IPRS Health is an independent provider of healthcare and wellbeing services. You have received this notice because IPRS Health has been contracted to provide clinical services to you, on behalf of one of the following:
To allow us to provide these services, we need to collect, process and store your personal and health-related information. This notice is to tell you why we need to do this, how the processing takes place and what we are allowed to do with your data – with and without your consent.
IPRS Health is registered in the UK with the Information Commissioner’s Office (ICO) as a Data Controller, and is permitted to process personal and special categories of information (health data, for instance) in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018 (DPA).
As part of its responsibilities IPRS Health has a Data Protection Officer, who is responsible for monitoring the compliance of IPRS Health’s data protection activities. If you have any questions or concerns about your data protection, please contact DataProtectionOfficer@iprsgroup.com or contact 0800 072 1227.
To be able to manage your health or wellbeing referral to the best of our abilities, and to ensure that we provide the most appropriate care for your needs, we need to collect your personal data and certain health-related information. This information may take the form of electronic health records, held on our secure, UK-based servers, or may be paper files, stored securely in locked cabinets. Whichever format your information is held in, its security is paramount, and access to it is tightly controlled and is restricted to those staff who need access for the sole purpose of managing your referral. We will not release your data to anyone without your explicit consent to do so. We will not use your data for marketing purposes, or allow any of our processors (authorised third parties providing services on our behalf) to do so either.
Any personal information we hold about you is processed under three lawful bases, under Article 6 of the GDPR:
1) Consent – We ask for your explicit agreement as to how we manage and share your data. Our consent process is thorough, transparent and specific, and we will only process your data in line with the terms you agree.
The process also informs you of your right to withdraw your consent, without prejudice, though this may sometimes affect our ability to manage your referral if we are unable to share information with your funding approver.
Your details will never be shared with any person or organisation outside of the relationship between your referrer and IPRS Health (including its authorised suppliers) without your explicit written consent (for example, if you wish to release your health records as evidence for a legal claim) unless we are legally obliged to do so by a court order or to protect public health.
The specific consent you give about the parties with whom you agree IPRS Health may share your data is documented in detail in your health record. You have the right to request access to this record.
2) Legitimate interests – We process your data in order to be able to carry out our lawful business, which is the management and delivery of your health or wellbeing referral. As we have been appointed by an organisation to provide services to you, we need to communicate with that organisation about you; and with the suppliers who deliver services on our behalf. This requires us to share your information:
These are our legitimate interests (and those of the organisation that referred you or that provide care to you) and these interests will continue providing that they do not countermand your own interests, rights or freedoms as an individual.
3) Legal Obligation – In certain circumstances we may have a legal obligation to process your data, specifically in the “establishment, exercise or defence of legal claims” or in the interest of public health. Under particular, but rare, conditions, this may be done without your consent.
In addition to your personal data, we also need to process your ‘special category’ data, which is information about your health status. Any information we collect or hold about your health, and your treatment and care, is processed for the purposes of ‘preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services’ under Article 9 of the GDPR and chapter 2, section 9 of the Data Protection Act 2018.
We collect your personal and health-related information in a number of ways, including:
The personal data we process may include your:
In addition to the above, we will also hold specific information about your health and wellbeing, which may include:
These data will only be collected and processed where this is necessary and relevant to the management and delivery of services provided to you by IPRS Health.
We will never collect information which is not justified by our legitimate interests, and we will never use your health or wellbeing data for direct marketing.
Your information is only used by IPRS Health to manage and deliver your health or wellbeing services, or to report to those parties you have agreed. This ensures that:
The information we collect and hold about you may also be used to:
We always use the least amount of personal data that we can to achieve our aims, and will try to anonymise or pseudonymise your information whenever possible, so as to give the greatest possible protection to your confidentiality.
Your data is never used for marketing or advertising purposes, and would not be released to any third party without your explicit consent, unless there is a legal requirement to do so, such as a court order.
As previously mentioned, your data may be held in both electronic and paper forms. All data are held securely, and are retained for a specified period of time, as laid out in our data retention schedules. Different types of data would be held for different retention periods, as required by law, or by IPRS Health’s legitimate purposes.
Health records (containing the information pertaining to your health and wellbeing services) are retained by IPRS Health for a period of ten years from the date of your discharge from IPRS Health's care. If
you were a minor (under 18) at discharge, the record will be kept for ten years from you reaching your majority (ten years from your eighteenth birthday). This duration is required by our liability insurance provider, in anticipation of a need for health records being required for legal claims.
Once the retention period for your data expires, it will be destroyed or deleted in a secure manner. We will not keep your personal data for longer than is necessary to fulfil our legitimate purposes. Wherever possible, your personal data will be archived unless it is required for active referrals. If we wish to retain data for research or analytical purposes for longer periods, this will be retained as anonymous statistical data, and will no longer be ‘identifiable’ to you personally.
Your data are processed and stored in accordance with UK data protection legislation, currently the UK Data Protection Act 2018 and the General Data Protection Regulation. In addition to this statute law, health information is also protected by the Common Law Duty of Confidentiality, other assorted healthcare professional standards of conduct (such as those set by the Health and Care Professions Council), or national standards as set by the Information Commissioner’s Office.
These combined requirements mean that we must:
Under the GDPR and DPA you have certain rights as an individual, regarding your personal data held or processed by IPRS Health. You have the right to:
Should you want to exercise your rights concerning your personal data, please contact IPRS Health’s Data Protection Officer at DataProtectionOfficer@iprsgroup.com or by telephone on 0800 072 1227.
If you have any concerns about what IPRS Health doing with your data, please contact the Data Protection Officer in the first instance.
IPRS Health is regulated in all matters of data protection by the Information Commissioner’s Office (ICO). If you are dissatisfied with our response to your concerns, or believe that IPRS Health is processing your data otherwise than in accordance with the law, you have to right to make a complaint to the ICO, as below.
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number
Fax: 01625 524 510