The purpose of this Privacy Statement

The purpose of this Privacy Statement is to explain how the musculoskeletal practice processes the personal data of its patients. It covers data handling, retention and destruction across all areas of the Practice. 

The musculoskeletal practice’s commitment

The musculoskeletal practice is committed to processing all personal data in a responsible way in accordance with the latest data protection legislation. To do this, the Practice implements appropriate technical and organisational measures to ensure a level of security commensurate with the risks. At all times, our staff are conscious of the confidential nature of patients’ personal data and we ensure that our support staff understand their roles and responsibilities in this regard.

Prof Field as a data controller

Prof Field is the data controller as he determines the purposes and means for which all personal data is managed once it has been passed to the musculoskeletal practice. He is supported by a Data Protection Officer (DPO) to whom data protection related concerns should be addressed in the first instance using: privacy@themskpractice.com

How personal data is acquired

Patient data will be provided to the Practice either directly from the patient or from one of the following third parties:

·      A referring General Practitioner, another Consultant, or other Healthcare practitioners.

·      The hospital in which the patient is being treated by Prof Field or other hospitals where a patient has been treated in the past.

·      Laboratories where investigations are undertaken.

·      Imaging facilities where imaging studies are undertaken.

·      Third party organisations who undertake specialised studies such as motion analysis studies and surgical planning. 

·      Third party organisations who provide robotic-assisted planning for surgery.

·      Third party organisations who provide patient specific instruments for surgery. 

Occasionally, other (non-patient) personal data may be processed and this will be collected directly from the source. This will be managed in accordance with this privacy statement.

 

Why we collect your personal data and how we justify it in law

Prof Field will process patient personal data to fulfil his contractual and legal obligations in support of any treatment that is being planned and further post operation activity. He will use his legitimate interests to process long-term patient review data and to contact patients regarding their participation in clinical outcomes and research studies, fundraising activities and to receive relevant information of interest. For each subject area, patients will be reminded that they have the option to decline further communication. 

Where historical data about patients’ treatment and outcomes is processed for research, education and marketing purposes, it will be anonymised beforehand.

In all cases, Prof Field will ensure that all personal data collected shall be: 

·      Processed fairly, lawfully and transparently.

·      Collected for specified, explicit and legitimate purposes.

·      Adequate, relevant and limited to what is necessary (and no more).

·      Accurate and, where necessary, kept up to date.

·      Kept for no longer than is necessary.

·      Processed in a manner that ensures appropriate security. 

Where the personal data is processed and stored

The majority of processing takes place at the hospitals where Prof Field undertakes out-patient clinics and surgery using a cloud-based medical records platform known as iMedDoc. Its supporting servers are located within the European Economic Area (EEA) and operated under licence from Imedoc Software Limited. The hospitals and out-patient facilities that Prof Field uses for patient treatments are:

·      The South West London Elective Orthopaedic Centre (SWLEOC), Epsom, Surrey.

·      The Lister Hospital, Chelsea Bridge Rd, London SW1W 8RH.

·      The Chelsea Out-Patient centre, 280 Kings Road, London, SW3 5AW. 

·      Spire St Anthony’s Hospital, 280 London Road, North Cheam, Surrey, SM3 9DW.

The support staff who are directly employed or contracted by Prof Field process patients’ personal data in accordance with Prof Field’s internal procedures and those of the hospitals that share access to patient data.

 

 

In addition, Prof Field uses the services of Imedoc Software Limited for transcription services. A very limited amount of personal data is processed outside the EEA but none of it is retained. Once transcriptions are completed, they are checked by UK based staff for accuracy and only stored on servers within the EEA. Extensive technical, organisational, security and control measures are taken to ensure that this service complies with the relevant legislation for cross border transfers of personal data. 

As part of patients’ ongoing treatment, personal data will be collected before and after any operation through questionnaires completed on paper or via an on-line data capture portal.

Any images (photographs, X-Rays, scans etc.) taken of a patient in support of the treatment being applied are stored either in the patient’s standard medical records pack, on Prof Field’s IT support database or on a secure server located in the EEA.

With whom your information is shared

Due to the nature of his work, Prof Field will need to share patient personal data with some or all of the following agencies:

·      A patient’s GP and/or Prof referring consultants and referring healthcare practitioners.

·      The host hospital where the anticipated treatment will take place.

·      Independent consultants and Healthcare practitioners engaged by the Practice on a patient’s behalf.

·      Companies providing diagnostic and surgical planning services.

·      Companies providing patient review programmes.

·      Office support service companies for administrative purposes only.

·      Other undefined agencies but only when acting in a patient’s vital interests.

·      HMRC for all financial transactions. 

·      Prof Field’s accountants for regulatory auditing. 

How long personal data is retained after patient involvement with Prof Field has ended

Once there is no lawful reason to process patient personal data, it will either be deleted, destroyed or put beyond operational use in accordance with the following schedule: 

·      For invoice transactions and payments and payroll, to comply with HMRC regulations, this will be retained for 6 years at the end of the current tax year.

·      For patient case files, papers and images, these will be retained up to 30 years after surgery and post operation follow up appointments have been completed. 

 

Information about data protection rights

Recent legislation puts much greater emphasis on transparency of processing and accountability by all parties involved in handling personal data. It also extends the rights of individuals in respect of their personal data. It should be noted that these rights have limits; therefore, they do not necessarily apply in all situations. For ease of visibility, the rights are listed below:

·      Right to be informed.

·      Right to access.

·      Right to rectification.

·      Right to erasure (‘right to be forgotten’).

·      Right to restrict processing.

·      Right to data portability.

·      Right to object to processing (for example direct marketing). 

·      Rights related to automated decision making and profiling.

In addition, there is a right to make a complaint directly to the Information Commissioner’s Office (ICO). For more details about all of these rights, please visit the ICO website at https://ico.org.uk.

If a patient wishes to exercise his or her right(s) or has concerns regarding the handling of their personal data, they are asked to contact Prof Field in the first instance using privacy@themskpractice.com. If a data subject access request is made, the Practice may ask for supporting documentation to verify the identity of the requester.

Last Updated April 2020