Data Protection is important to us
The Privacy Notices below will provide you with details as to what we will do with your personal information when you contact us or use our website, social media or services.
Data Protection Privacy Statement
We will tell you:
- why we are able to process your information
- what purpose we are processing it for
- whether you have to provide it to us
- how long we store it for
- whether there are other recipients of your personal information
- whether we intend to transfer it to another country (we do not!) and
- whether we do automated decision-making or profiling (we do not!).
This Privacy Notice tells you what HUC will do with your personal information when you contact us or use our services. Given the complexity of HUC, the requirements of the legislation and our desire to ensure full compliance with the legislation, this Privacy Notice is lengthy.
Most of the personal information we process is provided to us directly by you or by our healthcare partners, such as:
- You have used one of our services.
- Your information has been passed to us by our partners, such as results of tests and information from people who care for you, including health professionals and relatives
- You have applied for a job or secondment with us.
- You are representing your organisation.
- The professionals caring for you keep records about your health and any care you receive to ensure that you are provided with the best possible treatment.
Your records are used to direct, manage and deliver the care you receive to ensure that:
- The health professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate treatment for you
- Your concerns can be properly investigated if a complaint is raised
- Appropriate information is available if you see another doctor, or are referred to another part of the NHS, for example, the ambulance service.
How your information helps us improve services:
Your information may also be used to help us improve services by:
- Reviewing the care we provide to ensure it is of the highest standard and quality
- Ensuring our services can meet patient needs in the future
- Investigating patient queries, complaints and legal claims.
Please let us know if you do not wish for us to contact you to ask for your views on our services.
We do process children’s personal data. Children need particular protection because they may be less aware of the risks involved. We need to have a lawful basis for processing a child’s personal data. Where we are using ‘consent’ as a lawful basis, only children aged 13 or over are able to provide their own consent. For children under 13, we will obtain consent from whoever holds parental responsibility for the child.
Children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased
Data is kept according to our retention guidelines, which are largely set by statute. Retention guidelines are available from the Data Protection Officer.
Your rights depend on the nature of the data that is held in our files. You can find more detail about the type data we collect, how we collect, when and why throughout this page.
You can submit a request for the data that we hold on you. This request can be completed in writing, by email, or verbally. You do not have to make any mention of legislation or use specific wording, although we may ask you for clarification. The request can be made to any member of staff, who will forward the details to the Data Protection Officer, who will coordinate the response.
Alternatively, you can contact HUC at huc.informationrequests@nhs.net. We will need to confirm your identification.
You can also ask a third party (eg a relative, friend or solicitor) to make a SAR on your behalf. We will need to be satisfied that the third party making the request is entitled to act on your behalf, and it will be your and the third party’s responsibility to provide evidence of their authority.
We have to supply the data within one month and, in most circumstances, we cannot charge a fee for this service. If the request is complex, or if we receive a number of requests, we can extend the time limit by a further two months.
Before responding to a SAR for information held about a child, we will consider whether the child is mature enough to understand their rights. If the request is from a child and we are confident they can understand their rights, we will usually respond directly to the child. We may, however, allow the parent or guardian to exercise the child’s rights on their behalf if the child authorises this, or if it is evident that this is in the best interests of the child. If a child is competent, they may authorise someone else, other than a parent or guardian, to make a SAR on their behalf.
The data will be supplied to you in an accessible, concise and intelligible format, usually using the same means by which the request was made; thus if the request has been made by email, the response will be sent by email.
We can refuse to provide the information if an exemption or restriction applies, or if your request is manifestly unfounded or excessive.
The Data Protection Act 2018 gives you the right to access the information we hold about you on our records. This is generally done by contacting your GP surgery, but we can assist with some data requests.
We will ask you to provide proof of your identity before releasing records.
Please contact our Clinical Governance team: at huc.informationrequests@nhs.net to make your access requests.
We may share information with relevant third parties for direct care or safeguarding purposes.
Everyone working within HUC receives Data Protection training and knows that they have a legal duty to keep information about you confidential. Under the Data Protection Act and the NHS Confidentiality Code of Conduct, all our staff are required to protect your information, inform you of how your information will be used and that it will be shared across your integrated care team when relevant.
We will share information about you with staff in other organisations when it is necessary for your care. These may include:
- Your GP practice
- Other hospitals involved in your care
- Ambulance services
- Social services and care homes.
Sometimes we must pass on personal information by law, for example:
- When required to by a formal court order
- When sharing information with the police may prevent a serious crime or prevent harm to you or other people.
Your GP, hospital, community health, mental health and social care teams may all hold records about your care separately. Often, only health and care professionals within the same organisation can see this information. This means it can be difficult for them to work together to deliver the best care.
My Care Record is an approach to improving care by joining up health and care information. Wherever possible, health and care professionals will be able to access your records from other services when it is needed for your care. This may include individuals working within hospitals, GP practices, treatment centres, care homes, social care and community teams. This will make it easier and faster for them to make the best decisions. An administrator may access your records under the direction of a health and care professional providing care to you. For example, to check details of appointments and co-ordinate care.
Several different secure computer systems are used across the region. These allow health and care professionals to digitally access your records held by other services. In some areas systems are already in place, in other areas more work is underway to invest in the technology needed. The approach also provides an agreement between all the health and care organisations involved. This means they commit to sharing information in a secure way to help improve your care.
The My Care Record approach is in line with General Data Protection Regulation (GDPR) which provides the legal basis to share information between health and care services when it is needed to deliver care. All your information will be held securely.
Certain information – that doesn’t identify you – will also be used to help improve services and plan for the future. For example, it will help us plan for the number of doctors, nurses and care workers needed to look after you in the future.
You can object to your record being shared between services. To do this, speak to the person delivering care to you at each organisation such as your GP, specialist or social worker.
- It is important to understand that not allowing access to your information may affect the quality of the care you receive.
- In many situations, it is necessary to share information between services to deliver care. However, it may be possible to request that specific or sensitive information is not made available.
- There may also be some situations where information still needs to be made available. For example, if there is a serious concern about an individual’s safety.
Please see the My Care Record website www.mycarerecord.org.uk for more information. More information about the areas where your information may be used can be found on the My Care Record website www.mycarerecord.org.uk.
Each partner organisation participating is responsible for the information they share/access within the shared environment, including personal and special category data incorporated from individual records held by partner organisations. The information that can be accessed from your record from each service or organisation will depend on the system that is used.
It may sometimes be necessary to share confidential information without consent or where the individual has explicitly refused consent. There must be a legal basis for doing so (e.g. to safeguard a child) or a court order must be in place.
Where there is a legal requirement to disclose, for example, a direction under the Health and Social Care Act 2012 or disclosures under public health legislation, the lawful basis for processing would be: ‘… for compliance with a legal obligation…’ (Article 6(1)(c)). 9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law..’.
For issues such as notifiable diseases, the most appropriate special category condition for processing in the face of a legal requirement to disclose is ‘…for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services…’ (Article 9(2)(h)).
In deciding on any disclosure certain considerations and steps need to be taken:
- Discuss the request with the appropriate personnel such as the Caldicott Guardian and/or SIRO.
- Disclose only that information which is necessary or prescribed by law.
- Ensure recipient is aware that they owe a duty of confidentiality to the information.
- Document and justify the decision to release the information.
- Take advice in relation to any concerns you may have about risks of significant harm if information is not disclosed.
Requests may be received by other agencies which are related to law enforcement such as:
- The Police or another enforcement agency where the appropriate section 29 request form (in line with the Access to Records Procedure) needs to be submitted from the law enforcement agency in order for the CCGs to consider the request.
- The Local and National Counter Fraud specialists in relation to any actual or suspected fraudulent activity.
Staff will also take into account the seventh Caldicott principle and Information Governance Alliance guidance if there is a clear legal basis to share.
In some circumstances we are legally obliged to share information. In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share the information and document our decision making and satisfy ourselves we have a legal basis on which to share the information. The organisation will ensure that information sharing takes place within a structured and documented process and in line with the Information Commissioner’s Code of Conduct and in accordance with the Health and Social Care Act 2012 and Health and Social Care (Safety and Quality) Act 2015.
We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
The data is all held in England. We do not process data outside England.
We will not share your information with any third parties for the purposes of direct marketing.
You have the right to restrict how and with whom we share the personal information in your records. This must be noted explicitly within your records so all healthcare professionals and staff treating you are aware of your decision.
By choosing this option, unfortunately it may make the provision of treatment or care more difficult or unavailable. You can also change your mind at any time about a disclosure decision.
Your Data Protection Rights
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.
Your right of access
You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about this right here.
Your right to rectification
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can read more about this right here.
Your right to erasure
You have the right to ask us to erase your personal information in certain circumstances. You can read more about this right here.
Your right to restriction of processing
You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about this right here.
Your right to object to processing
You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests. You can read more about this right here.
Your right to data portability
This only applies to the information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated. You can read more about this right here.
We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact us at dpo@huc.nhs.uk and we will respond.
If you remain dissatisfied, you can make a complaint about the way we process your personal information to the Information Commissioner’s Office.
Contact our DPO
Our Data Protection Officer can be contacted at dpo@huc.nhs.uk or via our postal address.
HUC Head Office
The Old Ambulance Station,
Ascots Lane, Welwyn Garden City,
AL7 4HL
Please mark the envelope ‘Data Protection Officer’.
Website Privacy Policy
This privacy policy is for this website www.hucweb.co.uk and served by Herts Urgent Care (HUC) and governs the privacy of its users who choose to use it.
The policy sets out the different areas where user privacy is concerned and outlines the obligations & requirements of the users, the website and website owners. Furthermore, the way this website processes, stores and protects user data and information will also be detailed within this policy.
The Website
This website and its owners take a proactive approach to user privacy and ensure the necessary steps are taken to protect the privacy of its users throughout their visiting experience. This website complies to all UK national laws and requirements for user privacy.
Our website uses cookies to enhance your browsing experience. A cookie is a small text file of data stored by our website within your browser. These cookies allow us to distinguish you from other users of our website, which helps us to provide you with a good experience when you browse our website and also allows us to improve our site.
If you have previously browsed to our website and no longer wish to accept cookies, please be aware that some cookies may have already been set. You may delete these cookies at any time via your browser by following these instructions here
You can control cookies via your browser settings by following the instructions at this address, however if you choose to block cookies then your browsing experience may be affected.
Read more about the individual cookies we use and how to recognise them by looking at the table below.
Contact & Communication
Users contacting this website and/or its owners do so at their own discretion and provide any such personal details requested at their own risk. Your personal information is kept private and stored securely until a time it is no longer required or has no use, as detailed in the Data Protection Act 2018. Every effort has been made to ensure a safe and secure form to email submission process but advise users using such form to email processes that they do so at their own risk.
This website and its owners use any information submitted to provide you with further information about the training and services we offer or to assist you in answering any questions or queries you may have submitted. Your details are not passed on to any third parties.
External Links
Although this website only looks to include quality, safe and relevant external links, users are advised adopt a policy of caution before clicking any external web links mentioned throughout this website. (External links are clickable text/banner/image links to other websites, similar to www.facebook.com or Google.)
The owners of this website cannot guarantee or verify the contents of any externally linked website despite their best efforts. Users should therefore note they click on external links at their own risk and this website and its owners cannot be held liable for any damages or implications caused by visiting any external links mentioned.
Adverts and Sponsored Links
This website may contain sponsored links and adverts. These will typically be served through our advertising partners, to whom may have detailed privacy policies relating directly to the adverts they serve.
Clicking on any such adverts will send you to the advertisers website through a referral program which may use cookies and will track the number of referrals sent from this website. This may include the use of cookies which may in turn be saved on your computers hard drive. Users should therefore note they click on sponsored external links at their own risk and this website and its owners cannot be held liable for any damages or implications caused by visiting any external links mentioned.
Social Media Platforms
Communication, engagement and actions taken through external social media platforms that this website and its owners participate on are custom to the terms and conditions as well as the privacy policies held with each social media platform respectively.
Users are advised to use social media platforms wisely and communicate/engage upon them with due care and caution in regard to their own privacy and personal details. This website nor its owners will ever ask for personal or sensitive information through social media platforms and encourage users wishing to discuss sensitive details to contact them through primary communication channels such as by telephone or email.
This website may use social sharing buttons which help share web content directly from web pages to the social media platform in question. Users are advised before using such social sharing buttons that they do so at their own discretion and note that the social media platform may track and save your request to share a web page respectively through your social media platform account.
Shortened Links in Social Media
This website and its owners through their social media platform accounts may share web links to relevant web pages. By default, some social media platforms shorten lengthy urls www.imet.co.uk (this is an example: http://bit.ly/2h619CG).
Users are advised to take caution and good judgement before clicking any shortened urls published on social media platforms by this website and its owners. Despite the best efforts to ensure only genuine urls are published many social media platforms are prone to spam and hacking and therefore this website and its owners cannot be held liable for any damages or implications caused by visiting any shortened links.
Why we process data on our website
The purpose for implementing some of the steps above is to maintain and monitor the performance of our website and to constantly look to improve the site and the services it offers to our users.
The lawful basis we rely on to process your personal data is either Article 6(1)(a) of the GDPR, for example when we require your consent for the optional cookies we use, or Article 6(1)(f) which allows us to process personal data when it’s necessary for our legitimate interests. For example in order to maintain the integrity of our IT systems and the continuity of our business.
As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.
We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact us at dpo@huc.nhs.uk and we’ll respond.
If you remain dissatisfied, you can make a complaint about the way we process your personal information to the Information Commissioner’s Office . Please follow this link to see how to do that.
Fair Processing Notices for Devon Doctors Group Patients and Staff
For patients and staff of Devon Doctors Group, which merged with HUC at the end of 2022, there is a Fair Processing Notice available here.