Medical Diagnostic & Treatment Solutions

Medical Diagnostic & Treatment Solutions Limited (MDTS)
Privacy Notice Effective from 25th May 2018

What is a Privacy Notice?

A privacy notice is a statement of how Medical Diagnostic & Treatment Solutions collects, uses, retains and discloses your personal information. Personal information is information that identifies you and is about you.

To ensure that we process your personal data fairly and lawfully we are required to inform you:

Why we need your data
How it will be used and
Who it will be shared with
What rights you have in relation to the personal data we collect from you

The law determines how organisations can use personal information. The key laws are: the Data Protection Act, EU General Data Protection Regulation, the Human Rights Act, relevant health service legislation, and the common law duty of confidentiality.

Within these pages we describe instances where Medical Diagnostic & Treatment Solutions is the "Data Controller" (the organisation who decides what data we collect and how it is used), and where we direct or commission the processing of patient data to assist the management of eyecare services.

Medical Diagnostic & Treatment Solutions is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.

This notice applies to iRIS licensees, contracted clients and their Patients, Staff Members, Clinicians, Consultants, Contractors, Vendors and Suppliers to Medical Diagnostic & Treatment Solutions & iRIS.

Your information

What information do we collect about you?

We only collect and use your personal information where at least one of the legal basis applies and for the lawful purposes of administering the business of Medical Diagnostic & Treatment Solutions. The legal basis are as follows;

Under consent - where you have given your consent to the processing of your personal data.
Performance of a contract - where the processing of your data is necessary for the fulfilment of a contract, for example e-referrals of NHS patients is subject to a contract.
Compliance with a legal obligation - processing of your data is required by law and we are required to comply.
In the vital interest - we may process your personal data in order to protect your vital interests, for example in providing information for emergency treatment or care should it be required.
Public interest - we may process personal data in order to complete a task carried out in the public interest.
Legitimate interest - we may process your personal data as we hold a legitimate 'business' interest in processing that information.

The table below shows the purposes and the associated legal basis under which we process your personal data;

Purpose of processing	Legal basis for processing
Accounting and Auditing	Compliance with a legal obligation and Legitimate interest
Accounts and Records	Compliance with a legal obligation and Legitimate interest
Advertising and Public Relations	Under Consent and Legitimate interest
Consultancy and Advisory Services	Performance of a Contract and Legitimate interest
Crime Prevention and Prosecution of Offenders	Compliance with a legal obligation
Education	Legitimate interest
Healthcare Administration and Services	Under Consent, Performance of a Contract and Legitimate interest
Information and Databank Administration	Performance of a Contract and Legitimate interest
Research	Legitimate interest and Under Consent
Sharing and matching of personal information for national fraud initiative	Compliance with a legal obligation
Staff administration and Employment	Compliance with a legal obligation and Legitimate interest

What types of personal data do we handle?

We process personal information to enable us to support the provision of eyecare services to patients, maintain our own accounts, promote our services and to support and manage our employees. We also process personal information about healthcare professionals that deliver services through iRIS and within Medical Diagnostic & Treatment Solutions.

The types of personal information we use include:

Personal identity - such as title, name, gender, date of birth
Contact details - such as addresses, telephone & mobile numbers, email address
Family details - such as family history of eye disease/condition
Financial details - such as bank sort code/ account number, Payment card number, payroll, tax information
Employment details - such as salary, annual leave, pension, benefits, discipline and grievance, performance data, occupational health data and security clearance data
Education and training details of staff and consultants - such as Training records, Qualification verification
Eye correction prescription, and the results of routine eye tests specifically to assess for glaucoma related eye conditions
Details held in the patient's record, where we hold or manage the patient's record - such as NHS Number, GP Details, medication/treatment history, medical images.
Lifestyle and social circumstances - such as questions about smoking, drinking and general lifestyle
Responses to surveys where individuals have responded to surveys about issues

We also process special category of information for patients, staff and consultants, that may include:

Racial and ethnic origin
Data concerning health
Offences (including alleged offences), criminal proceedings, outcomes and sentences
Employment tribunal applications, complaints, accidents, and incident details

How will we use information about you?

Your information is used to run and improve Medical Diagnostic & Treatment Solutions and to provide data for contracted eyecare services. In respect of patient data, their data may be used to:

Register all patients onto our Community Eyecare System, iRIS
Register referrals for patients on our systems, add & update demographic details and health records with new referral details
Allow for the assessment and treatment of patients with eye conditions by iRIS licensees & users
Create notes and letters for communicating outcomes with your GP and eye care specialists
Create prescriptions to treat eye conditions
Allow for the onwards referral for treatment of eye conditions to other eyecare providers
Record telephone calls made to Medical Diagnostic & Treatment Solutions in relation to appointment or patient enquiries
Allow the preparation of health record folder (notes) for the patient
Investigate complaints, legal claims or important incidents
Make sure services are planned to meet patients' needs in the future
Check and report on how effective Medical Diagnostic & Treatment Solutions and the services it licences & commissions has been
Help patients to make informed choices for treatment by processing anonymised statistical information on licensor/user service performance
To address customer service enquiries made via the website

We may keep your information in a written form or on a computer. Whenever possible all information that identifies you will be removed.

For our staff, licensees, contractors, consultants, clinical agency staff, vendors and suppliers, personal data may be used to;

Verify employment history, qualifications and experience
Validate 'right to work'
Assess suitability for employment during selection process
Personal development of employees
Payroll
NI and tax accounting
Disciplinary and grievances
Undertake due diligence and risk assessment of supply chain

iRIS – IOP Referral Refinement & Community Glaucoma Network

Medical Diagnostic & Treatment Solutions is the data controller for our Community Eyecare System, iRIS, which electronically delivers IOP Referral Refinement & Community Glaucoma Network schemes on behalf of our eyecare clients. iRIS holds personal details of all patients that have been either referred by an IOP Referral Refinement clinic, referred by a GP, referred by an Optometrist or referred by an NHS or private Hospital.

The information held on iRIS is used primarily for the purpose of administering community eyecare services, it may however be used for other non-health related purposes and shared with statutory bodies/organisations to enable them to fulfil their statutory obligations. 'Non-health related purposes' relate to processing such as contracted reporting to the Private Hospitals Information Network (PHIN) using pseudonymised data which allows patients to make informed choices of where they may want accept treatment. We may also use the information within the administration system for statistical analysis to see how our clients are performing with respect to KPI’s, contractual targets and objectives.

The information will only be shared with other organisations where there is a statutory obligation to do so, or with the agreement of Medical Diagnostic & Treatment Solutions Data Protection Officer and our clients Caldicott Guardian. A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service user information and enabling appropriate information-sharing.

Sharing your information

We may disclose your personal information for a number of reasons (to the extent necessary). This can be due to:

Our obligation to comply with current UK legislation
Our duty to comply with a court order
A contractual commitment to report statutory information
Providing us with your consent to the disclosure of your data

In fulfilling our obligation to licence iRIS to provide eyecare services we may share your data with the following organisations:

Our licenced client, with the contractual commitment to deliver eye care services in your region
National Health Service (NHS)
NHS General Practitioners (your Doctor)
Specialist eyecare consultants (your Optometrist/Ophthalmologist)
PHIN (Private Healthcare Information Network)
Contracted 3rd parties providing medical services (such as specialist Ophthalmologists & Optometrists)
Healthcare insurance providers
Where we are required to do so by law
In the event that sharing your data will ultimately benefit you as the data subject

Sharing your Information outside of the EEA?

We may from time to time be required to share your information with other service providers who are outside of UK and the EU. The sharing of your information with these providers is necessary in order to provide the necessary medical device or service. The transfer of personal data internationally will be conducted with the appropriate legal mechanisms in place.

How long will we keep your data for?

We will keep your personal information in accordance with our Documented Information Retention Policy and for as long as is lawfully necessary to conduct our business with you, and/or in accordance with our legal obligations for data retention.

What rights do I have regarding your use of my information?

You have the following rights in relation to the personal data that we hold on you:

You have a right to make a subject access request
You have the right to rectify/amend your personal information if it is incorrectly recorded. Accounting for the purposes of processing you have the right to have incomplete personal data completed, including by means of providing a supplementary statement
You may have the right for your personal data to be deleted
You have the right to restrict the processing of your data, if you believe that the personal data being processed is inaccurate or is being processed unlawfully
You may have the right to data portability. This is the transfer of your data to another data controller, where you have provided your consent and the processing is carried out by automatic means
You have the right to make an objection to the processing of your personal data relating to your particular situation, at any time, based on processing of data in the public interest or for the purposes of legitimate interests pursued by Medical Diagnostic & Treatment Solutions
Where personal data is processed for marketing purposes you have the right to object to the processing of your personal data and to withdraw your consent, at any time, to direct marketing

To enquire about or exercise any of your rights please contact us using the details provided below.

Do I have a choice?

Providing Medical Diagnostic & Treatment Solutions with your personal data helps us to fulfil our contracts to provide our customers with iRIS to help deliver you with relevant eyecare services. When providing our services, we will have entered into a contractual agreement with either specialist eyecare organisations, the NHS or other Health care Providers.

Failure to provide Medical Diagnostic & Treatment Solutions with your personal data may impact on the level of eyecare which can be provided, it may even result in non-acceptance for your eyecare treatment.

For staff, consultants, contractors, vendors and suppliers the restriction on processing of personal data may impact any contractual agreements in place between either party, that may result in failure to meet the contractual obligation.

Data Protection Notification

Medical Diagnostic & Treatment Solutions is a 'data controller' under the Data Protection Act. Our registration Number is: ZA010769. We have notified the Information Commissioner's Office that we process personal data and the details are publicly available from the:

information Commissioner's Office Wycliffe House
Water Lane
Wilmslow
SK9 5AF
ico.orq.uk

Changes to our privacy notice

We keep our privacy notice under regular review and we will place any updates on the MDTS/iRIS website.

Complaints about how we process your personal information.

In the first instance, you should contact the Data Controller on the details below.

Warren Diddams, Chief Executive Officer & Data Controller
Telephone: 07789 033025
Email: warren@mdtsolutions.co.uk
Post: Medical Diagnostic & Treatment Solutions, 10 Eaton Close, Billericay, Essex CM12 0UR.

Our office opening hours are: 9am to 5pm Monday to Friday.

You may also refer any complaints directly to the ICO on the contact details provided above.

Data Protection Policy

Data Retention Policy

IT Security Policy