Privacy Policy
When we outline to you how we take care of your data you will notice we use the words ‘the Clinic’, ‘we’, ‘us’ or ‘our’. This means we are referring to Devonshire Dermatology. We are a limited company registered in England and Wales.
We are, in almost all circumstances, what is called the ‘Data Controller’ of your personal data. We are responsible for deciding how we hold and use your data, for taking care of your data and ensuring that anyone we work with, who might need to access your data, also takes care of it and follows our rules. If there is ever a situation where another organisation or person is the Data Controller of your data, we will let you know.
What data we collect from you
We will need different pieces of information from you for different purposes which will be driven by your interaction with us. We will always keep the data we need to a minimum, and internally will ensure that only those with a legitimate need to see your data can do so.
How we lawfully process your data
We use your data for a range of different purposes. To do so lawfully we need to have a legal basis for doing so. We normally process your personal data if it is:
Necessary to provide you with your care – to enable us to carry out our obligations to you, arising from any contract entered between us. This may include the provision of services or treatments to you and related matters, such as billing, accounting and audit, credit or other payment card verification and anti-fraud screening
In our, or a third party’s legitimate interests to do so (e.g. in helping with medical safety, quality assurance and medical research, or managing our business operations). We will be utilising legitimate interests as our lawful basis under Article 6 UK GDPR in limited circumstances where the processing of your data does not impede your rights and freedoms. For more information, please refer to the ICO’s guidance on legitimate interests
Required by any applicable law (i.e. to meet certain legal obligations placed on us by English law as a healthcare provider
With your explicit consent for example: direct consumer marketing communications, participating in a clinical research project or clinical trial and/or engaging with third parties.
As part of your treatment, we are required to get your consent to the medical treatment itself. However, this consent shouldn’t be mistaken for consent to process personal data. As a private healthcare provider, we process your personal data in order to comply with our obligations under our contract with you. Generally, we will only ask for your consent to data processing if there are no other legal grounds to process. In these circumstances, we will always aim to be clear and transparent about why we need your consent and what we are asking it for. Where we are relying on consent to process personal data you have the right to withdraw your consent at any time by contacting us using the details below and we will stop the processing for which consent was obtained.
To process special category data (i.e. personal data that needs more protection because it is sensitive), we rely on additional legal grounds and generally, they are as follows:
Necessary for the purposes of medical diagnosis, to provide health or social care treatment, or to manage health or social care systems and services. This may also include monitoring whether the quality of our services or treatment is meeting expectations
With your explicit consent
It is necessary to establish, make or defend legal claims or court action
It is necessary so that we can comply with employment laws
It is necessary for a public interest purpose in line with any laws that are applicable. This should assist in protecting the public against dishonesty, malpractice or other seriously improper behaviour for example, investigating complaints, clinical concerns, regulatory breaches or investigations e.g. the Care Quality Commission (‘CQC’), the General Medical Council (‘GMC’) or the Information’s Commissioner Office (‘ICO’).
Where we get your data from
We very rarely obtain information about you without your prior knowledge. We will collect your personal data either from you directly, from your Dermatologist, or from a referring body.
There might be some instances where we receive data about you from other organisations or people. For example, if we receive a piece of information from your General Practitioner (‘GP’), embassy or insurance company, you should know about it prior to us receiving the data or we may confirm we have received it as part of your interaction with your care team.
Who we share your data with
Where possible, we avoid sharing your data with anyone outside of Devonshire Dermatology. There will be, however, situations where this is not possible, and a third party will need to access or be given a copy of your personal data.
Dermatologists who are Data Controllers in their own right (for example, in order to deliver your care)
Suppliers or collaborators (for example, in order to provide bespoke 3D prosthetics, or to support our IT infrastructure)
Regulators, authorities or government bodies (for example, in order to resolve a complaint that has been raised or to conduct professional body safety reviews)
Professional advisers, including external legal advisors, insurance companies and medical experts (for example, in order to resolve a legal claim or dispute, to provide pre and/or post procedure reviews)
Third parties for the purposes of debt collection
Third party payment processor companies. For the avoidance of doubt, Devonshire Dermatology will not store any of your payment card details
Delivery companies for the purposes of transportation
Third parties for health, wellbeing & patient safety analysis
Third party service providers for the purposes of storage of information and confidential destruction.
Where a third-party Data Processor is used, we ensure that, in addition to their obligations under Data Protection Laws, they operate under contractual restrictions which aim to safeguard the confidentiality and security of your information.
Where in the world your data is physically sitting
We use systems, technology and/or support vendors who may store or have access to physical or cloud storage which resides both in the UK and abroad. This includes countries both within the European Economic Area (‘EEA’) and, in limited circumstances, those further afield, for example the United States of America.
Where we store or share personal data with a third party in a country outside of the UK or EEA, we will put appropriate safeguards in place to protect that data in accordance with the applicable Data Protection Laws and the ICO’s guidance. These range from a contract with that third-party supplier through to technical measures to protect it while it gets there.
We may also need to share your data with a third party in a country outside of the UK if you are a resident of another country and that third party is authorising or providing part of your care.
How long we keep your data
We only keep your data as long as it is required either by English Law, health regulatory best practice, codes of practice, or our own legitimate business needs in line with our corporate policies.
The full range of retentions varies per record, some are only kept short-term, and some kept more long-term if they relate to legal matters or long-term medical conditions. Below are the considerations we use to determine the appropriate retention period:
The purposes for which we process your personal data and whether we can achieve those purposes through other means
The applicable legal, regulatory, tax, accounting or other requirements
The amount, nature, and sensitivity of the personal data
The potential risk of harm from unauthorised use or disclosure of your personal data.
How we protect your data
As you can appreciate, we cannot give you the full list of specific measures we have in place to prevent your data from being accidentally lost, used, accessed in an unauthorised way, altered or disclosed. However, please rest assured that we are committed to ensuring a high level of protection for your data while it is in our management.
Examples of some of the measures we have in place include:
Agreed organisation-wide standards on security and data handling
IT technical controls to limit access to your personal information only to those employees, agents, contractors and other third parties who have a business need-to-know
Physical security controls on our buildings and wards
Contractual controls with third parties (‘our house, our rules’)
Training and awareness for all employees and Consultants
Key roles in our organisation with specialist knowledge on Information Governance, Data Protection and Cyber Security to ensure your information is always protected.
What your rights are in connection with your data
Where we use your information with your consent, you control how that data is used and shared by Devonshire Dermatology. However, where we are using your data under a legal obligation or other grounds, your rights under Data Protection Laws are more restricted. For example, where we feel we need to share or use data to save your life very few of the Data Protection rights apply.