Primary Care Contractor Organisation

Data Protection Notice regarding Independent Contractors

Introduction

During the course of NHS Lothian activities we will collect, store and process personal information about our prospective, current and former staff. For the purposes of this privacy notice, ‘staff’ includes applicants, employees, workers (including agency, casual and contracted staff), volunteers, trainees and those carrying out work experience.

We recognise the need to treat staff personal data in a fair and lawful manner. No personal information held by us will be processed unless the requirements for fair and lawful processing can be met.

This privacy notice provides a summary of how we will ensure that we do that, by describing:

- the categories of personal data we may handle
- the purpose(s) for which it is being processed, and
- the person(s) it may be shared with.

This notice also explains your rights regarding your personal information.

What laws are relevant to the handling of personal information?

The law determines how organisations can use personal information. The key legislation governing the use of information is listed below:

- Data Protection Act 2018
- General Data Protection Regulation (GDPR (EU) 2016/679)
- The Human Rights Act 1998
- Freedom of Information (Scotland) Act 2002
- Computer Misuse Act 1998
- Regulation of Investigatory Powers Act 2000, and
- Access to Health Records Act 1990.

NHS Lothian is the ‘Data Controller’ (the holder, user and processor) of staff information. The Health Board has an express statutory function under the National Health Service (Scotland) Act 1978 to maintain the lists of independent contractors.
The PCCO operates within the Regulations issued for the primary care environment as follows:

- The National Health Service (Performers List)(Scotland) Regulations 2004 as amended
- The National Health Service (General Medical Services Contracts)(Scotland) Regulations 2018
- The National Health Service (Primary Medical Services Section 17C Agreements) (Scotland) Regulations 2018
- The National Health Service (General Dental Services)(Scotland) Regulations 2010 as amended
- The National Health Service (General Ophthalmic Services)(Scotland) 2006 as amended
- The National Health Service (General Pharmaceutical Services)(Scotland) 2009 as amended

What types of personal information do we handle?

In order to carry out our activities and statutory obligations to maintain a Performer’s List, Dental List, Ophthalmic List and Pharmaceutical List we handle data in relation to:

- Primary care contractors (dentists, GPs, pharmacists, optometrists) or their staff providing services to patients in NHS Lothian

The types of personal data may include but are not limited to:

Primary care contractor information

- name, home address, telephone, personal email address, date of birth, employee identification number and marital status, and any other information necessary for our business purposes, which is voluntarily disclosed in the course of an employee’s application for inclusion on the relevant health board list
- national insurance number
- professional registration number
- bank details
- email address
- telephone number
- sensitive personal data: for example, data about race, ethnic origin, religious or philosophical beliefs, trade union membership, health, and sexual orientation (collected only where required by law and used and disclosed only to fulfill legal requirements)
- absence information, e.g. claims for sickness absence, study leave, adoption leave, maternity leave, paternity leave
- occupational health clearance information
- qualification and training information; and
- statutory and voluntary registration data

Health information

- Dental treatment applied for or provided under General Dental Services
- Eye examinations applied for or provided under General Ophthalmic Services
- Prescription data, records of drugs prescribed by Community Pharmacies
- GP records relating to treatment provided under the GMS contract

When you are no longer included on the relevant contractor list, we may continue to share your information as described in this notice, i.e. so long as this is fair and lawful.

What is the purpose of processing data?

Your personal data is collected by NHS Lothian and shared with NHS National Services Scotland for the purposes of maintaining the lists of independent contractors as required by statute. It will be captured and stored on electronic systems and will be used and shared by PCCO staff in NHS Lothian and other health boards where you are working in any capacity.

Occupational health clearance information – referred to as the Occupational Health Passport “fit slip” – is shared with the PCCO by NHS Lothian and NHS Borders Occupational Health Departments. PCCO will not share this information with any other person or organisation.

We use information about you in order to:

- evaluate applications for admission to the various lists of independent contractors
- manage all aspects of your independent contractor status with us, including but not limited to, payments, appraisal, disciplinary procedures, pensions administration, and other general administrative and human resource related processes
- comply with applicable laws (e.g. health and safety),
- share “employers” information as appropriate with the professional bodies or in the monitoring of conditions imposed by those bodies.

Sharing your information

There are a number of reasons why we share information.
This can be due to:

- our obligations to comply with current legislation, and
- our duty to comply with any Court Order which may be imposed.

Any disclosures of personal data are always made on a case-by-case basis, using the minimum personal data necessary for the specific purpose and circumstances and with the appropriate security controls in place.

Information is only shared with those agencies and bodies who have a “need to know,” or where you have consented to the disclosure of your personal data to such persons.

In order to comply with our obligations we will need to share your information as follows:

Depending on the situation, where necessary we will share appropriate, relevant and proportionate personal information in compliance with the law, with the following:

- Our patients and their chosen representatives or carers
- Staff
- Current, past and potential employers
- Healthcare, social and welfare organisations
- Suppliers, service providers, legal representatives
- Auditors and audit bodies
- Educators and examining bodies
- Research organisations
- People making an enquiry or complaint
- Financial organisations
- Professional bodies
- Trade Unions
- Business associates
- Police forces
- Security organisations
- Central and local government
- Voluntary and charitable organisations

Reasons why we share your personal information, and who we share your information with (the list below is not exhaustive):

- For the purposes outlined above: PCCO staff, occupational health and NHS National Services Scotland
- Professional registration purposes: Regulatory bodies such as the General Medical Council, General Dental Council, General Optical Council, General Pharmaceutical Council
- Contractual terms and conditions of service: NHS National Services Scotland – Practitioner Services
- Appraisal
- National reporting: NHS National Services Scotland – Information Services Division
- Medical, Dental, Ophthalmic and Pharmaceutical Lists: General public and internally to NHS Scotland employees in other Health Boards
- Other Legal Obligations: Any relevant organisation that has a legal right to receive information, for example: Counter Fraud Services, Courts.

Background on sharing and our responsibilities

Privacy laws do not generally require us to obtain your consent for the collection, use or disclosure of personal information for the purpose of establishing, managing or terminating your employment. In addition, we may collect, use or disclose your personal information without your knowledge or consent where we are permitted or required by law or regulatory requirements to do so.

Data Protection Legislation requires personal data to be processed fairly and lawfully. In practice, this means that NHS Lothian must:

- have a legal basis for collecting and using personal data;
- not use the data in ways that have unjustified adverse effects on the individuals concerned;
- be transparent about how it intends to use the data – and give individuals appropriate privacy notices when collecting their personal data;
- handle people’s personal data only in ways they would reasonably expect; and
- make sure it does not do anything unlawful with the data.

NHS Lothian’s legal basis for collecting and using staff personal data and/or special category data such as health information, is because it is necessary to do so when contractors are on the relevant Health Board List or wish to be included on the relevant Health Board List.

Information about the rights of individuals under the Data Protection Legislation can be found within the NHS Lothian Data Protection Policy.

Security of your Information

We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.
At director level, we have appointed a Senior Information Risk Owner (SIRO) who is accountable for the management of all information assets and any associated risks and incidents, and a Caldicott Guardian who is responsible for the management of patient information and patient confidentiality. We also have a Data Protection Officer who advises the Board on data protection compliance and who liaises with the SIRO and Caldicott Guardian.

All staff are required to undertake regular information governance training and to be familiar with information governance policies and procedures. All NHS staff are also subject to the common law duty of confidentiality.

How do we collect your information?

Some of the information you provide on your application for admission to the Performers List, Dental List, Ophthalmic List or Pharmaceutical List will be included on the national general practitioner database (for GPs and optometrists) and local PCCO database for general dental practitioners. These databases are maintained in order to fulfil the statutory requirements for a Health Board to maintain a general medical practitioner performers list, dental list and pharmaceutical list.

We also collect information in a number of other ways, for example correspondence, forms, interview records, references, surveys.

Retaining information

We only keep your information for as long as it is necessary to fulfil the purposes for which the personal information was collected. As directed by the Scottish Government in the Records Management Code of Practice, we maintain a retention schedule as part of our Records Management Policy detailing the minimum retention period for the information and procedures for the safe disposal of personal information.

We may, instead of destroying or erasing your personal information, make it anonymous so that it cannot be associated with or tracked back to you.

How can you get access to your personal data?
You have the right to access the information which NHS Lothian holds about you, and why, subject to any exemptions. Requests can be made in a number of ways, including in writing or verbally. You will need to provide:

- adequate information [for example full name, address, date of birth, staff number, etc.] so that your identity can be verified and your personal data located.
- an indication of what information you are requesting to enable us to locate this in an efficient manner.

We may ask you to complete an application form to collect the data we need, although you are not obliged to do so. You should direct your request to the Data Protection Officer – details can be found below.

Once we have received your request and you have provided us with enough information for us to locate your personal information, we will respond to your request without delay, within one month (30 days). However, if your request is complex we may take longer, by up to two months, to respond. If this is the case we will tell you and explain the reason for the delay.

What if the data you hold about me is incorrect?

It is important that the information which we hold about you is up to date. Changes can be notified to the PCCO in order that the relevant database or list might be updated.

Complaints about how we process your personal information

In the first instance, you should contact the Data Protection Officer – contact details can be found below.

Information about the rights of individuals under the Data Protection Act can be found online at www.ico.org.uk

Data Protection Registration

NHS Lothian is registered with the Information Commissioner’s Office as a data controller.
Registration number Z5757124

The details are publicly available from the:-

Information Commissioner’s Office
Wycliffe House
Water Lane,
Wilmslow SK9 5AF
www.ico.org.uk

Data Protection Officer

If you wish to contact the Data Protection Officer you can contact them at:

Data Protection Officer
IT Governance
Woodlands House
74 Canaan Lane
Edinburgh
EH9 2TB
Phone – 0131 465 5444
Email: Loth.DPO@nhslothian.scot.nhs.uk

Primary Care Contractor Organisation

If you wish to contact the PCCO you can contact them at:

Primary Care Contractor Organisation
NHS Lothian
Waverley Gate
2-4 Waterloo Place
Edinburgh
EH1 3EG
0131 537 8422
GMS.Contract@nhslothian.scot.nhs.uk

With acknowledgments to NHS Scotland and NHS England