Skip to main content

Providing independent clinical excellence since 2005

Privacy Policy

Privacy notice

At Surrey Cardiovascular Clinic (SCVC) we take data privacy issues very seriously and carefully balance the requirement for timely access to vital medical information against risk of data privacy breach.

Although most of SCVCs private consultants keep their own healthcare information/records on their patients they see or review imaging information about patients at SCVC, so we are required to provide an electronic record for every registered patient that we provide imaging or tests on.

SCVC (the data controllers) store the following sensitive information about all our registered patients held on servers of our designated records provider, who also provide backup (encrypted) files and archives.

a/ In databases or spreadsheet format

  • Name, address, date of birth, GP, phone numbers, email address
  • Next of kin details
  • Insurance details including Insurance company and membership number
  • Allergies
  • Next of kin, if provided by the patient at Registration

c/ In image, PDF, DICOM and Word format (stored within our cloud based electronic record ‘Virtual Clinic EPR’  )

All medical correspondence, relevant results and letters sent or received concerning the patient and medically important incoming and outgoing emails, held in chronological order within a secure, auditable, electronic patient record. It is accessible by our clinical faculty (doctors, nurses, radiographers and technicians) with either active practising privileges or employed by  Surrey Cardiovascular Clinic and (subcontracted) imaging facilities including VCL Surrey and Inhealth ltd using individual access rights that are revocable. 

We operate a data sharing policy so that with appropriate data sharing consent from the patient, data managers may make the medical record and CT images of a selected patient accessible to other healthcare providers on receipt of a written request from the data subject, or after verbal consent in the event of urgent care or emergency admission.

d/ In paper format stored in lockable filing on our premises

  • Credit Card receipts (for up to 12 months then destroyed)
  • Patient paper files going back 7 years- we periodically check and destroy medical files that have not been required for 7 years

 

Email security

We do not send sensitive information by email between organisations or to patients, unless it is encrypted or password protected.

SCVC (the data controller) contracts out all of its IT systems to MedicalSpaces Ltd (a data processor) that operates all IT and record infrastructure on behalf of SCVC

SCVC therefore controls the following information on cloud computers held outside our secure buildings:

Clinical information on ‘Virtual Clinic EPR’  (VC-EPR): a secure web based system owned, operated by MedicalSpace (the data processor) where sensitive patient information is held for up to 7 years following an episode of clinical care at SCVC.

Diagnostic data processing: for those patients requiring CT Imaging, SCVC has a Data sharing contracts in place with its imaging provider VCL Group and third party software companies including PostDicom.com, TeraRecon and Heartflow inc imaging, whereby sensitive patient information including Date of Birth and Name are stored in secure cloud servers within the European union in order to identify diagnostic information properly. This information is kept live for clinical reasons but deleted if unused for 7 years.

Accounts information (held by our data processor Xero.com) for up to 7 years

Your name, address, Date of Birth, GP, Phone numbers, email address, Medical Insurance details, Invoices and services rendered. No Bank or Card details are held outside VCL-SURREY.

Admin information: Egnyte is our secure cloud provider (European Server) where we store and archive sensitive information.

Personal Data held on Egnyte  includes: your name, address, Date of Birth, GP, Phone numbers, email address, Any medical history, information or medication that we or your GP has provided at time of the referral.

Microsoft Teams is also our secure cloud provider (European Server) where sensitive information is kept as an auditable part of patient health record. This information includes messages about patients between members of our team,  results, medical dictations, audio recordings and screen video with audio recordings of any MDT meetings concerning the patient’s care. We hold for up to 10 years or until asked to delete.

https://eu.jotform.com is our data capture system which we use to collect information about patients including medical history, medication and safety checklists for processing and storing in our patient record. Sensitive data may be held on Jotform servers in London for or up to 7 years including personal and medical data about you that is relevant to your medical diagnosis. All data held on Jotform encrypted.

REFERENCES

Records and Information Management Policies

GMC Confidentiality Guidance 2009

Confidentiality NMC 2008 – updated 2012

GDPR

Data Protection