1.1. EMA Patient Transport and Training Services (“EMA”) provide secure transport to patients experiencing mental health. We are the largest provider in Dorset and our service continuously evolves and develops to meet the needs of the local community and our professional colleagues.
1.3. All information handled by EMA is in compliance with the Data Protection Act 2018 (“DPA”) and the General Data Protection Regulations (“GDPR”). We recognise the importance of the correct and lawful processing of personal data and maintaining confidence in our operations. We fully endorse and adhere to the principles set out in the GDPR.
1.4. The aim of this policy is to demonstrate our commitment to our values and to being transparent and open.
1.5. EMA respects your rights to data privacy and data protection when you communicate (online or offline) with us through our website, contact centre, our ambulance and/or our staff as they complete their work.
1.6. To ensure that we process your personal data fairly and lawfully we are required to inform you:
1.6.1. Why we need your data;
1.6.2. How it will be used;
1.6.3. Where it will be stored; and
1.6.4. Who it will be shared with.
2. ROLES AND RESPONSIBILITIES
2.1. The Managing Director is appointed as the Senior Information Risk Owner (SIRO) and is accountable for the management of all information assets and any associated risks and incidents.
2.2. The HR & Compliance Manager is delegated responsibility by the Managing Director and acts as the Company’s Data Protection Officer ensuring processes, procedures and policies are compliant with the DPA and GDPR and that information is collected, retained and processed in line with EMA’s lawful reasons for processing. The HR & Compliance Manager is also responsible for ensuring staff are trained on the importance of Data Protection and the systems, procedures and safeguards EMA have in place.
2.3. EMA have an external consultant who is appointed the “Caldicott Guardian” and who is responsible for advising on the management of patient information and patient confidentiality.
3.1. EMA is a Data Controller under the DPA and holds information for the reason given to the Information Commissioner and may use the information for any of those reasons.
3.2. The Information Commissioner describes the processing in a register which is available to the public for inspection at http://www.ico.org.uk/. EMA’s entry on this register can be viewed at https://ico.org.uk/ESDWebPages/Entry/ZA123036.
4. WHAT INFORMATION WE COLLECT
4.1. We only collect and use your information for the lawful purposes of administering the business of EMA and to support us to provide a high-quality service and care. These purposes include:
4.1.1. Planning and booking patient ambulance journeys and the continuation of care;
4.1.2. Accounting and auditing;
4.1.3. Crime prevention and prosecution of offenders;
4.1.4. Health administration and services;
4.1.5. Information and databank administration;
4.1.6. Patient experience feedback outcomes information you provide;
4.1.7. Staff administration.
4.2. The records we keep may include the following:-
4.2.1. Basic details, such as name, date of birth and address;
4.2.2. Contact we have had, such as transfers;
4.2.3. Notes and reports about interaction with you and any care or support we have provided to you; and/or
4.2.4. Information from people who care for you and know you well such as other professionals involved in your care, and your family.
4.3. Records may also include:
4.3.1. Personal sensitive information such as sexuality, race, your religious beliefs;
4.3.2. Lifestyle and social circumstances;
4.3.3. Visual images, personal appearance and behaviour;
4.3.4. Physical or mental health details; and/or
4.3.5. Details relating to health and diagnosis.
4.4. It is important for us to have a complete picture, as this information helps our staff involved in your care to give personalised care and support to meet your needs.
5.1. We process personal data and sensitive personal data to enable us to support the provision of safe planning and transportation to patients, maintain our own accounts and records, promote our service, and support and manage our employees. We also process personal information about health care workers that deliver services throughout EMA, details of which can be found in the staff handbook.
5.2. EMA’s legal basis for processing is that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in EMA.
5.3. In terms of Special Categories of Data collected, processing is necessary to protect the vital interest of a data subject or another individual where the data subject is physically or legally incapable of giving consent.
5.4. We do not rely on consent to use your information as a legal basis for processing.
6. HOW EMA USES INFORMATION
6.1. Your information is used to run and improve EMA. It may be used to:
6.1.1. Check and report on how EMA is being effective;
6.1.2. Investigate complaints, legal claims or important incidents;
6.1.3. Make sure services are planned to meet patients’ needs in the future;
6.1.4. Review the service provided to make sure it is of the highest possible standard;
6.1.5. To improve the efficiency of healthcare services, by sharing information with the NHS for a specific, justified purpose and approved by EMA’s Caldicott Guardian;
6.1.6. To make sure your care is safe and effective;
6.1.7. To work effectively with other organisations who may be involved in your care.
7. HOW WE CONTROL DATA
7.1. EMA has an extensive Business Management System (BMS) which has policies, procedures and work instructions, detailing how we provide strict controls on both Data Security and Information Governance. The specific sections of our BMS that cover these areas are:
7.1.1. Information Governance
7.1.2. Information Lifecycle Management Policy
7.1.3. Record keeping
7.1.4. Confidentiality and Disclosure Policy
7.1.5. Network Security Policy
7.1.6. Risk Management
7.1.7. Staff Handbook
8. STORING AND PROTECTING YOUR INFORMATION
8.1. The GDPR regulates the processing of personal data and sensitive personal data. Strict principles govern our use of information and our duty to ensure it is kept safe and secure.
8.2. EMA are committed to keeping your information secure and take our duty to protect your personal data and confidentiality seriously. We are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible.
8.3. Information is retained in secure electronic records with restricted access to key personnel only. This access is regularly monitored to ensure no breaches.
8.4. Everyone working for EMA is subject to the Common Law Duty of Confidentiality, the DPA and GDPR. Information provided in confidence will only be used for the purpose for which you have consented, unless there are other circumstances covered by the law.
9.1. The Managing Director is ultimately responsible for ensuring that staff receive appropriate training; however, authority and responsibility are delegated to the HR & Compliance Manager.
9.2. The HR & Compliance Manager ensures staff undertake annual training in:-
9.2.1. Data Protection,
9.2.3. IT/Cyber security
9.3. Staff have the responsibility to ensure they attend and fulfil training needs.
10. SHARING YOUR INFORMATION
10.1. We do not share your information with any third party unless in exceptional circumstances such as:
10.1.1. Under obligation to comply with current legislation;
10.1.2. In the best interests of a vulnerable person;
10.1.3. Under a duty to comply with a Court Order; and/or
10.1.4. If the information is essential for the investigation of a serious crime.
11. SHARING INFORMATION FOR IMPROVING SERVICES
11.1. To help us monitor our performance and evaluate and develop the services we provide, we need to review and share minimal information with organisations that commission our services (such as Dorset Clinical Commissioning Group) and organisations that regulate and monitor our services (such as CQC); however, data is always anonymised so no identifiable information is used.
12. YOUR RIGHTS
12.1. You have the following rights in relation to the personal data we hold on you:
12.1.1. The right to be informed about the data we hold on you and what we do with it;
12.1.2. The right of access to the data we hold on you. We operate a separate Subject Access Request policy and all such requests will be dealt with accordingly;
12.1.3. The right for any inaccuracies in the data we hold on you, however they come to light, to be corrected. This is also known as ‘rectification’;
12.1.4. The right to have data deleted in certain circumstances. This is also known as ‘erasure’;
12.1.5. The right to restrict the processing of the data;
12.1.6. The right to transfer the data we hold on you to another party. This is also known as ‘portability’;
12.1.7. The right to object to the inclusion of any information;
12.1.8. The right to regulate any automated decision-making and profiling of personal data.
12.2. In addition to the above rights, you also have the unrestricted right to withdraw consent, that you have previously provided, to our processing of your data at any time. Withdrawing your consent means that we will stop processing the data that you had previously given us consent to use. There will be no consequences for withdrawing your consent. However, in some cases, we may continue to use the data where so permitted by having a legitimate reason for doing so.
12.3. If you wish to exercise any of the rights explained above, please contact the Data Protection Officer on the contact details under clause 13 below.
13. CONTACTING US ABOUT YOUR INFORMATION
13.1. We try to meet the highest standards when collecting and using personal data. We encourage people to bring concerns to our attention and we take any complaints we receive very seriously. You can submit a complaint via telephone, email or writing as follows:-
13.1.1. EMA Patient Transport and Training Services, Unit 10 Didcot Road, Bournemouth Dorset BH17 0GD, telephone number 0800 634 1478 – option 1 or via email to firstname.lastname@example.org
13.2. If you are still dissatisfied with EMA’s decision following your complaint, you may wish to contact:
13.2.1. Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. You can find more information on their website at www.ico.gov.uk. Please note that the Information Commissioner will not normally consider an appeal until you have exhausted your rights of redress and complaint to EMA.
13.3. If you have any questions or concerns about the information held, the use of your information or would like to discuss further, please contact the Information Governance team on 0800 634 1478 option 1.
14. RIGHT OF ACCESS (SUBJECT ACCESS REQUEST)
14.1. The Data Protection Act and the General Data Protection Regulations give you the right to see the information that EMA holds about you and why. These are commonly referred to as Subject Access Requests and these requests must be made in writing to EMA at the address set out in Clause 13 above. Subject Access Requests must contain the following information:-
14.1.1. Your full name, address, date of birth and NHS number. This is so your identity can be verified and information located.
14.1.2. Two forms of identification, one of which must contain a photograph. Acceptable forms of ID are Photo Driving Licence or Passport and the second form of ID should be a bank statement or utility bill showing your address not older than 3 months.
14.1.3. Details of the information required.
14.2. Where a fee is applicable under the terms of the Data Protection Act and subsequent legislation, we will inform you in writing.
14.3. We will acknowledge the request upon receipt then endeavour to deal with all requests within 1 month, unless the request is highly complex, where we may need to extend this period. If this occurs, we will ensure contact is made with an explanation as to the delay and a timeframe for the information to be provided.
15. DATA BREACHES UNDER GDPR
15.1. Under the GDPR we have a duty to report certain types of data breach (where information has not been appropriately protected) to the Information Commissioner’s Office (ICO). If the breach creates a risk to your rights we will notify you without undue delay and the ICO within 72 hours of becoming aware of the breach, where possible.
15.2. If the breach is likely to bring a high risk of adversely affecting your rights and freedoms, we will also inform you without undue delay.
16.1. The law determines how organisations can use personal information. The key laws are:
16.1.1. The Data Protection Act 2018
16.1.2. General Data Protection Regulations
16.1.3. Human Rights Act 1993
16.1.4. Common Law Duty of Confidentiality