How we use your personal information
- Why we collect information about you
- How information is used
- Your rights
- How we keep your personal information confidential
- What to do if there is a problem with your data
Face Clinic Limited (Tahmina Pearsall)
Face Clinic Ltd is a company through which Tahmina Pearsall delivers Cataract Surgery and other general ophthalmology services across England.
Face Clinic Ltd is the Data Controller for the information it collects and records, uses and stores about its patients, carers, staff and the public.
This Privacy Notice informs you how and why we collect and process your personal data and your rights relating to that data.
We are registered with the Information Commissioner’s Office (ICO).
Our registration number is ZA275605.
If you would like to look at our registration, please go to the Data Protection register on the ICO website or use the link: https://ico.org.uk/esdwebpages/search
Lawful Basis for Processing
We will only process information relating to you as long as there is a lawful basis and it is necessary to do so. We may use one of the following lawful bases:
- Public Task – this is the lawful basis that we will mostly use to deliver our services as a provider of NHS services.
- Legitimate Interest – where we need to process your data for the day to day running of Face Clinic Ltd, other than for the performance of our public task.
- Vital Interest – when it is necessary to protect someone’s life.
- Legal Obligation – where we need to comply with the law.
- Contract – in order to perform our contract with you.
What we collect and record about our patients and carers
We keep records about your treatment and care both on paper and electronically. Details of the information we keep include, but are not limited to:
- personal details such as name, address, date of birth, ethnicity and religion, NHS number and next of kin.
- contact we have with you e.g. hospital admissions, outpatients/clinic appointments
- notes and reports by health and care professionals about your health, GP details etc.
- details and records about your treatment and care.
- results of scans, laboratory tests, and any other tests.
- relevant information about people that care for you and know you well.
- basic details about associated people e.g. your spouse / partner, children, carers, relatives etc.
This information may be given to us directly by you. Our staff record information about you as part of your care. The staff who do this include surgeons, optometrists, nurses, HCTs, administrative & support staff.
We may also hold information relating to your direct care which has been provided to us by other NHS organisations such as your GP and optician.
Processing your data for direct care and administrative purposes.
We need to collect, record, store and use your personal data in order to provide our healthcare services to you. Face Clinic Ltd has a lawful basis for processing personal data and meets the condition for processing special data.
As a provider of health care services, for most of its processing it is undertaking its public task, which is health care provision including education and teaching. Any patient data used for education and teaching is anonymised.
How is your information used?
Your information is used for direct care, education/teaching and administrative purposes, which may include (but is not limited to):
- providing you with care and treatment, both now and in the future
- ensuring that appropriate information is available to all those who treat you medically and care for you professionally
- sharing information with staff employed by Face Clinic Ltd and other NHS and non-NHS organisations that may provide care for you
- supporting you in managing your own care
- helping our staff check that the care they provide to you is safe and effective e.g. clinical audit
- training and teaching our healthcare professionals so that they can experience, learn and train with real health care scenarios
As a healthcare provider and part of the NHS Constitution, the NHS commits
“to ensure that those involved in your care and treatment have access to your health information so they can care for you safely and effectively”.
To deliver this commitment, Face Clinic Ltd routinely sends your GP a letter detailing the outcome of any episode of care delivered to you. We will also share proportionate information about your direct care with other appropriate NHS and non-NHS organisations, for example your referring optician, to help them provide direct care for you.
We may use your information for other purposes such as to:
- properly investigate any complaints or legal claim, should you or someone on your behalf make a complaint about your care
- manage and plan our services
- send national surveys relating to the services you use.
We share some information about you with organisations that do not provide direct care. Any information we provide always complies with Data Protection legislation and NHS Caldicott principles and we ensure that it is relevant and proportionate for the purpose for which it is being used.
For example, we make mandatory, monthly returns of anonymised data to the government’s Secondary Uses Service (SUS). This data is used by NHS commissioners and the government to plan and assess healthcare provision locally, regionally and nationally.
Examples of organisations who we share information with include, but are not limited to:
- National Optical Council (NOC).
- Government departments: e.g. NHS England, Department of Health.
- SUS submissions to a Data Sources for Commissioners Regional Office (DSCRO).
We may also share your information where we have a legal obligation, for example where:
- we receive a formal court order
- there is a need to protect and safeguard vulnerable children and adults
- there is a public health need such as infectious disease
The above are only some examples.
We may also use your data to provide:
- anonymised information – where your data is rendered into a form which does not identify you. This data cannot be converted back into identifiable format.
- pseudonymised information – where your identifying data is replaced with non-identifiable data so that your ‘real world’ identity is removed. This data can only be converted back into identifiable format by an authorised, restricted keyholder. This is done through a strict approval process to ensure it is safe and secure and only used for the purpose for which it is being provided.
Your telephone/mobile phone number.
We record telephone numbers to enable us to contact you to arrange appointments or if an appointment has to be rearranged. We also contact you prior to your appointment to check that you are fit and well to undergo surgery. Some services also provide a text reminder service so that you can be reminded of your appointment. If you prefer not to be contacted in this way, please tell us so we can remove your number from the system.
Clinical Audits and Research
Face Clinic Ltd is exempt from requiring Health Research Authority Approval because most of our studies are audit based and therefore do not require ethical approval.
CCTV (closed circuit television)
We use CCTV in some parts of our hospitals to help us maintain the safety and security of individuals and property; for prevention and detection of crime and to facilitate the apprehension and prosecution of offenders and apprehension of suspected offenders. CCTV is used under strict guidelines and in line with national legislation and guidance.
We process this data as part of our legitimate interests.
Accessing your information (Right of Access)
You have the right of access to records we hold on you. This is sometimes referred to as a Subject Access Request. To help us process your request we will require you to provide proof of your identity and some clarity about the information you require. A form is available to help with the request. For our patients, the form can be accessed on our external website (www.tahminapearsall.com) or it can be provided by contacting the Subject Access Request team below.
Subject Access Request
Face Clinic Ltd, 49 Station Road, Polegate, East Sussex, BN26 6EA
In addition to the Right to be Informed (i.e. this privacy notice) and the Right of Access, which is documented above, you also have the:
- Right to Rectification
- Right to Erasure (Right to be Forgotten)*
- Right to Object
- Right to Restrict Processing
- Right to Data Portability*
- Right not to be subject to automated decision-making including profiling.
*The right to erasure and right to data portability are not applicable when processing on the lawful basis of a public task.
If you would like to exercise any of these other rights, please contact:
Face Clinic Ltd, 49 Station Road, Polegate, East Sussex, BN26 6EA
Email: firstname.lastname@example.org
We will consider your request and respond to you within 30 days.
National NHS Data Opt-Out
If you have registered a national data opt-out for your NHS records, we will respect that. However, we may then need to ask you for specific details to inform your care and possible treatment by Face Clinic Ltd.
Face Clinic Ltd do not use personal confidential data for any other purpose than personal care.
Keeping your Data Secure and Confidential
We keep all paper and electronic records securely to ensure confidentiality, integrity and availability and prevent unauthorised access. The sensitivity of patient information is well understood within the healthcare sector. Our staff are required to undertake annual training on their duty of confidentiality and data protection, and responsibilities are written into employees’ contracts.
Our contractors and agency staff have confidentiality clauses in their contracts. All our staff have their own unique logon credentials (username / password) for accessing our systems; and can only access those systems necessary for their job role. Within the different systems, their access is also in line with the individual’s job role. This ensures confidential data is on a “need to know” basis. We will undertake a Data Protection Impact Assessment (DPIA) where necessary, for example at the start of any major new project that involves the use of personal data or introduces new technologies. We do not transfer any information to countries outside the UK. If your information is to be sent outside of the European Economic Area, we will undertake a DPIA to ensure transfer is in accordance with Data Protection legislation and any identified risk is mitigated.
In the event of a data breach, this will be logged on our Incident Reporting system and fully investigated, with remedial action taken where required. We will report certain types of personal data breach to the Information Commissioner’s Office (ICO) and we are committed to the NHS Statutory Duty of Candour, which means we will be open when errors are made and harm caused.
Retention of data
We keep your data for as long as required in line with the national NHS Records Management Code of Practice for Health and Social Care 2016. For further information please use “NHS records management code of practice 2016” in an internet search engine or use the link: https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
The Information Commissioner’s Office
If you would like independent advice about data protection or if you are not satisfied with the handling of your rights under data protection, you can contact:
The Information Commissioner’s Office