estate
SO40 3XJ
Tel. 023 8066 2312
E-mail: dpo@millbrookhealthcare.co.uk

Data Processing & Privacy Concerns and Complaints

Our complaints team are available to assist you with any comments, concerns and complaints. The team act independently of any of the services we provide ensuring your concerns are thoroughly investigated and responded to in a timely manner. Please find contact details below:

Customer Engagement Officer
Millbrook Healthcare Limited
Nutsey Lane
Calmore Industrial Estate
SO40 3XJ
E-mail: feedback@millbrookhealthcare.co.uk
Tel. 023 8066 2314

You can also get further information and advice or report a concern to the UK’s independent authority, the Information Commissioner, via the contact details below:

Information Commissioner’s Office
Wycliffe House
Water Lane
Web: http://www.ico.org.uk
Tel. 0303 123 1113

Updating this Policy

This policy is correct at the time of publishing (August 2020), and small amendments may be made from time to time. This policy is maintained by Millbrook Healthcare. Should this policy differ from the policy published on our Group website, the policy on the Group website will apply first.