Patient Privacy Notice
Who are we?
IPRS Aeromed is one of the UK’s leading suppliers of travel, court and event related medical services but we are also an independent provider of healthcare services. You have received this notice because IPRS Aeromed has been contracted to provide clinical services to you, on behalf of one or more of the following:
- Your employer
- Your employer’s Occupational Health provider
- Your employer’s insurer
- Your Private Medical Insurance provider
- Your Cash Health Plan provider
- Your insurer or a third party’s insurer
- Your solicitor or a third party’s solicitor
- The Home Office
- Security services, including the police services
- The Ministry of Justice or
- Other statutory bodies, such as the DVLA
To allow us to provide these services, we need to collect, process and store your personal and health-related information. This notice is to tell you why we need to do this, how the processing takes place and what we are allowed to do with your data – with and without your consent.
IPRS Aeromed is registered in the UK with the Information Commissioner’s Office (ICO) as a Data Controller, and is permitted to process personal and special categories of information (health data, for instance) in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018 (DPA).
As part of its responsibilities, IPRS Aeromed has a Data Protection Officer, who is responsible for monitoring the compliance of IPRS Aeromed’s data protection activities. IPRS Aeromed also has a Caldicott Guardian, who is responsible for protecting the confidentiality of your health and care information and making sure it is used properly. If you have any questions or concerns about your data protection, please contact email@example.com or telephone 08707 596999.
Why do we collect information from you?
To be able to manage your health or wellbeing referral to the best of our abilities, and to ensure that we provide the most appropriate care for your needs, we need to collect your personal data and certain health-related information. This information may take the form of electronic health records, held on our secure, UK-based servers, or may be paper files, stored securely in locked cabinets. Whichever format your information is held in, its security is paramount, and access to it is tightly controlled and is restricted to those staff who need access for the sole purpose of managing your referral. We will not release your data to anyone without your explicit consent to do so. We will not use your data for marketing purposes or allow any of our processors (authorised third parties providing services on our behalf) to do so either.
What is our lawful basis for collecting our data?
Any personal information we hold about you is processed under three lawful bases, as set out in Article 6 of the GDPR:
1) Consent – We ask for your explicit agreement as to how we manage and share your data. Our consent process is thorough, transparent and specific, and we will only process your data in line with the terms you agree.
The process also informs you of your right to withdraw your consent at any time, without prejudice, although you must be made aware that this may sometimes affect our ability to manage your referral if we are unable to share information with your funding approver, the body that requested the assessment or those responsible for your ongoing management.
Your details will never be shared with any person or organisation outside of the relationship between your referrer and IPRS Aeromed (including its authorised suppliers) without your explicit written consent (for example, if you wish to release your health records as evidence for a legal claim) unless we are legally obliged to do so by a court order or to protect public health.
The specific consent you give about the parties with whom you agree IPRS Aeromed may share your data is documented in detail in your health record. You have the right to request access to this record.
2) Legitimate interests – We process your data in order to be able to carry out our lawful business, which is the management and delivery of your referral. As we have been appointed by an organisation to provide services to you, we need to communicate with that organisation about you; and with the suppliers who deliver services on our behalf. This requires us to share your information:
1. for the purpose of managing your referral;
2. for financial purposes in the payment and submission of invoices, and
3. for communicating statistical information about you and your care.
These are our legitimate interests (and those of the organisation that referred you or that provide care to you) and these interests will continue providing that they do not countermand your own interests, rights or freedoms as an individual.
3) Legal Obligation – In certain circumstances we may have a legal obligation to process your data, specifically in the “establishment, exercise or defence of legal claims” or in the interest of public health. Under particular, but very rare, conditions, this may be done without your consent.
In addition to your personal data, we also need to process your ‘special category’ data, which is information about your health status. Any information we collect or hold about your health, and your treatment and care, is processed for the purposes of ‘preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services’ under Article 9 of the GDPR and chapter 2, section 9 of the Data Protection Act 2018.
What information do we collect about you and how do we collect it?
We collect your personal and health-related information in a number of ways, including:
- Referral details from your referring organisation
- Directly from you (or your authorised representative) by completion of forms (including online forms), during telephone calls, or during face to face encounters
- Information from our authorised suppliers, who will also only share the details of your treatment and care with IPRS Aeromed, unless you agree otherwise
The personal data we process may include your:
- Full name and preferred name
- Telephone numbers
- Date of birth
- Email address
- Work or employment details
- Insurance policy details
- Other identifying information
In addition to the above, we will also hold specific information about your health and wellbeing, which may include:
- An electronic health record detailing the significant events and correspondence related to your referral to IPRS Aeromed
- Health notes and reports, including details of treatment and care
- Information about any physical and mental health conditions, but only as relevant to your referral
- Results of investigations or procedures
- Information from other healthcare professionals involved in your care
- Other health related data about your smoking status, alcohol consumption, any disabilities you may have, and your family, lifestyle and social circumstances.
These data will only be collected and processed where this is necessary and relevant to the management and delivery of services provided to you by IPRS Aeromed. We will never collect information which is not justified by our legitimate interests, and we will never use your health data for direct marketing.
What do we (and can we) do with your personal data?
Your information is only used by IPRS Aeromed to manage and deliver your health services, or to report to those parties to which you have agreed. This ensures that:
- Staff involved in delivering your care have accurate and up-to-date information to provide the most appropriate evidence, advice or care
- Staff involved in managing your care are able to do so efficiently
- Your referring organisation has sufficient information to manage your needs, to help find you the most appropriate work duties or to effectively administer your insurance case or claim, depending upon the nature of your referral to IPRS Aeromed.
The information we collect and hold about you may also be used to:
- Tell you about any arrangements that IPRS Aeromed has made on your behalf
- Provide you with the contact details of our providers so that you can communicate with them directly
- Investigate complaints and report to the appropriate authorities when required to do so by law or with your consent
- Send you copies of reports, letters or any documentation you request in relation to your health or wellbeing services
- Contact you regarding patient satisfaction surveys, the results of which will be used to further improve IPRS Aeromed’s services to future users.
We always use the least amount of personal data that we can to achieve our aims and will try to anonymise or pseudonymise your information whenever possible, so as to give the greatest possible protection to your confidentiality.
Your data is never used for marketing or advertising purposes and would not be released to any third party without your explicit consent, unless there is a legal requirement to do so, such as a court order.
How do we maintain your data records?
As previously mentioned, your data may be held in both electronic and paper forms. All data is held securely and retained for a specified period of time, as laid out in our data retention schedules. Different types of data are held for different retention periods, as required by law or by IPRS Aeromed’s legitimate purposes.
Health records (containing the information pertaining to your health and wellbeing services) are retained by IPRS Aeromed for a period of ten years from the date of your discharge from IPRS Aeromed’s care. If you were a minor (under 18) at date of discharge, the record will be kept for ten years from your age of majority (ten years from your eighteenth birthday). This duration is required by our liability insurance provider, in anticipation of a need for health records being required for legal claims.
Once the retention period for your data expires, it will be destroyed or deleted in a secure manner. We will not keep your personal data for longer than is necessary to fulfil our legitimate purposes. Wherever possible, your personal data will be archived unless it is required for active referrals. If we wish to retain data for research or analytical purposes for longer periods, this will be retained as anonymous statistical data and will no longer be ‘identifiable’ to you personally.
Your data is processed and stored in accordance with UK data protection legislation, currently the UK Data Protection Act 2018 and the General Data Protection Regulation. In addition to this statute law, health information is also protected by the Common Law Duty of Confidentiality, other assorted healthcare professional standards of conduct (such as those set by the Health and Care Professions Council or the General Medical Council) or national standards as set by the Information Commissioner’s Office.
These combined requirements mean that we must:
- Maintain your data records fully and correctly
- Keep your data confidential and secure
- At your request, give you access to your data in a format which is accessible by you
What are your individual rights concerning your data?
Under the GDPR and the DPA, you have certain rights as an individual, regarding your personal data being held or processed by IPRS Aeromed. You have the right to:
- Be kept informed about any processing that takes place
- Know what information IPRS Aeromed holds about you and to have access to that information
- Request the correction of inaccurate or incomplete data held in your IPRS Aeromed record
- Withdraw or decline your consent for the sharing of your information at any point during the delivery of your health services
- Under specific conditions, request that your personal data be transferred to other organisations
- Restrict or object to IPRS Aeromed’s processing of your personal data, in certain circumstances.
Should you want to exercise your rights concerning your personal data, please contact firstname.lastname@example.org or telephone 08707 596999.
Who do you contact if you are unhappy with IPRS Aeromed’s management of your data?
If you have any concerns about what IPRS Aeromed is doing with your data, please contact the Data Protection Officer in the first instance.
IPRS Aeromed is regulated in all matters of data protection by the Information Commissioner’s Office (ICO). If you are dissatisfied with our response to your concerns or believe that IPRS Aeromed is processing your data otherwise than in accordance with the law, you have the right to make a complaint to the ICO, as below:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number
Fax: 01625 524 510