UK General Data Protection Regulation and Management (2023)
UK GDPR came into force on 31st December 2020 by an Act of Parliament, so the UK now operates under UK GDPR. Totally, as a healthcare provider organisation, has therefore considered making changes to reflect this in its policies.
Totally trades within the UK and Ireland.
The Board of Totally recognises the significance of data protection. The purpose of this policy is to protect all personal information controlled or processed by the organisation and ensure an adequate level of awareness to ensure data protection principles are applied across all areas of operation within Totally.
Compliance with our Data Protection Policy is achieved by a stringent set of controls, including policies, processes, procedures and software and hardware functions. These controls are monitored, reviewed, and improved by the Board to ensure that specific data protection, security and business objectives are met. This is operated in conjunction with other business management processes, and incorporates the applicable statutory, regulatory, and contractual requirements.
Totally is committed to complying with data protection law, the General Data Protection Regulation requirements and good practice. These include:
- Processing personal information only where this is strictly necessary for legal and regulatory purposes, or for legitimate organisational purposes.
- Processing only the minimum personal information required for these purposes.
- Providing clear information to natural persons (including children) about how their personal information can be used and by whom.
- Only processing relevant and adequate personal information.
- Processing personal information fairly and lawfully.
- Maintaining a documented inventory of the categories of personal information processed by the organisation.
- Keeping personal information accurate and, where necessary, up-to-date.
- Retaining personal information only for as long as is necessary for legal or regulatory reasons or for legitimate organisational purposes and ensuring timely and appropriate disposal.
- Respecting natural persons’ rights in relation to their personal information.
- Keeping all personal information secure.
- Only transferring personal information outside the UK in circumstances where it can be adequately protected.
- Developing and implementing the ISO 27001 certificate to enable the data protection policy to be implemented.
- Where appropriate, identifying internal and external interested parties and the degree to which they are involved in the governance of the organisation’s ISO.
- Identifying workers with specific responsibility and accountability for the ISO.
- Maintaining records of processing of personal information.
- The organisation may also utilise automated decision-making document screening processes, subject to manual interpretation, as part of the safer recruitment process.
Our Data Protection Policy and Data Awareness Program is incorporated in our staff induction and training program. The Data Protection policy is readily accessible internally and presented to existing and prospective clients upon request. In addition to employees, suppliers, contractors, and sub-contractors of Totally are expected to adhere to our Data Protection Policy.
Totally is committed to continual improvement and all employees are empowered to take responsibility for data protection, with a robust process for identifying and reporting data breaches in place and subject to regular review.
Through compliance with applicable statutory, regulatory, and contractual requirements, and the requirements of the General Data Protection Regulation (GDPR) for the protection of personal information, Totally will demonstrate confidence, integrity, and credibility both internally and externally.
Chief Executive Officer
Please read this Privacy Notice Policy carefully to understand our views and practices regarding your Personal Data and how we will treat it.
The Data Controller is Totally Plc, a registered company whose address is:
Cardinal Square West
10 Nottingham Road
Our ICO registration number is Z3148154.
As a data controller, we fully comply with the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 and the UK General Data Protection Regulation (UK GDPR). We will also comply with all applicable clinical confidentiality guidelines.
Any questions relating to Data Privacy with Totally plc or this Policy should be sent by email to firstname.lastname@example.org, or by writing to Totally plc, Cardinal Square West, 10 Nottingham Road, Derby, DE1 3QT
Alternatively, you can call our Data Protection Officer on 020 3866 3330.
What personal information is held?
We may collect and process the following data from you:
- Information you provide to Totally that is required to carry out our obligations arising from any interaction, contact or contract entered into between you and us, or from any potential interaction between you and us. This may include special category data that you have provided.
- Information that you provide by filling in forms on our website, or as part of any direct marketing or sales activities. This includes, but is not limited to, personal information about you such as your name, telephone contact number, geographical address/location, email address and interests.
- If you contact us by telephone or in writing, we may keep a copy of your correspondence or communication for record purposes.
If you have provided us with the personal data of another person, there is a clear requirement imposed by Totally plc for you to confirm that they consent to the processing of their personal data and that you have informed them of our identity as a Data Controller and the nature of the processing taking place. Records will be retained as evidence of this consent by the relevant teams.
Sometimes our staff and other third parties listen to calls for training and learning purposes. All requests for third parties will be approved by the Caldicott Guardian who is the Group Medical Director and who will consider the application of Caldicott principles in such cases.
Special Category Data:
In relation to providing health care as well as for recruitment purposes, special category data may be processed. Where this is collected, we will rely on a second legal basis for processing your data. Please note that you will always be aware when this data is processed and your consent will be collected.
All personal data is processed in the UK; however, for IT hosting and maintenance your information may be situated outside the European Economic Area (EEA).
How will we use the information we hold about you?
We use information held about you in the following ways:
- Performance of a contract – We use information held about you to carry out our obligations arising from any contracts entered between you and us; and to notify you about changes to our services.
- Processing – this will include using the information to fulfil any request made by you or someone on your behalf to purchase a product or receive one of our health or care services.
- Public Task – we will process your personal information when carrying out the performance of a task in the public interest which includes the provision of direct health care or social care. This may also include processing personal information for research and to train and educate health care professionals.
- Necessary for the purpose of preventative or occupational medicine – to assess whether you are able to work, the provision to you of health or social care, a medical diagnosis, or the management of health and social care systems.
- Necessary to defend legal claims or a court action.
- Vital interests – where it is necessary to protect your vital interests or those of another person.
- Public interest – this is usually in line with any applicable laws such as protecting against dishonesty, malpractice or other seriously improper behaviour.
- Information you have made public.
- Legitimate Interests – We use information held about you to provide you with information, products and/or services that you request from us or which we feel may interest you if relevant to the products or services currently being supplied as part of a contract with Totally plc, or in relation to a previous contract with Totally plc whereby you are happy to continue to receive such information.
These legitimate interests will also include:
- Providing you with information on products, services or feedback.
- Keeping our records up to date.
- For statistical research and analysis and to enable us to monitor and improve services.
- To monitor how we are meeting our clinical and non-clinical performance in the case of health care providers.
- Sharing your personal information with people or organisations in order to comply with any legal or regulatory obligations or to enable us to run our organisation.
- To fulfil laws that apply to us and the third parties we work with.
- To take part in or be the subject of any merger, sale or purchase of all or part of our business.
- Managing our relationships with you and third parties who assist us to provide the services to you.
Consent (Direct Marketing) – We use information held about you to provide you with information on products and/or services that you request from us, or which we feel may interest you where you have consented to be contacted for such purposes. Where consent has been provided to Totally, it is a recognised right of the Data Subject that this consent can also be withdrawn.
Should you wish to withdraw consent, please email email@example.com, or write to Totally plc, Cardinal Square West, 10 Nottingham Road, Derby, DE1 3QT.
Alternatively, you can call our Data Protection Officer on 020 3866 3330.
We will not share your data with third parties for other marketing purposes unless we have your express consent to do so.
Profiling – we may make use of profiling and screening methods to provide a better service to patients. Profiling helps us target resources more effectively through gaining an insight into the background of patients and helping us build relationships that are appropriate to their needs.
Who will see the information?
Your information will only be accessible to our staff and only where it is appropriate in respect of the role they are carrying out. We will never sell your information or let other organisations use it for their own purposes.
We will only share your personal information:
- Where consent is necessary, we will have obtained your consent to do so and will share information only for the specific reason your consent was given. You will have the opportunity to withhold consent when you complete the form on which we collect the data, or you can do so at any time by contacting us at the address shown above.
- Doctors, clinicians, hospitals, clinics, diagnostic and treatment centres and other health care providers to provide our services and continuity of health care. This also includes processing personal information to enable organisations to carry out research and processing personal information to train and educate health care professionals.
- Your GP – where clinically necessary we may share your information with your GP. You can ask us not to do so and we will respect this unless legally required to provide the information. You should be aware it may be detrimental to your health if your GP does not have your full medical history.
- First responders, ambulance service, safeguarding agencies, undertakers, coroner and care homes.
- Where it is necessary to protect your vital interests (i.e., your life or health).
- Other organisations you belong to, to confirm your entitlement to our services.
- Organisations or people with whom we must share your personal information by law or regulation. These can include national databases, screening registers, government authorities and NHS organisations.
- The police or other law enforcement agencies, to assist them in performing their duties where we are required to do so by law or under a court order.
- Where we use other organisations to provide services on our behalf, for example for processing, mailing, delivering, answering patients’ questions about products or services, sending mail and emails, external reception and appointment services, data analysis, assessment and profiling, or processing credit/debit card payments.
- Organisations to which you have asked us to supply information so that they can provide services or products you have requested.
- To any organisation requesting a reference when you have applied for a position with the organisation or to join the organisation in some capacity.
- Organisations providing IT systems, IT support and hosting in relation to IT systems on which information is stored.
- When using auditors and professional advisors.
- With our subsidiaries and affiliate companies.
- When we are legally required to, or because of a lawful request by a governmental or law enforcement authority.
- If we merge with another organisation, form a new entity, sell our business or purchase a business.
Where a third-party data processor is used, we ensure they operate under a contract which includes confidentiality and security of personal data and their obligations under the Data Protection legislation.
Your rights relating to Personal Data and GDPR
You have the following rights:
- Transparency over how we use your personal information (right to be informed).
- To request a copy of the personal information we hold about you, which will be provided to you within one month (right of access).
- An update or amendment of the personal information we hold about you (right of rectification).
- To ask us to stop using personal information (right to restrict processing).
- Ask us to remove your personal information from our records (right to be forgotten).
- Request us to remove your personal information for marketing purposes (right to object).
- To obtain and reuse your personal data for your own purposes (right to portability).
- Not to be subject to a decision based on automated processing.
You can contact us about any of these rights at the address shown above. To protect your privacy, we may ask you to prove your identity before we respond to any request. There is no charge for a request, and we will respond to the request within one month.
If you are not satisfied with the way in which we deal with your request, you can contact the Information Commissioner’s Office on 0303 123 1113 or at their website www.ico.org.uk.
Retention of your information
We take appropriate measures to ensure that any information collected from you is kept secure. Totally plc holds UKAS accredited certification to ISO 27001:2013 and is subject to both internal and external audits to ensure that information security is upheld.
Totally operates a clear Records Management and Retention policy and associated Retention Schedule to ensure personal data is kept only for so long as is necessary for the purpose for which such information is used.
We retain your records in accordance with UK legislation for the specific service provided. We also align our retention policy with the NHS Records Management Guidance.
If any of your personal data changes, or if you have any questions about how we use data which relates to you, please contact us by email at firstname.lastname@example.org. We normally update your personal data within seven (7) working days of any new or updated personal data being provided to us, to ensure that the personal data we hold about you is as accurate and up to date as possible.
National Data Opt-Out programme
The national data opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning.
The national data opt-out was introduced to enable patients to opt out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian. By 2020 all health and care organisations are required to be compliant with the national data opt-out policy, where confidential patient information is used for research and planning purposes.
Totally plc is not currently engaged in routine activities that involve processing patients’ data for purposes other than their direct care. This statement therefore acts as a backstop: should such processing occur in the future, a mechanism exists to ensure that patients who wish to opt out will have their wishes respected where the data is not already anonymised.
Department of Health and Social Care – August 2021