Privacy Policy
Document Control
- Confidentiality Notice
This document and the information contained therein is the property of Muse Studios Limited (“the organisation”) trading as Drs Tatiana + Rishi Advanced Aesthetics.
This document contains information that is privileged, confidential or otherwise protected from disclosure. It must not be used by, or its contents reproduced or otherwise copied or disclosed without the prior consent in writing from Muse Studios Limited.
This policy governs the use by Drs Tatiana + Rishi Advanced Aesthetics or one of its subsidiaries or Affiliates (“we/us/our”) of your (“you/your/yourself”) data which is available to us in connection with your use of this website (the “Site”).
By using the Site, you are deemed to have full knowledge of and accept this Privacy Policy. If you do not agree to be bound by the terms of this Privacy Policy, please do not use the Site.
We reserve the right to alter this Privacy Policy at any time. Such alterations will be posted on the Site.
We collect information to process your order, deal with your queries, guide and enhance your online experience, supply you with information in which you have expressed an interest and for record keeping. We are committed to protecting your privacy and will only use your information in accordance with the Data Protection Act 2018.
You have the option, at login, to elect not to receive marketing information (from us, our business partners or selected third parties) and also to tag your account as non-marketable to prevent exchange of the data collected with third parties.
At any time you can change these options by editing your account details/emailing customer services.
DATA COLLECTED & PURPOSE OF COLLECTION
When you log in we collect name and address, telephone, email address, user name and password. This provides us with default details for your order processing and sets up security (so viewing of your account details, designs and order history is password protected).
To help you choose the right product and design to suit your purpose we ask you to make selections and choices. Only the design details are collected if you choose to save the details or place an order.
When you place an order we allocate you a customer number, capture order details, invoicing address and credit card details to process and fulfil your order. Your invoicing address is retained so you do not have to enter it again. Order details are retained so you can view your order history.
You acknowledge that many parts of the service provided on the Site may be provided by third-party service providers and not by us (for example, see section 8 below). You consent to us transferring your information to such third-party service providers for the purposes of dealing with your queries, orders and for record keeping.
When you enter credit card details you are in communication over a secure link with the Stripe merchant system (or such other financial system as may be used, from time to time). It retains details of the credit card transaction. You must enter the details for each purchase for security reasons.
To assist you with your promotions and marketing and tailor our service to your needs we will ask you for feedback, about you and any products or treatments you may require. Supply of this information is optional and not mandatory. All this data will be stored so we can effectively meet your needs.
You are entitled to ask for a copy of the information held about you at any time by contacting us. We may charge a small fee for this.
You consent to us (and our representatives) disclosing information to third parties: (i) if we are under a duty to disclose or share your information in order to comply with any legal obligation, or in order to enforce or apply our Terms of Use and any other contract entered into with us, or to protect the rights, property, or safety of our customers, ourselves or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction; and (ii) if we determine that such disclosure is necessary in connection with any investigation or complaint regarding your use of the Site.
SECURITY
The Site has numerous security measures in place, such as passwords and firewalls, to protect against the loss, misuse and alteration of information under our control. We cannot, however, guarantee that these measures are, or will remain, adequate. We do take data security very seriously and will use all reasonable endeavours to protect the integrity of the information you provide.
Access to your account data is password protected. You must keep all passwords confidential and not disclose or share them with anyone. You are responsible for all activities that occur under your passwords. You must notify us in the event you know or suspect someone else knows your passwords. If we have reason to believe there is a breach of security or misuse of the Site, we may require you to change your passwords or we may suspend your account without notice.
Our Site may, from time to time, contain links to and from other websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and we do not accept any responsibility or liability for these policies. Please check such policies before submitting any information to these websites.
Credit card details are processed by a secure server (see section 8 above).
COOKIES
WHAT ARE COOKIES?
We use cookies to personalise your interface with the site, and to remember you when you return to our site. They are small packets of data stored by your browser on your computer’s hard drive to identify you to us and help us to keep track of what you have in your basket. Your browser may have a feature to disable cookies or you can delete them if you wish and your interface will not be severely restricted.
Please note that cookies can’t harm your computer. We don’t store personally identifiable information such as credit card details in cookies we create, but we do use encrypted information gathered from them to help improve your experience of the site. For example, they help us to identify and resolve errors, or to determine relevant related products to show you when you’re browsing. Each browser is different, so check the ‘Managing cookies’ information below for your particular browser (or your mobile phone’s handset manual) to learn how to change your cookie preferences.
We’re giving you this information as part of our initiative to comply with relevant legislation, and to make sure we’re honest and clear about your privacy when using our website.
COOKIES WE STORE
Here’s a list of the main non-functional cookies we use, and what we use them for:
Cookie: Google Analytics
Name: _utma _utmb _utmc _utmz test_cookie
Purpose: These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited.
FURTHER INFORMATION ABOUT COOKIES
If you’d like to learn more about cookies in general and how to manage them, visit aboutcookies.org (opens in a new window – please note that we can’t be responsible for the content of external websites).
THIRD-PARTY COOKIES
When you visit our sites you may notice some cookies that aren’t related to w3p. If you go on to a web page that contains embedded content, for example from Google, you may be sent cookies from these websites. We don’t control the setting of these cookies, so we suggest you check the third-party websites for more information about their cookies and how to manage them.
Some of the business partners that may set cookies on w3p sites include:
Cookie: Google Maps
Name: PREF NID
Purpose: These are Google Maps third party cookies, which are unique identifiers to allow traffic analysis to Google Maps.
‘SHARE’ TOOLS
If you take the opportunity to ‘share’ content with friends through social networks – such as Facebook and Twitter – you may be sent cookies from these websites. We don’t control the setting of these cookies, so please check the third-party websites for more information about their cookies and how to manage them.
MANAGING COOKIES
If cookies aren’t enabled on your computer, it will mean that your shopping experience on our website will be limited to browsing and researching; you won’t be able to add products to your basket and buy them.
TO ENABLE COOKIES
If you’re not sure of the type and version of web browser you use to access the Internet:
- For PCs: click on ‘Help’ at the top of your browser window and select the ‘About’ option
- For Macs: with the browser window open, click on the Apple menu and select the ‘About’ option
HOW TO CHECK COOKIES ARE ENABLED FOR PCS
Google Chrome
- Click on ‘Tools’ at the top of your browser window and select Options
- Click the ‘Under the Hood’ tab, locate the ‘Privacy’ section, and select the ‘Content settings’ button
- Now select ‘Allow local data to be set’
Microsoft Internet Explorer 6.0, 7.0, 8.0
- Click on ‘Tools’ at the top of your browser window and select ‘Internet options’ , then click on the ‘Privacy’ tab
- Ensure that your Privacy level is set to Medium or below, which will enable cookies in your browser
- Settings above Medium will disable cookies
Mozilla Firefox
- Click on ‘Tools’ at the top of your browser window and select Options
- Then select the Privacy icon
- Click on Cookies, then select ‘allow sites to set cookies’
Safari
- Click on the Cog icon at the top of your browser window and select the ‘Preferences’ option
- Click on ‘Security’, check the option that says ‘Block third-party and advertising cookies’
- Click ‘Save’
HOW TO CHECK COOKIES ARE ENABLED FOR MACS
Microsoft Internet Explorer 5.0 on OSX
- Click on ‘Explorer’ at the top of your browser window and select ‘Preferences’ options
- Scroll down until you see ‘Cookies’ under Receiving Files
- Select the ‘Never Ask’ option
Safari on OSX
- Click on ‘Safari’ at the top of your browser window and select the ‘Preferences’ option
- Click on ‘Security’ then ‘Accept cookies’
- Select the ‘Only from site you navigate to’
Mozilla and Netscape on OSX
- Click on ‘Mozilla’ or ‘Netscape’ at the top of your browser window and select the ‘Preferences’ option
- Scroll down until you see cookies under ‘Privacy & Security’
- Select ‘Enable cookies for the originating web site only’
Opera
- Click on ‘Menu’ at the top of your browser window and select ‘Settings’
- Then select ‘Preferences’, select the ‘Advanced’ tab
- Then select ‘Accept cookies’ option
All other browsers
Please consult your documentation or online help files.
BANNER ADVERTISING ON OTHER WEBSITES
This type of advertising is designed to provide you with a selection of products based on what you’re viewing. The adverts may highlight alternative styles and colours as well as products from other categories deemed relevant to your browsing history. The technology behind these adverts is based on cookies. Find out more about cookies, and why and how we use them, via the ‘What are cookies’ section above.
COMMENTS OR QUESTIONS?
We are interested in your comments and will be pleased to answer any questions concerning our privacy policy. Please contact us.
PRIVACY NOTICE FOR OUR PATIENTS/SERVICE USERS
HOW WE USE AND SHARE YOUR INFORMATION TO HELP YOU
We need to keep a record of the care you receive to ensure that:
- Professionals involved in your care have accurate and up-to-date information
- We have all the information necessary for assessing your needs and providing excellent care
- Your concerns can be properly investigated if you raise a complaint
- Accurate information about you is available if you:
  - Move to another area
  - Need to use another service
  - See a different healthcare professional.
YOUR RECORD
We have a duty to:
- Maintain full and accurate records of the care we provide to you
- Ensure that your records are confidential, secure and accurate
- Provide a copy at your request in an accessible format (e.g. in large type if you are partially sighted).
Your record may include some or all of the following:
- Your name, address and date of birth
- Your email address and telephone number
- Contacts we have had with you, such as appointments
- Notes and reports on your health
- Details of treatment and care, images and test results
- Information on medicines, side effects and allergies
- Relevant information from people who care for you and know you well, such as health professionals and relatives.
- The staff who see you may also add notes on their professional opinion.
If you wish us to, and it is practical, we will discuss and agree with you what we are going to enter on your record and show you what we have recorded.
IDENTIFYING YOU AS AN INDIVIDUAL
We have many patients/service users with similar names, so it is vitally important for all patients/service users to be properly identified as individuals. In order to be absolutely sure that you have been correctly identified we may ask you for a number of pieces of information. Suitable items include:
- Full name
- Date of birth
- Passport as photo ID
- Driving licence as photo ID
- Permanent (home, not a temporary) address
- Email address
- Contact number
HOW YOU CAN HELP US TO KEEP YOUR HEALTH RECORD ACCURATE
- Let us know when you change address, telephone number or name
- Tell us if any information in your record is incorrect
- Give your consent so that we can share information about you with other health professionals to make sure you receive the right healthcare
- Tell us if you change your mind about how we share the information in your record.
HOW MUSE STUDIOS LIMITED USES YOUR CONTACT DETAILS
We take your privacy seriously so please let us know how you want us to contact you.
- Telephone
It is important for us to have a valid contact number for you. We may ring, leave a message or text you with information relevant to your treatment such as appointment confirmation, pre-care advice and post-treatment follow-up. Please let us know if you do not wish to be contacted by telephone.
- Email
It is important for us to have a valid email address for you. We use this to send information relevant to your treatment such as appointment confirmation, pre-care information and aftercare advice. We may also use your email to send you a regular newsletter about the clinic and our services; however, you can opt out of this if you do not wish to receive this.
Please read the following before providing us with your email address.
- Emails can be quick and convenient and will allow you to keep a record (unlike a phone call). However, although our own systems are secure, it may be possible to intercept your email when it is being sent over the internet.
- Be aware also that if you share your computer others may read your emails.
- You could use email to contact staff in relation to a query or to ask about an appointment.
- Do not give more personal information than we need to process your request.
- Do not ask us to send you medical details that you would not want seen by other people.
If you have an urgent question or feel unwell after going home following treatment, contact the clinic on 0044 7718219145 (Monday-Saturday 10AM to 7PM) or an emergency service (e.g. the 111 NHS emergency service, or 999 for life-threatening conditions) by telephone; do NOT email.
HOW YOUR RECORDS ARE KEPT
Our guiding principle is that we hold your records in strict confidence.
Muse Studios Limited is registered under the Data Protection Act 2018. It abides by the law and observes good practice in maintaining confidentiality and appropriate information security.
We will fulfil our obligations under this Act to the fullest extent, including ensuring that the following eight principles governing the processing of personal data are observed:
- personal data shall be processed fairly and lawfully;
- personal data shall be obtained only for specified and lawful purposes, and shall not be processed in any manner incompatible with those purposes;
- personal data shall be adequate, relevant and not excessive in relation to the purposes for which it is processed;
- personal data shall be accurate and, where necessary, kept up to date;
- personal data shall be kept for no longer than is necessary for the purposes for which it is processed;
- personal data shall be processed in accordance with the rights of data subjects under the Act;
- personal data shall be subject to appropriate technical and organisational measures to protect against unauthorised or unlawful processing and accidental loss, destruction or damage;
- personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of data protection
Information about you and the services you receive may be held in a number of formats and will be kept for the specific retention periods outlined by the relevant professional bodies. We use secure electronic systems to store user records, images and details of prescriptions. Patient data held on paper or disk will be processed in accordance with the Data Protection Act and destroyed using secure documented procedures after the time periods set out by the Department of Health.
HOW YOUR RECORDS ARE USED
We use your records to:
- Ensure that any treatment or advisory services we provide to you are based on accurate information.
- Send a letter about your care to your GP or other health professional at the end of your treatment, unless you tell us not to do so.
- Work effectively with other services providing you with treatment or advice.
- Monitor the quality of our care and help us to understand the outcomes of care.
- Investigate any concerns or complaints you or your family have about your health care.
- Provide information that is needed for financial transactions in relation to payment for treatment, such as billing. For private patients/service users this may include details shared with your insurance company. If you have any concerns about this, please contact your insurer.
ANONYMISED DATA
We may remove your name and other details that could identify you so that we can use the information in your record anonymously to:
- Monitor and improve the quality of care received by patients/service users
- Protect the health of the general public, for example we may share anonymous and aggregated patient information with organisations such as the National Institute for Clinical Excellence and the Cancer Registry for research or statistical purposes
- Train and educate staff.
Wherever possible, we anonymise your data or use a quasi-identifier such as a patient number.
SHARING YOUR HEALTH RECORD
Muse Studios Limited has a designated Information Lead/Data Protection Officer who is responsible for protecting the confidentiality of patient information and making sure that information is shared where this is appropriate.
To make sure you receive all the care and treatment you need, we may need to share the information in your health record with other staff and organisations. This could include:
- Other healthcare professionals, such as doctors, pharmacists, and pathology and radiology staff involved in the analysis and reporting of diagnostic tests
- Other hospitals and private sector organisations involved in your care
- Local authority departments
- Voluntary organisations providing on-going support
- Administrative support staff
Note that anyone who receives information from us also has a legal duty to keep it confidential.
We may also share information that identifies you where:
- You ask us to do so
- We ask for specific permission and you agree to this
- We are required to do this by law
- We have special permission because we believe that the reasons for sharing are so important that they override our obligation of confidentiality (e.g. to prevent someone from being seriously harmed).
We do not give the names and addresses of patients/service users to other organisations except under the circumstances described in this Privacy Notice. Unless you have signed an additional consent, we will not contact you after your visit for purposes other than:
- Follow up of care
- Collecting your views about your stay with us
- Settlement of any account that may be due, if appropriate
- Complaints and concerns handling.
SPECIAL SITUATIONS
Sometimes we have a legal duty to provide information about people; examples are reporting some infectious diseases, and when a court order instructs us to do so. Records may also be shared without the patient’s consent in exceptional situations, such as to safeguard adults or children.
SHARING YOUR RECORDS OUTSIDE THE EU
If your permanent address is outside the EU, or your treatment is continuing outside the EU, we may send details of your treatment to individuals based outside the EU specifically to promote your ongoing care. This would normally be the doctor who referred you to us for treatment. If you wish, we can give you the documents so that you have physical control over this information.
In the usual course of our business, we may use third parties to process and store your data on our behalf. We normally store your data on secure servers in the European Economic Area (EEA). Such processing is subject to contractual restrictions with regard to confidentiality and security in addition to the obligations imposed by the Data Protection Act 1998.
Exceptionally, we may make use of suppliers that are based outside the EEA for processing and storing your data. We have strict controls over how and why your data can be accessed. By submitting your personal data, you agree to this.
Where necessary we may transfer personal information overseas for processing to support the long-term effectiveness of treatment and monitor patient outcomes. Personal information will be processed in this way where it is not possible to achieve this purpose with the use of anonymised or pseudonymised information only.
HOW CAN I STOP MY INFORMATION FROM BEING SHARED?
Muse Studios Limited acts to provide information principally for other health and social care professionals who have requested this since they require further detailed investigations on their patients/service users. So naturally we will normally need to share this information with your doctor who has referred you to our service.
If you do not want us to share your information with your GP, other healthcare providers or carers, please tell the team looking after you. But please note that not sharing your information may affect the care that can be provided for you.
You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. Where your wishes cannot be followed you will be told the reasons including the legal basis. You may at any time withdraw any consent you have previously given to us to process information about you.
If you wish to exercise your right to opt-out, withdraw consent to use your information, or to speak to somebody to understand what impact this may have, please discuss your concerns with your professional, or email us typing ‘Opt Out Request’ in the subject line of the email.
YOUR LEGAL RIGHTS
Muse Studios Limited is the Data Controller of the data it holds about its patients/service users and staff.
You have the right to confidentiality under the Data Protection Act 2018 (DPA), the Human Rights Act 1998 and the Common Law Duty of Confidentiality. The Equality Act 2010 may also apply.
You have the right to know what information we hold about you, what we use it for and if the information is to be shared, who it will be shared with.
You have the right to apply for access to the information we hold about you. Other people can also apply to access your health records on your behalf. These include anyone authorised by you in writing (such as a solicitor), or any person appointed by a court to manage your affairs where you cannot manage them yourself. Access covers:
- The right to obtain a copy of your record in permanent form;
- The right to have the information provided to you in a way you can understand, and explained where necessary, for example where abbreviations have been used.
You would not be entitled to see information that:
- Has been provided about you by someone else if they haven’t given permission for you to see it
- Identifies another person who has not given permission for you to see the information about them
- Relates to criminal offences
- Is being used to detect or prevent crime
- Could cause physical or mental harm to you or someone else.
If you are currently receiving services from us and wish to view the record without obtaining a copy, discuss your request with the professional in charge of your care.
OBTAINING A COPY OF YOUR RECORD
If you wish to apply for access to the information we hold about you:
- You should send your request in writing to us.
- You should provide enough information to enable us to correctly identify your records, for example include your full name, address, date of birth, any unique identifier number.
- We will take every reasonable step to respond to you within 40 days of receiving your request.
- You may be required to provide a form of ID before any information is released to you.
Once you receive your records, if you believe any information is inaccurate or incorrect, please inform us.
This Privacy Policy is effective immediately and will remain in effect until further notice.
We reserve the right to update or change our Privacy Policy at any time and you should check this Privacy Policy periodically. Your continued use of the Service after we post any modifications to the Privacy Policy on this page will constitute your acknowledgment of the modifications and your consent to abide and be bound by the modified Privacy Policy.
Confidentiality Policy
1. INTRODUCTION
The reasons for the policy:
- All information about the organisation (in particular user data) is confidential, whether held electronically or in hard copy
- Other information about Muse Studios Limited (for example its financial matters) is confidential
- Staff will of necessity have access to such confidential information from time to time.
A duty of confidentiality arises when one person discloses information to another in circumstances where it is reasonable to expect that the information will be held in confidence. This duty of confidence is derived from:
- Common law – the decisions of the Courts
- Statute law which is passed by Parliament.
2. RELEVANT CQC FUNDAMENTAL STANDARD/H+SC ACT REGULATION (2014)
- Regulation 10: “Dignity and Respect”.
3. APPLICABILITY
The policy applies to all employees and contractors engaged by Muse Studios Limited (collectively referred to herein as ‘members of staff’).
4. POLICY
- Members of staff must not under any circumstances disclose service user information to anyone outside Muse Studios Limited, except to other health professionals on a need-to-know basis, or where the user has provided written consent, or for some other legal reason (e.g. Court Order regarding disclosure).
- All information about users is confidential: from the most sensitive diagnosis, to the fact of having visited the clinic or being registered with the organisation.
- Members of staff must not under any circumstances disclose other confidential information about the company to anyone outside Muse Studios Limited unless with the express consent of the CQC Registered Manager or representative.
- Members of staff should limit any discussion about confidential information only to those who need to know within Muse Studios Limited.
- The duty of confidentiality owed to a person under 16 is as great as the duty owed to any other person.
- All users can expect that their personal information will not be disclosed without their permission (except in the most exceptional circumstances when disclosure is required when somebody is at grave risk of serious harm).
- Electronic transfer of any confidential information must be via the clinic email address only (which is HIPAA compliant). Members of staff must take particular care that confidential information is not transmitted in error.
- Members of staff must not take data from the organisation’s computer systems (e.g. on a memory stick or removable drive) off the premises.
- Members of staff who suspect a breach of confidentiality must inform the CQC Registered Manager or representative immediately.
- Any breach of confidentiality will be considered as a serious disciplinary offence and may lead to dismissal.
- Members of staff remain bound by the requirement to keep information confidential even if they are no longer employed at Muse Studios Limited.
- Any breach, or suspected breach, of confidentiality after the worker has left Muse Studios Limited’s employment will be passed to the organisation’s lawyers for action.
- Any user wishing to have access to their own records will be treated in accordance with statutory requirements.
- PLEASE ENSURE THAT ALL PATIENT RECORDS ARE NOT VISIBLE TO OTHER PATIENTS ON THE CLINIC COMPUTERS. ALWAYS DOUBLE CHECK THIS.
5. RESPONSIBILITIES OF MEMBERS OF STAFF
All health professionals must follow their professional codes of practice and the law. This means that they must make every effort to protect confidentiality. It also means that no identifiable information about a user is passed to anyone or any agency without the express permission of that user, except when this is essential for providing care or necessary to protect somebody’s health, safety or well-being.
All health and social care professionals are individually accountable for their own actions. They should, however, also work together as a team to ensure that standards of confidentiality are upheld, and that improper disclosures are avoided.
Additionally, the organisation:
- is responsible for ensuring that everybody employed or engaged by Muse Studios Limited understands the need for, and maintains, confidentiality.
- has overall responsibility for ensuring that systems and mechanisms are in place to protect confidentiality.
Standards of confidentiality apply to all staff who are bound by contracts of employment, Contracts For Service or other forms of engagement to maintain confidentiality. They must not reveal, to anybody outside the organisation, personal information they learn in the course of their work, or due to their presence in the surgery, without the user’s consent. Nor will they discuss with colleagues any aspect of a user’s attendance at the surgery in a way that might allow identification of the user unless to do so is necessary for the user’s care. These requirements will be conveyed to all staff as part of their induction when first joining the organisation.
6. GENERAL PRINCIPLES
The general principle to remember is that nothing is to be revealed to an enquirer. The identity of callers must be established and, if necessary, return calls made to confirm this.
Personal visits from either the police or press should be handled with courtesy. Following confirmation of their identity, they should then be referred to the CQC Registered Manager or deputy.
Any clinical details or personal information contained within the user’s medical records must not be discussed with friends or relatives. This includes confirming a user has attended the clinic for whatever reason. A user’s reason to attend the clinic may be something they do not wish to discuss with their family, or require others to know about.
It is important to note that individual users are not identified for purposes of training or any other activity.
7. IF DISCLOSURE TO THIRD PARTIES IS NECESSARY
If a user or another person is at grave risk of serious harm which disclosure to an appropriate person would prevent, the relevant health professional should take advice from the CQC Registered Manager or representative, and/or from a professional / regulatory / defence body, in order to decide whether disclosure without consent is justified to protect the user or another person. If a decision is taken to disclose, the user should always be informed before disclosure is made, unless to do so could be dangerous.
Any decision to disclose information to protect health, safety or well-being will be based on the degree of current or potential harm, not the age of the user.
In addition, there may be instances where disclosure is necessitated by reason of legal process (e.g. Court Order). On occasion, the Police may also approach Muse Studios Limited for information about a user, e.g. in a case of serious crime. Such situations will call for careful judgement, and will normally need to be subject to confirmation by a Director. Medical staff involved will also be well advised to consult their professional indemnity organisation in advance of any disclosure.
Information relating to a user may be disclosed for the following reasons:
- Information relating to a user may be disclosed provided the user has given his/her written authorisation for his/her legal representative to obtain it.
- Where a user has died, consent to release information should be sought from the Executor of the estate.
- Where the user has died intestate, consent to release information should be sought from the next of kin.
- When healthcare professionals involved with the user’s care need to share clinical information in the strictest confidence.
- When adverse drug reactions may be reported by any authorised professional staff to the Committee on Safety of Medicines.
Release Of Information As A Legal Requirement
- Certain infectious diseases must be notified under the Public Health (Infectious Disease) Regulations 1968. Failure to comply is a criminal offence (Infection Control Office).
- If a user is suspected of addiction to a scheduled drug, a doctor is required to inform the Chief Medical Officer of the Home Office Drugs Branch (Misuse of Drugs Notification & Supply to Addicts Regulation 1985).
- The Road Traffic Act 1972 requires information to be given to the police, which may lead to the identification of the driver of a vehicle. Only the name and address may be given.
- Any individual must give information to the police which may prevent an act of terrorism or lead to the apprehension of a person involved in such an act (The Prevention of Terrorism (Temporary Provisions) Act 1989).
- A professional member of staff’s duty of confidentiality may be overridden when failure to disclose information would expose the user, or someone else, to the risk of death or serious harm. Where a professionally qualified person feels unable to disclose, the police or Crown Prosecution Service may apply for a Court Order under the Police & Criminal Evidence Act 1984.
- In the event of sudden, suspicious or unexplained deaths, the Coroner may wish to investigate. Information should be disclosed, to determine whether an inquest should be held.
- Any person must obey a written legal order to attend court and produce confidential evidence.
- Identifiable information, relating to users being treated for sexually transmitted diseases, shall not be disclosed, except for the purpose of treatment or prevention.
- If a healthcare professional has reason to suspect child abuse, it is legitimate to supply information to appropriate authorities, to ensure the safety of the child is maintained.
- Access to computer held information under the Data Protection Acts.
- In general terms, it is accepted that in the UK, the physical records, i.e. the cover, papers, forms etc, shall not be disclosed, except for the purpose of treatment or prevention.
- Access to computer held information under the Data Protection Act 1984.
8.CONFIDENTIALITY GUIDELINES FOR MEMBERS OF STAFF
- Be aware that careless talk can lead to a breach of confidentiality – discuss your work only with authorised personnel, preferably in private.
- Always keep confidential documents away from prying eyes.
- Always remember to ensure that no patient files are visible on the computer when a patient is in the room.
- Verbal reporting about users should be carried out in private. If this is not possible, it should be delivered in a volume such that it can only be heard by those for whom it is intended.
- When asking for confidential information in circumstances where the conversation can be overheard by others, conduct the interview in as quiet and discreet a manner as possible and preferably find somewhere private for the discussion.
- Information should be given over the telephone only to the user or, in the case of children, to their parent or guardian. Precautions should be taken to prevent the conversation being overheard. Care must be taken to ensure that the duty of confidentiality to a minor is not breached, even to a parent.
- The duty of confidentiality owed to a person under 16 is as great as the duty owed to any other person.
- When using computers, unauthorised access should be prevented by password protection and physical security such as locking the doors when offices are left unattended. Unwanted paper records should be disposed of safely by shredding on site.
- If unsure about authorisation to disclose, or a person’s authorisation to receive confidential information, always seek authorisation from the CQC Registered Manager or representative before disclosing any personal health information.
9.LEGISLATION
All relevant staff must understand their responsibilities relating to confidentiality, and where appropriate be aware of the following legislation:
The Data Protection Act 1998
This Act governs the processing of information that identifies living individuals. Processing includes holding, obtaining, recording, using and disclosing of information and the Act applies to all forms of media, including paper and electronic.
The Mental Capacity Act (2005)
This provides a legal framework to empower and protect people who may lack capacity to make some decisions for themselves. The assessor of an “individual’s capacity to make a decision will usually be the person who is directly concerned with the individual at the time the decision needs to be made”. This means that different health care workers will be involved in different capacity decisions at different times.
The Freedom of Information Act 2000
This Act grants people rights of access to information that is not covered by the Data Protection Act 1998, e.g. information which does not contain a person’s identifiable details.
The Computer Misuse Act 1990
This Act secures computer programs and data against unauthorised access or alteration. Authorised users have permission to use certain programs and data. If users go beyond what is permitted, this is a criminal offence.
Disclosure
Disclosure means the giving of information. Disclosure is only lawful and ethical if the individual has given consent to the information being passed on. Such consent must be freely and fully given. Consent to disclosure of confidential information may be:
- Explicit
- Implied
- Required by law or
- Capable of justification by reason of the public interest.
Disclosure with Consent
Explicit consent is obtained when the person in the care of a member of professional staff agrees to disclosure, having been informed of the reason for that disclosure and with whom the information may or will be shared. Explicit consent can be written or spoken. Implied consent is obtained when it is assumed that the person understands that their information may be shared within the clinical team. Professional staff should make the people in their care aware of this routine sharing of information, and clearly record any objections.
Disclosure without Consent
The term ‘public interest’ describes the exceptional circumstances that justify overruling the right of an individual to confidentiality in order to serve a broader social concern. Under common law, staff are permitted to disclose personal information in order to prevent serious crime and support its detection, investigation and punishment, and/or to prevent abuse or serious harm to others. Each case must be judged on its merits. These decisions are complex and must weigh the public interest in ensuring confidentiality against the public interest in disclosure. Disclosures should be proportionate and limited to relevant details.
Professional staff should be aware that it may be necessary to justify disclosures to the courts or to the appropriate statutory regulator, and must keep a clear record of the decision-making process and advice sought. Courts tend to require disclosure in the public interest where the information concerns misconduct, illegality and gross immorality.
Disclosure to Third Parties
This is where information is shared with other people and/or organisations not directly involved in a person’s care. Professional staff must ensure that the people in their care are aware that information about them may be disclosed to third parties involved in their care. Users generally have a right to object to the use and disclosure of confidential information. They need to be made aware of this right and understand its implications. Information that can identify individual people in the care of a nurse, doctor or dentist must not be used or disclosed for purposes other than healthcare without the individual’s explicit consent, some other legal basis, or where there is a wider public interest.
Confidentiality after Death
The duty of confidentiality continues after the death of an individual to whom that duty is owed.
Information Disclosure to the Police
In English law there is no obligation placed upon any citizen to answer questions put to them by the police. However, there are some exceptional situations in which disclosure is required by statute.
Police Access to Medical Records
The police have no automatic right to demand access to a person’s medical records. Usually, before the police may examine a person’s records they must obtain a warrant under the Police and Criminal Evidence Act 1984. Before a police constable can gain access to a hospital, for example, in order to search for information such as medical records or samples of human tissue, he or she must apply to a circuit judge for a warrant. The police have no duty to inform the person whose confidential information is sought, but must inform the person holding that information.
This Act allows healthcare professionals to pass on information to the police if they believe that someone may be seriously harmed or death may occur if the police are not informed. Before any disclosure is made, healthcare professionals should always discuss the matter fully with other professional colleagues and, if appropriate, consult their statutory regulator, professional body or trade union. It is important that healthcare professionals are aware of their organisational policies and how to implement them. Wherever possible, the issue of disclosure should be discussed with the individual concerned and consent sought. If disclosure takes place without the person’s consent, they should be told of the decision to disclose, and a clear record of the discussion and decision should be made as stated above.
Special Considerations to be Taken into Account when Disclosure is Being Considered
In some circumstances it may not be appropriate to inform the person of the decision to disclose, for example, due to the threat of a violent response. The professional staff may feel that, because of specific concerns, a supplementary record is required containing details of the disclosure. The Data Protection Act 1998 does allow for healthcare professionals to restrict access to information they hold on a person in their care, if that information is likely to cause serious harm to the individual or another person. A supplementary record should only be made in exceptional circumstances as it limits the access of the person to information held about them. All members of the healthcare team should be aware that there is a supplementary record, and this should not compromise the person’s confidentiality.
Acting as a Witness in a Court Case
A healthcare professional summoned as a witness in a court case must give evidence. There is no special rule to entitle healthcare professionals to refuse to testify. If the individual refuses to disclose any information in response to any question put to him/her, then a judge may find the individual in contempt of court and may ultimately send him/her to prison.
Risk or Breach of Confidentiality
If a member of staff identifies a risk or breach of confidentiality they must raise their concerns with the CQC Registered Manager if they are unable to take affirmative action to correct the problem and record that they have done so. A risk or breach of confidentiality may be due to individual behaviour or as a result of organisational systems or procedures.
Confidentiality is a fundamental part of professional practice that protects human rights. This is identified in Article 8 (Right to respect for private and family life) of the European Convention of Human Rights which states:
The common law of confidentiality reflects that people have a right to expect that information provided is only used for the purpose for which it was given and will not be disclosed without permission. This covers situations where information is disclosed directly and also to information obtained from others. One aspect of privacy is that individuals have the right to control access to their own personal health information.
- All staff will respect people’s right to confidentiality.
- Staff must ensure people are informed about how and why information is shared by those who will be providing their care.
- Staff must disclose information if they believe someone may be at risk of harm, in line with the law of the country in which they are practising.
The Data Protection Act 1998 requires every organisation that processes personal information to register with the Information Commissioner’s Office (ICO), unless they are exempt. Failure to do so is a criminal offence. Further details and registration forms can be found on: http://ico.org.uk/
The reasons for the policy:
- All information about the organisation (in particular user data) is confidential, whether held electronically or in hard copy
- Other information about Muse Studios Limited (for example its financial matters) is confidential
- Staff will of necessity have access to such confidential information from time to time.
A duty of confidentiality arises when one person discloses information to another in circumstances where it is reasonable to expect that the information will be held in confidence. This duty of confidence is derived from:
- Common law – the decisions of the Courts
- Statute law which is passed by Parliament.
10.RELEVANT CQC FUNDAMENTAL STANDARD/H+SC ACT REGULATION (2014)
- Regulation 10: “Dignity and Respect”.
11.APPLICABILITY
The policy applies to all employees and contractors engaged by Muse Studios Limited (collectively referred to herein as ‘members of staff’).
12.POLICY
- Members of staff must not under any circumstances disclose service user information to anyone outside Muse Studios Limited, except to other health professionals on a need-to-know basis, or where the user has provided written consent, or for some other legal reason (e.g. Court Order regarding disclosure).
- All information about users is confidential: from the most sensitive diagnosis, to the fact of having visited the clinic or being registered with the organisation.
- Members of staff must not under any circumstances disclose other confidential information about the company to anyone outside Muse Studios Limited unless with the express consent of the CQC Registered Manager or representative.
- Members of staff should limit any discussion about confidential information only to those who need to know within Muse Studios Limited.
- The duty of confidentiality owed to a person under 16 is as great as the duty owed to any other person.
- All users can expect that their personal information will not be disclosed without their permission (except in the most exceptional circumstances when disclosure is required when somebody is at grave risk of serious harm).
- Electronic transfer of any confidential information must be via the clinic email address only (which is HIPAA compliant). Members of staff must take particular care that confidential information is not transmitted in error.
- Members of staff must not take data from the organisation’s computer systems (e.g. on a memory stick or removable drive) off the premises.
- Members of staff who suspect a breach of confidentiality must inform the CQC Registered Manager or representative immediately.
- Any breach of confidentiality will be considered as a serious disciplinary offence and may lead to dismissal.
- Members of staff remain bound by the requirement to keep information confidential even if they are no longer employed at Muse Studios Limited.
- Any breach, or suspected breach, of confidentiality after the worker has left Muse Studios Limited’s employment will be passed to the organisation’s lawyers for action.
- Any user wishing to have access to their own records will be treated in accordance with statutory requirements.
- PLEASE ENSURE THAT ALL PATIENT RECORDS ARE NOT VISIBLE TO OTHER PATIENTS ON THE CLINIC COMPUTERS. ALWAYS DOUBLE CHECK THIS.
13.RESPONSIBILITIES OF MEMBERS OF STAFF
All health professionals must follow their professional codes of practice and the law. This means that they must make every effort to protect confidentiality. It also means that no identifiable information about a user is passed to anyone or any agency without the express permission of that user, except when this is essential for providing care or necessary to protect somebody’s health, safety or well-being.
All health and social care professionals are individually accountable for their own actions. They should, however, also work together as a team to ensure that standards of confidentiality are upheld, and that improper disclosures are avoided.
Additionally, the organisation:
- is responsible for ensuring that everybody employed or engaged by Muse Studios Limited understands the need for, and maintains, confidentiality.
- has overall responsibility for ensuring that systems and mechanisms are in place to protect confidentiality.
Standards of confidentiality apply to all staff who are bound by contracts of employment, Contracts For Service or other forms of engagement to maintain confidentiality. They must not reveal, to anybody outside the organisation, personal information they learn in the course of their work, or due to their presence in the surgery, without the user’s consent. Nor will they discuss with colleagues any aspect of a user’s attendance at the surgery in a way that might allow identification of the user unless to do so is necessary for the user’s care. These requirements will be conveyed to all staff as part of their induction when first joining the organisation.
14.GENERAL PRINCIPLES
The general principle to remember is that nothing is to be revealed to an enquirer. The identity of callers must be established and, if necessary, return calls made to confirm this.
Personal visits from either the police or press should be handled with courtesy. Following confirmation of their identity, they should then be referred to the CQC Registered Manager or deputy.
Any clinical details or personal information contained within the user’s medical records must not be discussed with friends or relatives. This includes confirming a user has attended the clinic for whatever reason. A user’s reason to attend the clinic may be something they do not wish to discuss with their family, or require others to know about.
It is important to note that individual users are not identified for purposes of training or any other activity.
15.IF DISCLOSURE TO THIRD PARTIES IS NECESSARY
If a user or another person is at grave risk of serious harm which disclosure to an appropriate person would prevent, the relevant health professional should take advice from the CQC Registered Manager or representative, and/or from a professional / regulatory / defence body, in order to decide whether disclosure without consent is justified to protect the user or another person. If a decision is taken to disclose, the user should always be informed before disclosure is made, unless to do so could be dangerous.
Any decision to disclose information to protect health, safety or well-being will be based on the degree of current or potential harm, not the age of the user.
In addition, there may be instances where disclosure is necessitated by reason of legal process (e.g. Court Order). On occasion, the Police may also approach Muse Studios Limited for information about a user, e.g. in a case of serious crime. Such situations will call for careful judgement, and will normally need to be subject to confirmation by a Director. Medical staff involved will also be well advised to consult their professional indemnity organisation in advance of any disclosure.
Information relating to a user may be disclosed for the following reasons:
- Information relating to a user may be disclosed provided the user has given his/her written authorisation for his/her legal representative to obtain it.
- Where a user has died, consent to release information should be sought from the Executor of the estate.
- Where the user has died intestate, consent to release information should be sought from the next of kin.
- When healthcare professionals involved with the user’s care need to share clinical information in the strictest confidence.
- When adverse drug reactions may be reported by any authorised professional staff to the Committee on Safety of Medicines.
Release Of Information As A Legal Requirement
- Certain infectious diseases must be notified under the Public Health (Infectious Disease) Regulations 1968. Failure to comply is a criminal offence (Infection Control Office).
- If a user is suspected of addiction to a scheduled drug, a doctor is required to inform the Chief Medical Officer of the Home Office Drugs Branch (Misuse of Drugs Notification & Supply to Addicts Regulation 1985).
- The Road Traffic Act 1972 requires information to be given to the police, which may lead to the identification of the driver of a vehicle. Only the name and address may be given.
- Any individual must give information to the police which may prevent an act of terrorism or lead to the apprehension of a person involved in such an act (The Prevention of Terrorism (Temporary Provisions) Act 1989).
- A professional member of staff’s duty of confidentiality may be overridden when failure to disclose information would expose the user, or someone else, to the risk of death or serious harm. Where a professionally qualified person feels unable to disclose, the police or Crown Prosecution Service may apply for a Court Order under the Police & Criminal Evidence Act 1984.
- In the event of sudden, suspicious or unexplained deaths, the Coroner may wish to investigate. Information should be disclosed, to determine whether an inquest should be held.
- Any person must obey a written legal order to attend court and produce confidential evidence.
- Identifiable information, relating to users being treated for sexually transmitted diseases, shall not be disclosed, except for the purpose of treatment or prevention.
- If a healthcare professional has reason to suspect child abuse, it is legitimate to supply information to appropriate authorities, to ensure the safety of the child is maintained.
- Access to computer held information under the Data Protection Acts.
- In general terms, it is accepted that in the UK, the physical records, i.e. the cover, papers, forms etc, shall not be disclosed, except for the purpose of treatment or prevention.
- Access to computer held information under the Data Protection Act 1984.
16.CONFIDENTIALITY GUIDELINES FOR MEMBERS OF STAFF
- Be aware that careless talk can lead to a breach of confidentiality – discuss your work only with authorised personnel, preferably in private.
- Always keep confidential documents away from prying eyes.
- Always remember to ensure that no patient files are visible on the computer when a patient is in the room.
- Verbal reporting about users should be carried out in private. If this is not possible, it should be delivered in a volume such that it can only be heard by those for whom it is intended.
- When asking for confidential information in circumstances where the conversation can be overheard by others, conduct the interview in as quiet and discreet a manner as possible and preferably find somewhere private for the discussion.
- Information should be given over the telephone only to the user or, in the case of children, to their parent or guardian. Precautions should be taken to prevent the conversation being overheard. Care must be taken to ensure that the duty of confidentiality to a minor is not breached, even to a parent.
- The duty of confidentiality owed to a person under 16 is as great as the duty owed to any other person.
- When using computers, unauthorised access should be prevented by password protection and physical security such as locking the doors when offices are left unattended. Unwanted paper records should be disposed of safely by shredding on site.
- If unsure about authorisation to disclose, or a person’s authorisation to receive confidential information, always seek authorisation from the CQC Registered Manager or representative before disclosing any personal health information.
17.LEGISLATION
All relevant staff must understand their responsibilities relating to confidentiality, and where appropriate be aware of the following legislation:
The Data Protection Act 1998
This Act governs the processing of information that identifies living individuals. Processing includes holding, obtaining, recording, using and disclosing of information and the Act applies to all forms of media, including paper and electronic.
The Mental Capacity Act (2005)
This provides a legal framework to empower and protect people who may lack capacity to make some decisions for themselves. The assessor of an “individual’s capacity to make a decision will usually be the person who is directly concerned with the individual at the time the decision needs to be made”. This means that different health care workers will be involved in different capacity decisions at different times.
The Freedom of Information Act 2000
This Act grants people rights of access to information that is not covered by the Data Protection Act 1998, e.g. information which does not contain a person’s identifiable details.
The Computer Misuse Act 1990
This Act secures computer programs and data against unauthorised access or alteration. Authorised users have permission to use certain programs and data. If users go beyond what is permitted, this is a criminal offence.
Disclosure
Disclosure means the giving of information. Disclosure is only lawful and ethical if the individual has given consent to the information being passed on. Such consent must be freely and fully given. Consent to disclosure of confidential information may be:
- Explicit
- Implied
- Required by law or
- Capable of justification by reason of the public interest.
Disclosure with Consent
Explicit consent is obtained when the person in the care of a member of professional staff agrees to disclosure, having been informed of the reason for that disclosure and with whom the information may or will be shared. Explicit consent can be written or spoken. Implied consent is obtained when it is assumed that the person understands that their information may be shared within the clinical team. Professional staff should make the people in their care aware of this routine sharing of information, and clearly record any objections.
Disclosure without Consent
The term ‘public interest’ describes the exceptional circumstances that justify overruling the right of an individual to confidentiality in order to serve a broader social concern. Under common law, staff are permitted to disclose personal information in order to prevent serious crime and support its detection, investigation and punishment, and/or to prevent abuse or serious harm to others. Each case must be judged on its merits. These decisions are complex and must weigh the public interest in ensuring confidentiality against the public interest in disclosure. Disclosures should be proportionate and limited to relevant details.
Professional staff should be aware that it may be necessary to justify disclosures to the courts or to the appropriate statutory regulator, and must keep a clear record of the decision-making process and advice sought. Courts tend to require disclosure in the public interest where the information concerns misconduct, illegality and gross immorality.
Disclosure to Third Parties
This is where information is shared with other people and/or organisations not directly involved in a person’s care. Professional staff must ensure that the people in their care are aware that information about them may be disclosed to third parties involved in their care. Users generally have a right to object to the use and disclosure of confidential information. They need to be made aware of this right and understand its implications. Information that can identify individual people in the care of a nurse, doctor or dentist must not be used or disclosed for purposes other than healthcare without the individual’s explicit consent, some other legal basis, or where there is a wider public interest.
Confidentiality after Death
The duty of confidentiality continues after the death of an individual to whom that duty is owed.
Information Disclosure to the Police
In English law there is no obligation placed upon any citizen to answer questions put to them by the police. However, there are some exceptional situations in which disclosure is required by statute.
Police Access to Medical Records
The police have no automatic right to demand access to a person’s medical records. Usually, before the police may examine a person’s records they must obtain a warrant under the Police and Criminal Evidence Act 1984. Before a police constable can gain access to a hospital, for example, in order to search for information such as medical records or samples of human tissue, he or she must apply to a circuit judge for a warrant. The police have no duty to inform the person whose confidential information is sought, but must inform the person holding that information.
This Act allows healthcare professionals to pass on information to the police if they believe that someone may be seriously harmed or death may occur if the police are not informed. Before any disclosure is made, healthcare professionals should always discuss the matter fully with other professional colleagues and, if appropriate, consult their statutory regulator, professional body or trade union. It is important that healthcare professionals are aware of their organisational policies and how to implement them. Wherever possible, the issue of disclosure should be discussed with the individual concerned and consent sought. If disclosure takes place without the person’s consent, they should be told of the decision to disclose, and a clear record of the discussion and decision should be made as stated above.
Special Considerations to be Taken into Account when Disclosure is Being Considered
In some circumstances it may not be appropriate to inform the person of the decision to disclose, for example, due to the threat of a violent response. The professional staff may feel that, because of specific concerns, a supplementary record is required containing details of the disclosure. The Data Protection Act 1998 does allow for healthcare professionals to restrict access to information they hold on a person in their care, if that information is likely to cause serious harm to the individual or another person. A supplementary record should only be made in exceptional circumstances as it limits the access of the person to information held about them. All members of the healthcare team should be aware that there is a supplementary record, and this should not compromise the person’s confidentiality.
Acting as a Witness in a Court Case
If a healthcare professional is summoned as a witness in a court case, he/she must give evidence. There is no special rule to entitle healthcare professionals to refuse to testify. If the individual refuses to disclose any information in response to any question put to him/her, then a judge may find the individual in contempt of court and may ultimately send him/her to prison.
Risk or Breach of Confidentiality
If a member of staff identifies a risk or breach of confidentiality they must raise their concerns with the CQC Registered Manager if they are unable to take affirmative action to correct the problem and record that they have done so. A risk or breach of confidentiality may be due to individual behaviour or as a result of organisational systems or procedures.
Confidentiality is a fundamental part of professional practice that protects human rights. This is identified in Article 8 (Right to respect for private and family life) of the European Convention of Human Rights which states:
The common law of confidentiality reflects that people have a right to expect that information provided is only used for the purpose for which it was given and will not be disclosed without permission. This covers situations where information is disclosed directly and also information obtained from others. One aspect of privacy is that individuals have the right to control access to their own personal health information.
- All staff will respect people’s right to confidentiality.
- Staff must ensure people are informed about how and why information is shared by those who will be providing their care.
- Staff must disclose information if they believe someone may be at risk of harm, in line with the law of the country in which they are practising.
The Data Protection Act 1998 requires every organisation that processes personal information to register with the Information Commissioner’s Office (ICO), unless they are exempt. Failure to do so is a criminal offence. Further details and registration forms can be found at: http://ico.org.uk/