COVID-19 Clinical Assessment Service: transparency notice
Updated 14 May 2021
Introduction
The Secretary of State for Health and Social Care, acting through the executive agency of the Department of Health and Social Care (DHSC), Public Health England, has commissioned the provision of a COVID-19 Clinical Assessment Service (CCAS) to support members of the public and their representatives with clinical advice from GPs.
The COVID-19 Clinical Assessment Service is a temporary service which has been rapidly mobilised as a part of the UK’s national response to the COVID-19 pandemic emergency.
A number of organisations have been mobilised to provide the rapid response COVID-19 Clinical Assessment Service. Existing contracts and agreements between a variety of UK health authorities and providers that were originally created to support a national flu pandemic response have been amended and deployed to mobilise this service at speed to support public health provision.
Contact details of the Data Protection Officer
The appointed Data Protection Officer as required under the EU GDPR and the Data Protection Act 2018 is as follows:
Lee Cramp, Data Protection Officer
Department of Health and Social Care
39 Victoria Street
London
SW1H 0EU
Email: data_protection@dhsc.gov.uk
Purposes of processing your personal data including health information
We process your personal data for the following purposes:
1. Provision of clinical advice on COVID-19 to callers
- guidance on status of eligibility to receive vaccines
- verification of eligibility to receive vaccines
- referrals to clinicians or other health care professionals for medical advice
- support and advice on vaccines, including frequently asked questions (FAQ), general information and signposting to other services where necessary
- booking or rescheduling appointments
- appointment and second vaccination reminders
- send service delivery messages by e-mail and/or text (SMS) message direct to callers (patients or representatives or guardians) when you indicate you wish to receive these
- patient call back
2. Compliments and complaints
- determine the nature of the issue or concern
- initiate an appropriate investigation
- provide a resolution and response
3. Service planning and forecasting
- forecasting to manage supply and demand
- management information and reporting
4. Training and quality assurance
- calls will be recorded for training and quality purposes to maintain service delivery standards
5. Medical and scientific research
6. Clinical governance
7. Miscellaneous purposes
- to update guidance provided to patients, for example ‘frequently asked questions’ (FAQ)
- ombudsman requirements
- non-clinical auditing
- fulfilment of any legal obligation placed upon the department
Legal basis for processing your personal data
The legal basis for processing your personal data is that ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ as set out in Article 6(1)(e), EU GDPR. This legal basis includes public health tasks and delivery of this service.
Where we have specific legal obligations that require the processing of personal data, the legal basis is that ‘processing is necessary for compliance with a legal obligation to which the controller is subject’ as set out in Article 6(1)(c), EU GDPR.
Categories of personal data processed during the CCAS process
We process the following categories of personal data, together with examples of the types of personal data processed included within each category:
1. Contact information:
- addresses, telephone numbers, e-mail addresses, contact details for your GP/health care professional
2. Identification information:
- date of birth, NHS number, proof of attorney or guardianship
3. Health information:
- relevant medical history including but not limited to past vaccinations, allergies, medications, any COVID-19 symptoms
4. Occupation/work sector:
- job title, role, name/type of employer, industry
5. Call recordings:
- audio files, call transcripts
6. Compliments and complaints information:
- contact details, nature of issue or concern
7. Miscellaneous information:
- may include any of the above and/or additional information to fulfil and respond to any legal obligations, data protection requests, legal disputes and/or public reporting
Some of the above categories will contain special category personal data.
Categories of recipients of your personal data
We will only share your personal data with those that have a valid ‘need to know’ in order to fulfil their role for the purpose of delivering this helpline service. Individuals will only be given access to the part of your personal data that is needed to perform their role to maintain service delivery. These include but may not be limited to:
- call centre staff
- clinicians and other health and social care professionals
- IT system processors
- UK Health Authorities involved in delivery of the service
Other recipients of your personal data
We will also need to share your personal data on a ‘need to know’ basis with trusted third-party partners to perform key activities on our behalf to deliver an effective service. These include, but are not limited to the following:
- WEBEX – provider of call connection to GPs that call patients (or patient representative) that are queued seeking clinical assessment
- Adastra – provides a database for holding caller details and call notes
This list of third parties will be kept under review and updated to inform you if or when a new third party is appointed.
How your personal data is kept secure
The security of your personal data and health information is of paramount importance to us. Personal data including any health information you provide as part of your contact with the COVID-19 Clinical Assessment Service is handled by clinicians with an awareness of security procedures in place for protection of your data. Calls are recorded and monitored for quality and safety purposes. Access to recordings is controlled and subject to a Quality Assurance process that removes personal identifiable data prior to any further listening, for example required for complaint investigations.
Our supplier provides an IT solution that manages your personal data taken during the call. There are technical and organisational security safeguards in place to minimise risks associated with data loss, misuse, unauthorised access, disclosure and alteration. Personal data and the IT solution are backed up to data centres located in the UK to minimise the impact of any data loss. At an organisational level, our supplier is certified to ISO 27001:2013, an international standard for the management of information security, and receives surveillance visits every 6 months.
We require our supplier to follow security guidelines as detailed in their contractual terms in processing your personal data on our behalf. In the unlikely event that there is a requirement to report any data breaches to the Information Commissioner’s Office, the UK regulator for data protection, we will do so in accordance with the UK GDPR and Data Protection Act 2018.
Details of transfers of personal data to any countries or international organisations
Processing of your personal data is completed securely within the UK and we do not currently intend to transfer your personal data outside the European Economic Area (EEA). If this changes in the future, we will update this notice to reflect that and we will ensure any restricted transfers of personal data only take place where adequate safeguards are in place.
How long we will hold your personal data
All personal details that you provide will be stored safely and securely. We will only keep your personal details/health information for as long as necessary depending on the purposes and in accordance with the Records Management Code of Practice for Health and Social Care 2016, but will dispose of your data sooner if it’s appropriate to do so.
The rights available to individuals in respect of the processing
You can exercise rights in relation to your personal data that are set out below, where those rights apply under data protection law. These are not absolute rights and the availability of some of these rights may vary depending on the circumstances in which they are applied. If you wish to exercise any of your rights please contact us using the details under section 2 above.
We will aim to respond to your requests in relation to your rights within one month and if it is going to take longer we will outline the reason and provide an updated response time. Your rights and how they apply are described below:
1. The right to get copies of your information:
You have the right to ask for a copy of any information about you that is used.
2. The right to get your information corrected:
You have the right to ask for any information held about you that you think is inaccurate to be corrected.
3. The right to limit how your information is used:
You have the right to ask for any of the information held about you to be restricted, for example, if you think inaccurate information is being used.
4. The right to object to your information being used:
You can ask for any information held about you to not be used. However, this is not an absolute right and we may need to continue using your information. We will tell you if this is the case.
5. The right to get information deleted:
This is not an absolute right and we may need to continue to use your information. We will tell you if this is the case.
The right to lodge a complaint with a supervisory authority
If you are not happy or wish to complain about how your personal data is used as part of this service, you should contact the DHSC in the first instance to resolve your issue (contact details in section 2 above).
If you are still unsatisfied, you have the right to lodge a complaint with the supervisory authority for data protection. In the United Kingdom, the Supervisory Authority is:
UK Information Commissioner’s Office
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113 (local rate)
The source your personal data originates from and whether it came from publicly accessible records
The sources of your personal data are:
- caller (patient or representative or health care provider)
- National Health Service (NHS) Systems
We will not refer to information held about you on any publicly available records, for example Companies House.
Details of whether individuals are under a statutory or contractual obligation to provide the personal data
Individuals are not under a statutory or contractual obligation to provide personal data to our service.
Details of the existence of automated decision making including profiling
Clinical governance uses automated diversion pathways with a degree of manual intervention to deliver the service. Please do contact us if you require any further information about this.