Smart Imms Clinic Privacy Policy
Introduction
We take privacy seriously and you can find out more here about your privacy rights and how we gather, use and share your personal information and the personal information of patients you store within our solution – that includes the personal information we already hold about you or your patients now and the further personal information we might collect about you or your patients either from you or from a third party. How we use personal information will depend on the products and services we provide to you.
Our Data Protection Officer (DPO) provides help and guidance to make sure we apply the best standards to protecting your information. Our DPO can be reached by post at Hayward Lodge, The Green, Woolpit, Bury St Edmunds, Suffolk, IP30 9RQ, England or by e-mail on GDPR@smartimms.com if you have any questions about how we use your personal information.
This privacy notice provides up to date information about how we use personal information and replaces any previous information we have given you about our use of personal information. If we make any changes affecting how we use personal information, we will update this notice and the date displayed at the top of this webpage, so please check back regularly for updates. Our website will always show the most up to date version of our privacy notice.
About us
We are a controller of the personal information we gather and use. When we say we or us in this privacy notice we mean TailorMade Information Technology Solutions Ltd. This company is registered as a data controller with the data protection supervisory authority, the Information Commissioner's Office (ICO).
Your privacy rights
You have the right to object to how we use your personal information. You also have the right to see what personal information we hold about you, to ask us to correct any inaccuracies and to ask for some of your personal information to be provided to someone else. In addition, when permitted by law, you can ask us to delete or restrict personal information we hold about you.
To exercise any of your rights in relation to your personal information, please contact our DPO by post at Hayward Lodge, The Green, Woolpit, Bury St Edmunds, Suffolk, IP30 9RQ, England or by e-mail on GDPR@smartimms.com.
You can contact our DPO to exercise any of your other privacy rights as follows:
- Right to object – you can object to our processing of your personal information by providing details of your objection to the DPO
- Access to your personal information – you can request access to a copy of the personal information that we hold about you, along with information on what personal information we use, who we share it with, how long we keep it for and whether it has been used for any automated decision making. You can make a request for access free of charge by contacting our DPO by post at Hayward Lodge, The Green, Woolpit, Bury St Edmunds, Suffolk, IP30 9RQ, England or by e-mail on GDPR@smartimms.com. Please make all requests in writing and provide us with evidence of your identity. See the Proof of identity checklist – https://www.gov.uk/government/publications/proof-of-identity-checklist/proof-of-identity-checklist – for information on the documents you will need to provide.
- Right to withdraw consent – if you have given us your consent to use personal information, you can withdraw your consent at any time
- Rectification – you can ask us to change or complete any inaccurate or incomplete personal information we hold about you
- Erasure – you can ask us to delete your personal information where it is no longer necessary for us to use it, where you have withdrawn consent or where we have no lawful basis for keeping it. We have the right to refuse to comply with a request for erasure where the personal data is processed for one of the following reasons:
  - We need to use the information to perform a task carried out in the public interest, to provide healthcare or treatment, or where it is necessary for reasons of public interest in the area of public health;
  - We need to use the information to comply with our legal obligations;
  - Archiving purposes in the public interest, scientific or historical research, or statistical purposes; or
  - The exercise or defence of legal claims.
- Portability – you can ask us to provide you or a third party with some of the personal information that we hold about you in a structured, commonly used, electronic form so it can be easily transferred
- Restriction – you can ask us to restrict the personal information we use about you where you have asked for it to be erased or where you have objected to our use of it
- Make a complaint – you can make a complaint to our DPO by post at Hayward Lodge, The Green, Woolpit, Bury St Edmunds, Suffolk, IP30 9RQ, England or by e-mail on GDPR@smartimms.com. You can also make a complaint to the data protection supervisory authority, the ICO, at https://ico.org.uk/
We will not make any charge for responding to any initial request from you to exercise your privacy rights and we will respond to your requests in accordance with our obligations under data protection law.
What kinds of personal information do we hold?
In this document, personal information includes your own information (referred to as “Account” information) and the personal information of your patients (referred to as “Patient” information) that has been uploaded to, or that you have access to within, the secure area we provide for using our products and services.
Personal “Account” information
We use a variety of personal information depending on the products and services we deliver to you:
- To provide most of our products and services we need your name, address, date of birth, contact details (phone number and/or e-mail address) and details of your organisation
- To provide our products and services to you we may need to obtain your payment details. No credit/debit card payment details are stored by us.
- Sometimes where we ask for your personal information it is needed to fulfil a contract with you or to meet a legal obligation (such as recording clinical data), and we will not be able to provide some of our products or services without that information.
Personal “Patient” information
This information is provided by you to assist in the use of the products and services we deliver to you:
- To provide most of our products and services we need the patient's name, address, date of birth, sex, contact details (phone number and/or e-mail address) and GP / Surgery details
- To provide many of our products and services which are healthcare related we may need information about health and medication, and an NHS number; and
- Sometimes we ask for this personal information because it is needed to fulfil a contract or to meet a legal obligation, and we will not be able to provide some of our products or services without it.
How we gather personal “Patient” information
- NHS bodies and other private clinical providers must be signed up to use our products and services. These organisations upload patient personal information so that they may use our digital services for recording clinical data or providing services, within a secure and protected area.
- To help identify patients and provide accurate services, and if we have patient consent to do so, we may provide NHS services to assist these organisations, such as viewing a patient's Summary Care Record or the Personal Demographics Service (PDS)
- Some organisations, such as a GP surgery, may hold a patient's personal and clinical information on their own products, which we may gather and provide access to within a secure area. This data is only accessed on a read-only basis for the period of time a patient record is classed as open and is not retained on our system.
- Information provided by other people on the patient's behalf, for example if someone books an appointment on their behalf. We may need to ask them for basic details, which may include health details.
How we gather personal “Account” information
- Directly from you, for example when you fill out an account form to receive a product or service
- We collect certain usage information when you use our website, such as Internet Protocol (IP) addresses, log files, unique device identifiers, pages viewed, browser type, any links you click on to leave or interact with our website and the products and services we offer, and other usage information collected from cookies and other tracking technologies. For example, we collect IP addresses to track and aggregate non-personal information, such as using IP addresses to monitor the regions from which users navigate our website. We may also collect IP addresses from users when they log in to our website as part of our log-in and security features
- From other organisations which hold commercially available data, such as the electoral roll, and companies that collate and update data. This helps us to keep our records up to date and learn more about our customers so we can improve our products and services
How we use personal “Patient” information
- This is controlled by each organisation that provided the personal data, to help identify each patient so as to provide the correct level of healthcare service to each patient
- Personal information recorded directly into our system by an account holder of the service we provide is retained for a 90-day period, which provides sufficient time to transfer this data to the account holder's own solution.
- Our account holders may need to share personal patient information with other organisations in the wider NHS or private healthcare sector, such as but not restricted to: General Practices, Pharmacies, Hospitals, Schools, Care Homes, and sometimes local authorities, to provide patients with a portable, diverse and professional healthcare service. The sharing of patient information between account holders within the services we provide is set up and agreed between themselves. We only provide and maintain the means to accommodate this service.
- To fulfil our contractual requirements. We may need to share personal information with our account holders and others in the wider NHS, such as the NHS Business Services Authority, and sometimes local authorities, to negotiate and check the accuracy of our payments and to ensure that we maintain appropriate professional and service standards and that your declarations and ours are accurate
How we use your personal “Account” information
We use your personal information:
- To provide our products and services, respond to queries and comments, collaborate with others to improve our products and services and provide you with the best level of customer service. We may use it to contact you about our products and services or to send you reminders (e.g. about patient data that is due to be deleted due to an inactivity period, or about running low on vaccines, etc.)
- To learn more about you. We will consolidate the information we hold about you across the different channels you use to interact with us (e.g. in store, by phone, by correspondence, etc.). We do this to keep our records accurate and up to date, to provide you with a seamless and consistent service and to build a clearer picture of our customers. By understanding you better we can offer you the best and most personalised service we can. However, we will only send you marketing material if you have agreed that we can
- To protect our customers, our staff and our business. We may use your personal information to help prevent and detect crime.
Our legal basis for using personal “Patient” information
We only use personal patient information where that is permitted by the laws that protect your privacy rights. We only use personal patient information where:
- We have your consent (if consent is needed)
- We need to use the information to perform a task carried out in the public interest, to provide health care or treatment, or where it is necessary for reasons of public interest in the area of public health
- We need to use the information to comply with our legal obligations
- It is fair to use the personal patient information either in our interests or someone else's interests where there is no disadvantage to you
Special protection is given to certain kinds of personal information that are particularly sensitive. This is information about a patient's health status, medication, racial or ethnic origin, religious or similar beliefs and sex life or sexual orientation. We will only use this kind of information where:
- It is required to deliver accurate healthcare services
- We have a legal obligation to do so (e.g. to protect vulnerable people)
- It is necessary for us to do so to protect vital interests (for example a severe and immediate medical need)
- It is in the substantial public interest
- You have specifically given us explicit consent to use the information
Our legal basis for using personal “Account” information
We only use your personal account information where that is permitted by the laws that protect your privacy rights. We only use personal account information where:
- We have your consent (if consent is needed)
- We need to use the information to perform a task carried out in the public interest, to provide health care or treatment, or where it is necessary for reasons of public interest in the area of public health
- We need to use the information to comply with our legal obligations
- We need to use the information to perform a contract with you
- It is fair to use the personal information either in our interests or someone else's interests where there is no disadvantage to you
Health and medication information
We will use health and medication information to provide healthcare services you have requested. We will never use this information for marketing, although we may use it to advise you of other health services or products that might be useful or relevant to you.
Sharing personal “Account” information with or getting your personal information from others
We will share personal information with other organisations where we need to do so to make our products and services available to you, to contact you about appropriate products and services, to meet or enforce a legal obligation, or where it is fair or reasonable for us to do so. We will only share your information to the extent needed for those purposes.
Who we share your personal information with depends on the products and services we provide to you and the purposes we use your personal information for. For some products and services, we will share your personal information with our service providers such as couriers, manufacturers and suppliers.
Most of the time the personal information we have about you is information you have given us, or is gathered by us in the course of providing products and services to you. We also sometimes gather personal information from and send personal information to third parties (such as NHS bodies) where necessary so we can fulfil our legal obligations as a provider of healthcare products and services.
Transfers outside the UK
We may need to transfer your information outside the UK to service providers, agents and subcontractors in countries where data protection laws may not provide the same level of protection as those in the UK or the European Economic Area (EEA), such as the USA.
We will only transfer your personal information outside the EEA where either the transfer is to a country which the EU Commission has decided ensures an adequate level of protection for your personal information, or we have put in place our own measures to ensure adequate security as required by data protection law. These measures include ensuring that your personal information is kept safe by carrying out strict security checks on our overseas partners and suppliers, backed by strong contractual undertakings approved by the relevant regulators, such as the EU-style standard contractual clauses (model clauses). We also use the EU Commission approved EU-US Privacy Shield when personal information is transferred to the USA.
You can find out more information about standard contractual clauses on the ICO website: visit https://ico.org.uk/ and search for international transfers.
Details of the third-party data processors we use can be obtained by contacting our DPO by post at Hayward Lodge, The Green, Woolpit, Bury St Edmunds, Suffolk, IP30 9RQ, England or by e-mail on GDPR@smartimms.com.
How long will we keep your personal “Account” information for?
We keep your personal information for as long as we have a legal or business reason to do so, which generally means as long as you remain a customer or as required to meet our legal obligations, resolve disputes or enforce our agreements. To fulfil our obligations to the NHS, regulatory or similar bodies, health-related personal information may need to be retained for a period of time after you cease to be a customer. We will always store it securely and not use it for any other purpose.
Keeping you up to date
We will communicate with you about the products and services we are delivering using any contact preferences you have given to us – for example by post, e-mail, text message or social media.
Where you have given us consent to receive marketing, you can update your contact preferences or withdraw consent by contacting our DPO by post at Hayward Lodge, The Green, Woolpit, Bury St Edmunds, Suffolk, IP30 9RQ, England or by e-mail on GDPR@smartimms.com.