Privacy Policy
1. Lawful Reason to Use Your Personal Information
HS Health Group Limited is committed to handling your personal information lawfully and transparently. We collect and process your data primarily for providing direct care under:
GDPR Article 6(1)(e): Performance of a task carried out in the public interest.
GDPR Article 9(2)(h): Medical diagnosis, provision of healthcare, or management of healthcare systems.
In certain cases, we may require your explicit consent to process your data:
GDPR Article 6(1)(a): Explicit consent.
GDPR Article 9(1)(a): Explicit consent for special category data.
Your consent will be recorded in our SystmOne system. HS Health Group clinicians and other staff have a duty to care for you safely. If you withdraw information which they need and they cannot ensure the safety of your care without it, they may need to discharge you from the Service and ask you to return to your GP.
2. National Data Opt-Out
We comply with the National Data Opt-Out policy. This means that if there is a data request that is in scope of the National Data Opt-out, and you have provided your NHS number to us and registered your choice with the National Data Opt-out programme, your data would not be shared by us. To manage your opt-out preferences and to find out more, please visit www.nhs.uk/your-nhs-data-matters or call 0300 3035678.
Your choice will only apply to the health and care systems in England. Your individual care will not be affected if you have applied the National Data Opt-out.
3. What data do we collect?
In order to provide a safe and professional service, we need to keep certain records about you and we therefore may process the following types of data:
Your basic details and contact information e.g. your name, address, date of birth and next of kin;
Health and social care data about you, which might include both your physical and mental health data.
We may also record data about your race, ethnic origin, sexual orientation or religion.
Any contact the service has had with you, such as appointments and clinic visits
Notes and reports about your health
Details about your treatment and care
Results of investigations such as laboratory tests and x-rays
Relevant information from other health professionals, relatives or those who care for you
We need this data so that we can provide high-quality care and support. By law, we need to have a lawful basis for processing your personal data.
We process your data because we have a legal obligation to do so – generally under the Health and Social Care Act 2012 or Mental Capacity Act 2005.
We process your special category data because:
It is necessary due to social security and social protection law (generally this would be in safeguarding instances);
It is necessary for us to provide and manage social care services;
We are required to provide data to our regulator, the Care Quality Commission (CQC), as part of our public interest obligations.
We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent at any time.
4. Where do we process your data?
To provide high quality care and support we need specific data. This is collected from or shared with:
You or your legal representative(s);
We do this face to face, via phone, via email, via our website, via post.
Third parties are organisations we have a legal reason to share your data with. These may include:
Other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, and other health and care professionals;
The Local Authority;
The police or other law enforcement agencies if we have to by law or court order.
5. Maintaining Confidentiality
We protect your privacy by adhering to the following laws and guidelines:
General Data Protection Regulation (GDPR) 2018.
Data Protection Act 2018.
Human Rights Act 1998.
Common Law Duty of Confidentiality
Health and Social Care Act 2012
NHS Codes of Confidentiality and Information Security
Information Governance: To Share or Not to Share Review.
Staff members only access your records with a legitimate purpose. All access is logged for monitoring and audit purposes. Unauthorised access is treated as a serious breach.
5. Sharing Information
We only share your data with other healthcare providers involved in your care or with your explicit consent, except in exceptional circumstances (e.g., life-threatening situations).
6. Accessing Your Records
Every member of staff who works for HS Health Group Ltd has a legal obligation to keep information about you confidential. Individual staff may only view your records with a legitimate reason for a legitimate purpose. This would of course include the clinician(s) directly involved in your care or other staff who might be ordering or receiving results linked to your care.
Other administration or management staff may need to access and use your records to contact you regarding appointments or your treatment. SystmOne, where your records are stored, creates a record of who has accessed your record for control and audit purposes.
A member of our staff accessing your record, or allowing someone else to access it, without a legitimate purpose is a serious data breach; it is dealt with under our disciplinary procedures and reported to the Information Commissioner's Office.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it, and only with your explicit consent. We will not disclose your information to any third party without your explicit consent unless there are exceptional circumstances (i.e., life or death situations), where the law requires information to be passed on, and/or in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share), where ‘The duty to share information can be as important as the duty to protect patient confidentiality.’ This means that healthcare professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. This is supported by our policies, regulators and professional bodies.
7. Subject Access Request:
You have the right to access your personal information under GDPR, 2018. A Subject Access Request (SAR) is an important facet of GDPR and is likely a future privacy law. It is what allows you to request and receive a copy of your personal data. We must comply with an SAR without undue delay and at the latest within one month of receiving your request at no extra cost.
To request your records:
Complete our Enquiry form on our website or email us at [email protected]
8. Retention of Records
Health records are retained as follows:
A minimum of 8 years after discharge.
9. Communication Preferences
We will contact you via your preferred method (telephone, SMS, email, or post). Let us know if your preferences change.
10. Security Measures
We store your data securely on UK-based systems with multiple layers of encryption and restricted access. Data transmission complies with NHS encryption standards.
11. Your Rights
You have the following rights under GDPR:
Access: View or obtain copies of your data.
Rectification: Correct inaccurate or incomplete data.
Objection: Object to data processing in specific circumstances.
Restriction: Limit data processing under certain conditions.
12. CCTV Data
If visiting premises with CCTV:
Images are collected for security purposes and retained for 28 days.
Access is restricted to authorised staff.
You can request access to CCTV data by emailing us on [email protected]
You have the right to block the processing of your personal data at any time by sending an email request to [email protected]
You can also block the processing activity when the operation is unlawful and you oppose the erasure of the data. However, blocking is not possible in case of an official investigation.
You can also request deletion of your data by sending your request to [email protected]
Your data is not shared unless we have the request and permission from you.
13. Complaints and Concerns
If you have concerns about data handling, contact:
Data Protection Officer: FAO: DPO [email protected]
Information Commissioner’s Office (ICO): 0303 123 1113 or www.ico.gov.uk.
14. Updates to This Privacy Policy
We may update this policy to reflect changes in legislation or practice. Please review it regularly for updates.
If you have any questions or concerns, contact us at [email protected]. Thank you for trusting us with your care.