Privacy Notice
The Auditory Implant Service (USAIS) is part of the University of Southampton and is commissioned by the NHS to provide clinical care services in an environment which also supports research and continuous evidence-based improvement of practice.
The purpose of this notice is to explain to you how we will handle your personal information.
WHAT INFORMATION WE COLLECT, USE AND WHY
When you become a patient of ours, we collect and use information about you to/for:
- provide patient care, services, pharmaceutical products and other goods
- make sure that our health professionals involved in your care have accurate information to assess your health, decide what ongoing care you need and/or to assess the type and quality of care you have received
- make sure we can contact you, arrange your appointments and keep your patient record up to date
- make sure any concerns can be properly investigated if you have a complaint
- comply with legal obligations
- medical research or archiving purposes
THE INFORMATION WE COLLECT IS:
- Biographic details – name, title, date of birth, age and gender
- Your contact details – including home address, business, email, telephone and details of your next of kin
- Records of all contact we have had
- Identification numbers (such as your NHS number) and online identifiers
- Opinions about you/your treatment and our plans for your treatment and care
- Health and Safety information, such as if you need certain adjustments in place when we meet with you or talk to you
- Biometric information, such as details of your ear, blood type
- Details of any medical treatment/care you have had
- Results of medical investigations
- Medical information from other educational and/or health professionals
- Relevant medical information from people who care for you and/or family
- Racial and ethnic origin
Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.
Which lawful basis we rely on may affect your data protection rights which are in brief set out below:
- Your right of access. You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which mean you may not receive all the information you ask for
- Your right to rectification. You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete
- Your right to erasure. You have the right to ask us to delete your personal information.
- Your right to restriction of processing. You have the right to ask us to limit how we can use your personal information
- Your right to object to processing. You have the right to object to the processing of your personal data
- Your right to data portability. You have the right to ask that we transfer the personal information you gave us to another organisation, or to you
- Your right to withdraw consent. When we use consent as our lawful basis you have the right to withdraw your consent at any time
Because we are part of the University of Southampton, if you want to make a request for any of these rights you should contact our Data Protection Officer via data.protection@soton.ac.uk
You can find out more about how the University manages these requests and your rights by going to the University’s Privacy Notice:
https://www.southampton.ac.uk/about/governance/regulations-policies/privacy-policy
OUR LAWFUL BASES FOR THE COLLECTION AND USE OF YOUR DATA
Our lawful bases for collecting or using personal information to provide patient care, services, pharmaceutical products and other goods are:
- Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
Our lawful bases for collecting or using personal information to comply with legal requirements are:
- Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
Our lawful bases for collecting or using personal information for medical research or archiving purposes are:
- Public task – we have to collect or use your information to carry out a task laid down in law, which the law intends to be performed by an organisation such as ours. All of your data protection rights may apply, except the right to erasure and the right to portability.
- Where your information is used for research, it will be two separate types:
- Data from you that does not contain any identifying information (information about your medical treatment but not your name, or anything else that can identify you)
- Where you are a participant in a research project (we may have sent you a letter or email asking if you want to join a project or you may have seen an advert asking for participants in research projects). In this type you will sign up and be given information specific to the project, and data collected about you will only be used by the project team and not seen or collected by us.
WHERE DO WE GET IT FROM?
In most cases, the information we collect comes directly from you or your parent/guardian and from your Doctor or Healthcare team (either the NHS or Private) who referred you to us for treatment or from where you have requested your records to be sent to us.
HOW LONG WE KEEP YOUR INFORMATION
We will only retain your personal data for as long as necessary to fulfil the purposes we collect it for, including for the purposes of satisfying any legal, accounting, insurance or reporting requirements. Details of retention periods for different aspects of your personal data are available in our record management policy. After this period, we will securely destroy your personal data in accordance with your record retention schedule.
WHO WE SHARE INFORMATION WITH
Sometimes, we need to share your personal data with third parties. We will only do so where it is necessary in line with the purposes described above. Third parties include:
Companies who provide Software as a Service or “on-demand” software to the Auditory Implant Service or to the University that we use to keep records of you/your treatment needs/the details of your cochlear implant. These companies are Data Processors, which means that they process information on instruction from us. All third-party data recipients are required to take appropriate security measures to protect your data in line with our policies. We do not allow our third-party data recipients to use your personal data for their own purposes unless they have been approved by us as lawful in compliance with Data Protection Legislation. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
At USAIS we have the following Data Processors: Riomed (patient database), Restore (off-site storage for archived patient data), Implant manufacturers and implant software (Cochlear, Advanced Bionics, MED-EL, Oticon and NOAH). We also work with NHS departments or Private Hospitals to facilitate your care or treatment.
We also share your information if USAIS requests that you are seen by another medical professional, or if we refer you to another part of the NHS. In addition, we will provide information to the NHS if needed to obtain funding for your care.
DUTY OF CONFIDENTIALITY
We are subject to a common law duty of confidentiality. However, there are circumstances where we will share relevant health and care information. These are where:
- you have provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses)
- we have a legal requirement (including court orders) to collect, share or use the data
- on a case-by-case basis, the public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime)
- If in England or Wales – the requirements of The Health Service (Control of Patient Information) Regulations 2002 are satisfied
NATIONAL DATA OPT-OUT POLICY
We comply with England’s national data opt-out because we are using confidential patient information for purposes beyond individual care, such as research. To find out more or to register your choice to opt out, please visit https://www.nhs.uk/your-nhs-data-matters/. If you have opted out via this scheme please inform us on your consent form.
If you are a Private Healthcare recipient, the data we collect may be used for research purposes unless you indicate you do not wish us to do so via our consent form.
Your choices are kept on the USAIS patient database. You can change your mind at any time by emailing us at ais@soton.ac.uk.
HOW TO COMPLAIN
If you have any concerns about our use of your personal data, you can make a complaint to us using these contact details:
Or you can contact our Data Protection Officer at data.protection@soton.ac.uk
If you remain unhappy with how we have used your data after raising a complaint with us, you can also complain to the ICO.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
Helpline number 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
We keep this Privacy Notice under regular review and it may be amended from time to time. You can obtain a current version at: