This Privacy Notice applies to:
- individuals who choose to give evidence to an independent health inquiry following a potential or actual clinical incident (“Incident or Independent Review“);
- individuals who are the subject of an Incident or Independent Review;
- individuals who are referred to in the course of evidence gathered as part of an Incident or Independent Review.
This Privacy Notice explains what personal information we collect from you, why we need to collect and use it, what legal grounds we rely on to enable us to process this data and what your rights are under the Data Protection Law.
ABOUT US and THIS NOTICE
This Privacy Notice is provided by Donna Ockenden Limited (“we“, “our” or “us“) who is a controller for the purposes of the Data Protection Law.
We take your privacy very seriously. We ask that you read this Privacy Notice carefully as it contains important information about our processing activities and your rights.
How to contact us
If you would like this Privacy Notice in another format (for example: audio, large print, braille) please contact us at the details below.
|Data Protection Officer:||Donna Ockenden|
|Address:||Donna Ockenden Ltd First Floor 31 North St Chichester West Sussex PO19 1LX|
|Telephone number:||01243 786993|
Changes to this Privacy Notice
The latest version of the Privacy Notice can be found at our website at http://www.donnaockenden.com/. We may change this Privacy Notice from time to time. We will alert you by posting a notice on our website when changes are made.
Current version: August 2022
USEFUL WORDS AND PHRASES
Please familiarise yourself with the following words and phrases (used in bold) as they have particular meanings in the Data Protection Law and are used throughout this Privacy Notice:
|controller||This means any person who determines the purposes for which, and the manner in which, any personal data is processed.|
|Data Protection Law||This means the laws which govern the handling of personal data. This includes the UK General Data Protection Regulation as defined by the Data Protection Act 2018 and further laws and statutory instruments relating to such regulations from time to time.|
|data subject||This means the individual to whom the personal data relates.|
|ICO||This means the UK Information Commissioner’s Office which is responsible for implementing, overseeing and enforcing the Data Protection Law.|
|personal data||This meansany information from which a living individual can be identified. It will include information such as telephone numbers, names, addresses, e-mail addresses, photographs and voice recordings. It will also include expressions of opinion and indications of intentions about data subjects (and their own expressions of opinion/intentions).|
Furthermore, it will also cover information which on its own does not identify someone but which would identify them if put together with other information which we have or are likely to have in the future.
|processing||This covers virtually anything anyone can do with personal data, including:|
– obtaining, recording, retrieving, consulting or holding it;
– organising, adapting or altering it;
– disclosing, disseminating or otherwise making it available; and
– aligning, blocking, erasing or destroying it.
|processor||This means any person who processes personal data on behalf of the controller.|
|special categories of data||This means any information relating to:|
– racial or ethnic origin;
– political opinions;
– religious beliefs or beliefs of a similar nature;
– trade union membership;
– physical or mental health or condition;
– sexual life; or
– genetic data or biometric data for the purpose of uniquely identifying you.
WHAT PERSONAL DATA DO WE COLLECT?
- Personal information provided by you (where given)
The following types of personal data could relate to you or any third party (including respondents and relatives) whose information is volunteered by you:
|Identification information: e.g. name, contact details, address, telephone number;|
Biographical information including date of birth, gender, marital status, employment status if relevant (including place of work and job position);
Core Personal Data relating to the Incident or Independent Review including:
– opinions including professional experience and competence of respondents and third parties;
– data about the impact of the incident; Ø
– Information about the provision of medical care and support before, during and after the incident; Ø
– other matters within the terms of reference of the Incident or Independent Review.
Ø may include special categories of data (see below)
|Ø Special categories of data|
|– Medical conditions and health data relating to the impact of the incident |
– Religious beliefs
– Sexuality and sex life
– Racial or ethnic origin
– Genetic data (if relevant)
When you provide personal data about respondents and third parties you confirm that: they are aware that you have given us their data; and you have provided them with a copy of this Privacy Notice.
- Personal information provided by others (e.g. NHS Trusts that appoint us to provide our Services)
Whilst most of the personal data processed by us will be provided directly by you, we may also receive personal data about you from other sources, including (for example): NHS Trusts, healthcare providers, NHS England, the Department of Health and Social Care , other public and government authorities, individuals and witnesses who have included information about you in their evidence to the Incident or Independent Review.
In most cases information will be provided to the Incident or Independent Review on a voluntary basis, but in exceptional circumstances, we may require personal data for the purposes of discharging a statutory function
WHY DO WE PROCESS YOUR PERSONAL DATA?
We use your personal data for the following purposes listed in this section. We are allowed to do so on certain legal bases as provided below.
Where we are permitted to process your personal data based on our ‘legitimate interests’ (see the table below to see when this happens) we have considered the impact on your interests and rights, and have placed appropriate safeguards to ensure that the intrusion on your privacy is reduced as much as possible. You can object to processing that we carry out on the grounds of legitimate interests. See the section headed “Your Rights” to find out how.
|Type of data||Why do we need it?||Legal basis for processing|
|Incident or Independent Review |
-Processing undertaken in connection with the Incident or Independent Review and in particular the preparation of the report of findings including (without limitation):
– collating evidence including conducting interviews with families, NHS staff and other witnesses, recording interviews and preparing attendance notes and transcripts (in both written and electronic form) and other interactions,
– reviewing evidence against relevant governance processes and procedures,
– undertaking clinical reviews and reviewing medical records, reports, reviews and board/committee minutes, and online media,
– information management, governance and administration in relation to the handling of personal data collected for the Incident or Independent Review;
|To provide our professional assessment of an Incident or Independent Review as part of our services provided to our clients (either as natural persons or organisations such as NHS Trusts).||Personal Data: |
– Contract Performance (where we are contractually required to provide the Incident or Independent Review directly to data subjects)
– Legitimate Interests (where we are required to provide the Incident or Independent Review to an organisation)
Special Categories of Data:
Depending on the nature of the Incident or Independent Review:
– Processing is necessary to provide health care related services, or in certain circumstances is also necessary for reasons of public interest in the area of public health and in both cases the information is used under an obligation of confidentiality under an enactment or rule of law;
– Processing is necessary for the reasons of substantial public interest to protect the public against dishonesty, malpractice, or other seriously improper conduct, unfitness or incompetence, mismanagement in the administration of a body or association or failures in services provided by a body or association.
– Processing is necessary for the purposes of the prevention or detection of an unlawful act, must be carried out without consent of the data subject so as not to prejudice those purposes and is necessary for reasons of substantial public interest.
– Where the above does not apply, we will ask for the data subject’s express consent either directly or through the organisation to whom we provide the Incident or Independent Review
|Referrals to specialist health care providers for the purposes of completing an investigation report or independent review||To make referrals to specialist healthcare providers for professional advice when we believe, in our professional capacity, it is in the data subject’s best interests to do so.||Personal Data: |
– Legitimate interests
Special categories of data:
– Necessary for Health and Social Care Purposes for the provision of health care treatment or professional advice by a health professional.
– Where the above does not apply, we will ask for the data subject’s express consent either directly or through the organisation to whom we provide the Incident or independent Review
|General Advice||To provide our professional advice throughout the duration of an investigation/ independent review||Personal Data:|
– Legitimate Interests
Special Categories of Data:
– Processing is necessary to establish, exercise or defend Legal Claims or legal rights
|Assessing and responding to general enquiries raised by individual data subjects||To assist and respond to your enquiries about us and our Services||Personal Data:|
– Legitimate Interests
Special Categories of Data:
– Processing is necessary to establish, exercise or defend Legal Claims or legal rights
WHO WILL HAVE ACCESS TO YOUR PERSONAL DATA?
We use processors to support our IT systems, and other ad hoc services. If you would like to know the names of our other service providers, please contact us using the details at the start of this Privacy Notice
We also share your personal data with the following external entities who act as separate controllers of your personal data:
- Service providers we have retained in connection with our Services such as barristers, solicitors, consultants or experts and other specialists for obtaining their services/professional advice;
- Providers of healthcare services not retained by us where we identify a need for specialist services following Incident or Independent Reviews;
- If we have collected your personal data in the course of providing Services to our clients (being a natural person or organisation), we will disclose such data to that client and where permitted by law to others for the purpose of providing the Services; and
- Courts, police, other law enforcements or regulators where we are required by law to do so, where the sharing is in the substantial public interest or where we have obtained your consent to do so.
Please note that we may continue to share your personal data with third parties for a period of time following the winding down of any Incident or Independent Review (provided that such disclosures are both necessary and proportionate).
Transfers of your personal data outside the UK or the EEA
We do not transfer your personal data outside the UK or the European Economic Area (“EEA“).
How we keep your personal information secure
We strive to implement appropriate technical and organisational measures in order to protect your personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorised disclosure or access and any other unlawful forms of processing. We aim to ensure that the level of security and the measures adopted to protect your personal data are appropriate for the risks presented by the nature and use of your personal data. We follow recognised industry practices for protecting our IT environment and physical facilities.
WHEN WILL WE DELETE YOUR DATA?
The following categories of personal data and special categories of data will be kept for the following periods.
|Personal data||Retention period|
|Incident or Independent Reviews||For 20 years after the Incident or Independent Review is completed|
|General Advice||For 20 years after the issue relating to the General Advice is completed|
|General enquiries||For at least 12 months from the time the enquiry is resolved or such longer period of time as may be instructed by the Police or other competent body|
Upon expiry of the applicable retention period, we will securely destroy your personal data.
As a data subject, you have the following rights under the Data Protection Law:
- Right to object to processing of your personal data;
- Right of access to personal data relating to you (known as data subject access request);
- Right to correct any mistakes in your information;
- Right to prevent your personal data being processed;
- Rights in relation to automated decision making (note this does not apply).
- Right to have your personal data ported to another controller;
- Right to withdraw your consent; and
- Right to erasure.
These rights are explained in more detail below. If you want to exercise any of your rights, please contact us (please see “How to contact us”).
We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex, in which case we will respond within three months.
Please be aware that there are exceptions and exemptions that apply to some of the rights which we will apply in accordance with the Data Protection Law.
- Right to object to processing of your personal data
You may object to us processing your personal data where we rely on a legitimate interest as our legal grounds for processing.
If you object to us processing your personal data we must demonstrate compelling grounds for continuing to do so. We believe we have demonstrated compelling grounds in the section headed “How is processing your personal data lawful”.
- Right to access personal data relating to you
You may ask to see what personal data we hold about you and be provided with:
- a copy of the personal data;
- details of the purpose for which the personal data is being or is to be processed;
- details of the recipients or classes of recipients to whom the personal data is or may be disclosed, including if they are overseas and what protections are used for those overseas transfers;
- the period for which the personal data is held (or the criteria we use to determine how long it is held);
- any information available about the source of that data; and
- whether we carry out an automated decision-making, or profiling, and where we do information about the logic involved and the envisaged outcome or consequences of that decision or profiling.
To help us find the information easily, please provide us as much information as possible about the type of information you would like to see.
- Right to correct any mistakes in your information
You can require us to correct any mistakes in your information which we hold. If you would like to do this, please let us know what information is incorrect and what it should be replaced with.
- Right to restrict processing of personal data
You may request that we stop processing your personal data temporarily if:
- you do not think that your data is accurate. We will start processing again once we have checked whether or not it is accurate;
- the processing is unlawful but you do not want us to erase your data;
- we no longer need the personal data for our processing, but you need the data to establish, exercise or defend legal claims; or
- you have objected to processing because you believe that your interests should override our legitimate interests.
- Right to data portability
You may ask for an electronic copy of your personal data which we hold electronically and which we process when we have entered into a contract with you. You can also ask us to provide this directly to another party.
- Right to withdraw consent
You may withdraw any consent that you have given us to process your personal data at any time. This means that we will not be able to carry out any processing which required use of that personal data.
- Right to erasure
You can ask us to erase your personal data where:
- you do not believe that we need your data in order to process it for the purposes set out in this Privacy Notice;
- if you had given us consent to process your data, you withdraw that consent and we cannot otherwise legally process your data;
- you object to our processing and we do not have any legitimate interests that mean we can continue to process your data; or
- your data has been processed unlawfully or have not been erased when it should have been.
What will happen if your rights are breached?
You may be entitled to compensation for damage caused by contravention of the Data Protection Law.
Complaints to the regulator
It is important that you ensure you have read this Privacy Notice – and if you do not think that we have processed your data in accordance with this notice – you should let us know as soon as possible. You may also complain to the ICO. Information about how to do this is available on its website at www.ico.org.uk.