Effective date: 2008-11-10
Updated on: 2023-05-21
About DMC Healthcare Ltd. and DMC Imaging Ltd.
DMC Healthcare and DMC Imaging Ltd (DMC, the organisation), of 81 Bellegrove Road, Welling, Kent DA16 3PG, are Controllers of the personal data we hold. We are registered with the Information Commissioner’s Office as a Data Controller and our registration numbers can be found by searching the ICO Register using this link. DMC take your privacy seriously and we want to provide you with information about your rights, who we share your information with and how we keep it secure.
How we use your information (our ‘purposes’)
DMC collects and uses your information for the following purposes:
- To provide you with healthcare when you visit our Primary Care, Radiology, Dermatology or Endoscopy services (includes recording for training and legal defence purposes).
- To provide our services and report to our Commissioners about the service we provide to you.
- To anonymise and use your data for research into better care and practice.
- To keep our patients, visitors and staff safe when visiting site with the use of CCTV, for example.
- We also process personal data as part of this website; please see the separate notice at the bottom of the screen to find out about this.
In the sections below we will provide more detail about what we collect, what we use it for, and our lawful basis to use it. The UK General Data Protection Regulation (UK GDPR or GDPR) defines several lawful bases, and a Controller must specify, in webpages such as this one, which lawful basis it is relying on when using your information.
To provide you with healthcare
What do we use your information for?
Your doctor, radiologist, dermatologist and other health professionals caring for you, such as nurses and reception staff, all need to keep records about your health and treatment so that they are able to provide you with the best possible care. These records are called your ‘health care record’ and may be stored in paper form or on computer and other electronic systems.
As part of this, we use your information to:
- Refer you to other healthcare providers when you need other services or tests
- Discuss or share information about your health or care with other health or social care providers
- Share samples with laboratories for testing (like blood samples)
- Share test results with hospitals or community services (like blood test results)
- Allow out of hours or extended hours GPs to look at your health record when you are going to an appointment
- Send prescriptions to a pharmacy
- Text you in relation to healthcare services and appointments
- Provide your samples to the courier for delivery to pathology
- Share reports with the coroner
- Receive reports of appointments you have attended elsewhere such as with the community nurse or if you have had a stay in hospital
- Produce medical reports on request from third parties such as the DVLA or your employer, but only when you have provided prior consent
- Move your patient records to Primary Care Support England
What information do we collect?
We collect the following:
- basic details about you, such as address, date of birth, NHS number, and next of kin
- contact we have had with you, such as clinical visits
- notes and reports about your health
- details and records about your treatment and care
- results of x-rays, laboratory tests etc
- information about your sexual life or home life
- information about ethnicity and religion
What is our lawful basis for using your information?
Healthcare providers are permitted to collect, store, use and share this information under Data Protection Legislation (the UK General Data Protection Regulation), which has a specific section related to healthcare information.
This is called a ‘lawful basis’. Where we are deemed to be a data controller, our lawful basis for using your personal data is UK GDPR Article 6(1)(e) – a task carried out in the public interest or in the exercise of official authority. We have an NHS contract to provide our services.
We can also only use your health and other ‘special category’ or sensitive information if we apply an exception. These are in UK GDPR and we use Article 9(2)(h) – for the provision of healthcare.
Please be aware that administrative staff will often access information addressed to a particular clinician to allow us to manage high volumes of communication. They are bound by confidentiality in the same way as the clinician is and will keep your information private.
About children and young people
Young people from the age of 16 are allowed to make decisions about how their health information is used and shared. They are deemed competent from this age to make decisions about their own healthcare. Under these circumstances, unless the young person agrees, a parent or guardian will not be provided with information about the care of the young person.
Where the young person is under 16, case law allows the health care professional to decide that the individual is competent enough to make a decision about their own healthcare. Equally, under those circumstances, a parent or guardian will not be provided with access to information about the care of the young person.
Conversely, should a health care professional deem that the young person who is under 16 years of age cannot make the decision themselves, then parents or guardians will be invited into the discussion.
Parents or guardians of those under 16 should note that the application of competency (sometimes called Gillick competency) may apply to some or all elements of the confidential information about the young person.
To provide our services, report to our commissioners and contribute to national NHS data sharing initiatives
What do we use your information for?
Along with activities related directly to your care, we also use information in ways which allow us to check that care is safe and provide data for the improvement and planning of services.
- Quality/ payment/ performance reports are provided to service commissioners
- Undertaking clinical audits locally to ensure safety and efficiency
- Sending practice information to other NHS bodies for national audits that are required by law (e.g., NHS Digital Audit Data Collection)
- Sending patient information to NHS Digital for Research and Planning Purposes. Find Out More about how Patient Data is Used for Planning Research.
- You can opt out if you wish.
- Supporting staff training
- Incident and complaint management
- As part of ad hoc clinical research – information that identifies you will be removed, unless you have consented to being identified
What is our lawful basis for using your information?
When we use your information to conduct audits and manage our services to you, our lawful basis is UK GDPR Article 6(1)(e) – a task carried out in the public interest or in the exercise of official authority. When we use your health information for this purpose, we rely on the exception of the management of healthcare systems in Article 9(2)(h).
When we anonymise your information to use it for an ad-hoc clinical research purpose, we rely on our legitimate interests (Article 6(1)(f)) to understand and develop new methods of care for individuals and the research exception in Article 9(2)(j).
Do we transfer any of your information outside of the UK?
For your radiology service, we employ the services of Apollo Radiology International (ARI) to provide out of hours support and to allow us to provide a round the clock service. The radiologists are based in India and have ‘view only’ remote access to your personal data on the same systems (based here in the UK) that our UK radiologists use. No data are allowed to be taken out of the system, and we have strong security controls around access. All radiologists are registered with the Royal College of Radiologists.
As required by UK GDPR, we have put contracts in place with ARI (called International Data Transfer Agreements) which are mandated by the Information Commissioner’s Office and which protect your personal data.
To help keep our visitors and staff safe
What do we use your information for?
DMC Healthcare Ltd has installed CCTV at the following locations:
Dulwich Medical Centre – SE22 9EP
Chadwick Road Surgery – SE15 4PU
External Front Entrance
External Front Car Park
External Rear Car Park
External Back Entrance
Upstairs Waiting Room
Reception & Waiting Room
Our purpose for using CCTV is to protect patients, staff and visitors from abuse or incidents of crime. This is a common measure employed by organisations as a deterrent for anti-social behaviour and allows DMC Healthcare Ltd to assist police where an event does occur. The ability to employ measures to protect individuals on the premises and ensure that staff and patients feel safe on site is crucial to allow DMC Healthcare Ltd to deliver services to data subjects and so is lawful in order to support our legitimate interests.
What is our lawful basis?
Under UK GDPR our lawful basis for the use of CCTV is therefore Article 6(1)(f) – legitimate interests. DMC Healthcare Ltd has also ensured that the CCTV is only in place in the more public areas of the premises and that surveillance does not extend to clinical areas or washroom areas where the individual would have a reasonable expectation of privacy. The recordings are kept securely, with limited access for 28 days. You can ask for a copy of recordings or raise objections or concerns by contacting our Data Protection Officer.
Sharing your information when required to by Law
Sometimes we will be required by law to share your information and will not always be able to discuss this with you directly. Examples might be for the purposes of detection or prevention of crime, where it is in the wider public interest, to safeguard children or vulnerable adults, reporting infectious diseases or where required by court order.
Care Quality Commission access to health records
The CQC has powers under the Health and Social Care Act 2008 to access and use your health information where it is necessary to carry out their functions as a regulator. This means that inspectors may ask to look at certain records to decide whether we are providing safe, good quality care. More information about the CQC can be obtained on their website https://www.cqc.org.uk/about-us/our-policies/privacy-statement
To share with the CQC we will rely on the lawful basis of UK GDPR Article 6(1)(e) – a task carried out in the public interest or in the exercise of official authority, and the Article 9(2)(i) exemption of ensuring high standards of quality and safety of healthcare.
The suppliers we use to support our services (data processors)
We use a number of providers who process your personal data on our behalf. All providers are bound by contract to keep your information safe and in line with UK GDPR requirements.
|Supplier or service|Website|
|---|---|
|SRCL Clinical Waste|http://www.srcl.com/|
|Couriers / Delivery||
|Prescribing Services Eclipse Live|https://www.prescribingservices.org/|
|Website Hosting / Mailing||
|Clarity Team Net|https://clarity.co.uk/teamnet/|
|IT Service Provider||
|Digital Redaction / Scanning||
|Payroll / Finance||
|Associations / Groups / Providers||
|Medical Defence Union|https://www.themdu.com/|
|Provision of Clinical System||
|Invicta Health e-learning|https://invictahealth.co.uk/provide/invicta-health-learning/|
|HR / Employment||
|Vision Primary Care Training|https://visionpct.co.uk|
|Hitec- Retina Security|http://hi-techsecurityandfire.co.uk/|
|Hornsey Consulting Ltd.|https://hornseyconsulting.co.uk/|
Newly added providers
Insource Ltd (Data Analytics) https://www.insource.co.uk/ Added 14th August 2021
Apollo Radiology International, Hyderabad, India (apolloradiologyintl.com)
Data protection law provides you with a number of rights that we are committed to supporting you with:
Right to Access
You have the right to obtain:
- Confirmation that your information is being used, stored or shared by us
- A copy of information held about you
We will respond to your request within one month of receipt or will tell you when it might take longer.
We are required to validate your identity, including the identity of someone making a request on your behalf.
Right to Object or Withdraw Consent
- We mainly use, store and share your information because we are permitted to do so in order to deliver your healthcare, but you do have a right to object to us doing this.
- Where we are using, storing and sharing your information based on explicit consent you have provided, you have a right to withdraw that consent at any time.
- You can choose to opt out of sharing your confidential patient information for research and planning. There may still be times when your confidential patient information is used: for example, during an epidemic where there might be a risk to you or to other people’s health. You can also still consent to take part in a specific research project.
- Visit nhs.uk/your-nhs-data-matters to opt out.
Our Data Protection Officer will be happy to speak with you about any concerns you have.
Right to Rectification
If information about you is incorrect, you are entitled to request that we correct it. There may be occasions where we are required by law to maintain the original information – our Data Protection Officer will talk to you about this and you may request that the information is not used during this time. We will respond to your request within one month of receipt or will tell you when it might take longer.
We will use third parties to provide services that involve your information, such as:
- Removal and destruction of confidential waste
- Provision of clinical systems
- Provision of connectivity and servers
- Digital dictation services
- Data analytics or warehousing (these allow us to make decisions about care or see how effectively the organisation is run – personal data will never be sold or made available to organisations not related to your care delivery).
We have contracts in place with these third parties that prevent them from using it in any way other than as instructed. These contracts also require them to maintain good standards of security to ensure your confidentiality.
Keeping Your Information Safe
We are committed to ensuring the security and confidentiality of your information.
There are a number of ways we do this:
- Staff receive annual training about protecting and using personal data
- Policies are in place for staff to follow and are regularly reviewed
- We check that only the minimum amount of data is shared or accessed
- We use restricted access to systems; this helps to ensure that the right people are accessing data – people with a ‘need to know’
- We use encrypted emails and storage which would make it difficult for someone to ‘intercept’ your information
- We report and manage incidents to make sure we learn from them and improve
- We put in place contracts that require providers and suppliers to protect your data as well
- We do not send your data outside of the EEA
How Long Do We Keep Your Information?
In line with the Department of Health Code, we will retain / store your health record for your lifetime. When a patient dies, we will send the record to Primary Care Services England, who review the record, and generally it will be destroyed 10 years later, unless there is a reason to keep it for longer. If you move away or register with another provider, we will send your records to the new provider. Our CCTV is kept for no longer than 30 days and then overwritten.
Asking questions about our use of your personal data and making a complaint
If you have any questions or wish to make a request in relation to your personal data, please contact us using the details on our main page or contact our Data Protection Officer at firstname.lastname@example.org. Our Data Protection Officer (DPO) service is provided by Kaleidoscope Consultants Ltd. When we ask for their support, we will aim to remove any reference to individual patients. Where this is not possible, we will use the minimum necessary to allow us to obtain advice and support. You can find out more about Kaleidoscope Consultants Ltd at www.kaleidoscopeconsultants.com.
You also have the right to complain, and you can do that in the first instance through our DPO. If you are not happy with the response, you also have the right to complain to the UK Information Commissioner’s Office; their details are as follows:
- Telephone – 0303 123 1113
- Website – Make a complaint | ICO (including a live chat service)