The Medical Secretariat Limited takes its responsibilities with regard to the management of the requirements of the new General Data Protection Regulations (GDPR) rules extremely seriously. This document provides our framework for managing the new GDPR requirements as effectively as we can and to the best of our understanding.
We have implemented policies, procedures and training of our staff to encourage their awareness of the requirements of GDPR and to ensure their compliance.
Our GDPR documentation demonstrates the technical and organisational measures which we have taken to safeguard the data of the consultants (Data Controllers) to whom The Medical Secretariat Limited provides a service.
Data is processed at The Medical Secretariat Limited’s operating offices and in any other places where the parties involved in the processing are located.
We restrict access to personal information to The Medical Secretariat Limited’s employees, contractors and agents who need to work with that information in order to operate, develop or improve our services. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations.
We have set out below how we collect, store and handle the data of our consultants’ patients in our role as the consultants’ Data Processor(s).
Data protection laws require us to take appropriate technical and organisational measures, which the Data Controller is responsible for ensuring are implemented, to prevent unlawful access to, or processing of, personal information.
The level of technical safeguarding of data should be appropriate to the nature of information in question, and the harm that might result from its improper use, or from its accidental deletion or destruction.
The following list shows some of the technical and organisational measures which we have put in place to ensure the safety and integrity of your data.
• We are trained in the appropriate handling of personal information and how to respond to a data breach
• We practise common sense cybersecurity requirements, such as locking screens when away from them, ensuring Windows updates are installed on release
• Where possible, we use two-factor authentication for key systems
• We ensure passwords are changed regularly on our systems
• We don’t use systems aimed purely at consumers, such as Gmail personal, Dropbox personal and Hotmail
• Our third-party providers of systems used to process your personal data are compliant with data protection laws and requirements, and also have effective data restore capabilities to ensure your data can be recovered
To you, as our Data Controller, we want to show that we are ‘safe hands’ whom you can trust implicitly to obtain, hold, handle and process your patients’ data in order to:-
- Assist you to meet your responsibilities with the provision of healthcare (for clinical practices)
- Assist you in your role of the establishment and defence of legal claims (for medico-legal practices)
All members of The Medical Secretariat Limited Team are appropriately trained in data protection, having attended training provided by Spire Healthcare. We also have an in-house ongoing programme of training and education to enhance The Medical Secretariat Limited’s commitment to GDPR.
We have updated our policies and procedures in line with GDPR legislation and carry out regular risk assessments and initiate upgrades and refinements to our systems to ensure that we have a very high level of demonstrable compliance with the new legislation. We have taken advice from the Information Controller’s Office and have invested heavily in our IT systems to provide a high level of security to protect our Data Controllers’ data.
All members of The Medical Secretariat Limited Team have signed confidentiality agreements, which form an important part of their induction.
All members of The Medical Secretariat Limited are required to adhere to the eight principles of data protection as laid down by the Act. In accordance with those principles, it is stated that personal and special category data shall be:-
- Processed fairly and lawfully;
- Processed for specified purposes only;
- Adequate, relevant and not excessive;
- Accurate and up-to-date;
- Not kept longer than necessary;
- Processed in accordance with data subjects’ rights;
- Processed and held securely;
- Not transferred outside the countries of the European Economic Area without adequate protection.
THE MEDICAL SECRETARIAT LIMITED’S EFFORTS TO PROTECT OUR DATA CONTROLLERS’ DATA
- We are required to have in place an adequate level of technical and organisational security measures to ensure that personal information is protected from unlawful or unauthorised access and from accidental loss, destruction or damage.
The Medical Secretariat Limited is able to provide our Data Controllers with assurances about the measures which we have put in place to safeguard their data and have implemented a high level of security for that data. Our Compliance Plan is available to view on request but, to summarise:-
- Our Data Controllers’ data is stored securely and in compliance with GDPR;
- Our premises at BMI The Edgbaston Hospital are protected with a burglar alarm with the access code known by those personnel with a legitimate reason to access the premises. Our premises at our satellite office are also protected with a burglar alarm with the access code known only to those personnel with a legitimate reason to access the premises. All papers are locked away and desks are cleared at the end of the working day;
- Our computers are password-protected with strong passwords changed regularly;
- We have protected our devices and software against viruses and malware using business-grade antivirus installed on all workstations. This is maintained and kept up-to-date;
- We have secured our internet connection at The Lodge, BMI The Edgbaston Hospital and at our satellite office;
- Our router and each endpoint workstation runs a firewall which is never turned off or suspended;
- Windows updates are set to automatically install on each computer to ensure that they have the latest security patches when they are released by Microsoft;
- Two-factor verification has been implemented to enhance the security of our E-mail accounts – we have also invested in purchasing the encrypted E-mail provider service (Egress Switch) for sending and receiving information by E-mail;
- Files are accessible only by individuals named in The Medical Secretariat Limited’s Compliance Plan and Record of Processing. These individuals are appropriately trained in data protection, having attended training provided by Spire Healthcare. Data is accessible only by those who have a legitimate reason to access those files and their content;
- Sensitive documents are password-protected with the password known only by the Data Controller and relevant Medical Secretariat personnel;
- All practical and reasonable steps are taken to ensure that our Data Processors do not have access to any personal data beyond what is essential for their work to be carried out properly;
- Patient data is not left unattended – computers are locked if leaving the desk unattended;
- Files which we hold for our Data Controllers are backed up on a daily basis to individual external hard drives which are backed up and encrypted with AES (Advanced Encryption Standard) and kept securely in a lockable metal cabinet. The previous day’s external hard drive is kept off-site to provide protection to our Data Controllers’ data in the event of a fire, flood or other damage at our main office at The Lodge, BMI The Edgbaston Hospital.
- We have a clear plan of action in the event of a data breach, suspected or actual, and all Medical Secretariat Limited Team members are trained to act quickly and appropriately in accordance with our Data Breach Response. Our Data Breach Response policy is available to view on request.
THE SCOPE OF THIS DATA PROTECTION POLICY
All employees and self-employed contractors of The Medical Secretariat Limited must comply with the requirements of GDPR when processing the personal and special category data of our Data Controllers.
This policy applies regardless of where the data is held, i.e. whether it is held on equipment owned by The Medical Secretariat Limited and held within our offices at The Lodge, BMI The Edgbaston Hospital, 22 Somerset Road, Edgbaston, Birmingham B15 2QQ, within our satellite office in South Birmingham, or outside these premises.
As part of our duties, we need to obtain and process information on behalf of our data controllers. This information includes any data that makes a person identifiable such as:
Name, address, date of birth, telephone number, E-mail address, name and address of general practitioner, NHS number, name and address of private medical insurer, insurance policy or membership number.
It also includes highly sensitive personal information which is disclosed in reports or letters dictated by the Data Controller and typed by the designated Data Processor.
Our company collects this information in a transparent way and only at the request of our Data Controller(s) in order to assist the controller to meet his or her responsibilities to their patient(s) with the provision of healthcare.
The Medical Secretariat Limited Data Processors must ensure that:
- All of our Data Controllers’ personal data is kept securely;
- No personal data is disclosed either verbally or in writing, accidentally or otherwise, to any unauthorised third party;
- Personal data is kept in accordance with each Data Controller’s retention schedule;
- Any queries regarding Data Protection, including subject access requests and complaints, are promptly directed to the Data Controller;
- Any Data Protection breaches, confirmed or suspected, are swiftly brought to the attention of the Data Protection Officer and the relevant Data Processor and that they support the Data Protection Officer and Data Controller in resolving breaches;
- Where there is uncertainty around a Data Protection matter, advice is sought from the Data Controller.
ACTIONS BY THE MEDICAL SECRETARIAT LIMITED TO PROTECT OUR DATA CONTROLLERS’ DATA
In an attempt to demonstrate its compliance with the requirements of GDPR, The Medical Secretariat Limited is committed to:
- Restricting and monitoring access to our Data Controllers’ sensitive data;
- Developing clear collection procedures for our Data Controllers’ data;
- Conducting regular assessments of the processes which we carry out for our Data Controllers, upgrading and refining our GDPR compliances where indicated;
- Increasing the personal knowledge of our Data Processors contracted to The Medical Secretariat Limited in online privacy and security measures in order that we are all clear and confident in our obligations to our Data Controllers in the processing of their data in compliance with GDPR;
- Implementing a high level of security to safeguard our Data Controllers’ data from virus or malware;
- Establishing clear procedures for reporting privacy breaches or data misuse;
- Establishing Data Protection practices (document shredding, secure locks, data encryption, frequent backups, access authorisation etc).
Our Data Protection provisions will appear in our GDPR documentation and will be appearing on The Medical Secretariat Limited’s website.
IN THE EVENT OF A DATA BREACH
Where a data breach occurs or is suspected, it should be reported immediately in accordance with The Medical Secretariat Limited’s Data Breach Response. Our Data Breach Response policy is available to view on request. This states:
- Contain the breach if possible;
- Sue Wilcox is to be informed as soon into the breach episode as possible – if the individual who discovered the breach is better used at his or her computer, someone else is to be sent to fetch or tell Sue Wilcox;
- Sue Wilcox will inform the relevant Data Controller, but if Sue Wilcox is not available, the Data Processor on duty must inform the relevant Data Controller “without undue delay”;
- The Medical Secretariat Limited’s Data Processor may need to inform the patient – but this will be the Data Controller’s decision;
- It will be the Data Controller’s decision about whether or not the breach is reported to the ICO. Not all breaches are reportable to the ICO, but The Medical Secretariat Limited’s Data Processor must report all breaches or suspected breaches to our Data Controllers;
- Breaches should be reported to the ICO within 72 hours of the event “unless it can be demonstrated that it is unlikely to result in a risk to the individual’s rights and freedoms”.
- Provide the Data Controller with the contact details for the ICO:
0303 123 1113 or via the ICO website https://ico.org.uk/for-organisations/report-a-breach/
If the breach has involved a patient who has been seen at a Spire Hospital, this must also be reported to the Spire Data Protection Officer and Spire Hospital Manager who must be informed within 24 hours of the breach – please therefore provide the Data Controller with this information and the contact details below:
firstname.lastname@example.org 020 7427 9071
This Privacy Statement will be reviewed again in May 2021, or sooner if indicated.