[Withdrawn] Patient Safety Commissioner privacy notice
Published 28 September 2022
Applies to England
Summary
The Patient Safety Commissioner (PSC) acts as a champion for patients and works to drive improvement in the safety of medicines and medical devices.
Dr Henrietta Hughes, the PSC, will be an independent point of contact for patients, giving a voice to their concerns with regard to medicines and medical devices. She will help the NHS and government better understand what they can do to put patients first, promote the safety of patients, and the importance of the views of patients and other members of the public.
Data controller
The PSC is the data controller.
What personal data the PSC collects
In order to fulfil their role as a voice for patients, the PSC will need to collect personal data. This will vary depending on the nature of their interactions with patients, but may include:
- name
- address
- postcode
- date of birth
- age
- sex
- gender
- mobile or home phone number
- email address
- geographical location
- nationality or immigration status
- information relating to the individual’s physical or mental health condition
- information relating to the individual’s sex life or sexual orientation
- information which relates to the ethnic origin of the individual
- information relating to the individual’s religion or other beliefs
How the PSC uses your data (purposes)
The PSC needs to collect and hold personal data to understand the views of patients with regard to medicines and medical devices. While the PSC will not act on behalf of individuals, it is their insight that helps the PSC understand what improvements patients wish to see with regard to medicines and medical devices, and to convey that understanding and her recommendations for improvement to the health sector.
Legal basis for processing personal data
Under Article 6 of the United Kingdom General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are:
(e) Necessary task in the public interest or controller’s official authority.
This is in line with the PSC’s functions as outlined in Part 1 of the Medicines and Medical Devices Act 2021.
Under Article 9 of the UK GDPR, the lawful bases we rely on for processing special category data are:
(h) Necessary for the purposes of preventive or occupational medicine, the provision of health or social care or treatment or the management of health or social care systems and services.
Data processors and other recipients of personal data
While we do not envision the requirement to share identifiable data with other organisations (such as other government departments or health and care organisations) in order for the PSC to carry out their duties as described above, there may be circumstances where this is required, including (but not limited to):
- where there is a business need to do so, should we use any third parties to process data on our behalf (such as consultation exercises)
- where we are under a duty to do so in order to comply with a legal obligation, or we are permitted to do so to protect the rights, property or safety of others (such as sharing with police forces and other law enforcement organisations)
Where this is necessary, we will ensure all aspects of data protection legislation are complied with, including (where appropriate) the requirement to inform data subjects.
International data transfers and storage locations
All personal data that the PSC processes is securely stored within the UK.
Retention and disposal policy
Any personal data processed by the PSC will only be held for as long as is required for the PSC to fulfil their statutory functions.
How the PSC keeps your data secure
The PSC and their team are required to complete mandatory information security and data protection training as required by government. All data is processed and stored securely on servers based in the UK and is only accessed by those authorised to do so by the PSC.
Your rights as a data subject
By law, data subjects have a number of rights, and this processing does not take away or reduce these rights under the EU General Data Protection Regulation (2016/679) and the UK Data Protection Act 2018.
These rights are:
- the right to get copies of information – individuals have the right to ask for a copy of any information about them that is used
- the right to get information corrected – individuals have the right to ask for any information held about them that they think is inaccurate, to be corrected
- the right to limit how the information is used – individuals have the right to ask for any of the information held about them to be restricted, for example, if they think inaccurate information is being used
- the right to object to the information being used – individuals can ask for any information held about them to not be used. However, this is not an absolute right, and continued use of the information may be necessary, with individuals being advised if this is the case
- the right to get information deleted – this is not an absolute right, and continued use of the information may be necessary, with individuals being advised if this is the case
Comments or complaints
Anyone unhappy with, or wishing to complain about, how personal data is used as part of this programme should contact, in the first instance: commissioner@patientsafetycommissioner.org.uk.
Anyone who is still not satisfied can complain to the Information Commissioner’s Office.
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Automated decision-making or profiling
No decision will be made about individuals solely based on automated decision-making (where a decision is taken about them using an electronic system without human involvement) which has a significant impact on them.
Changes to this policy
This privacy notice is kept under regular review, and new versions will be available on our privacy notice page on GOV.UK. This privacy notice was last updated on 28 September 2022.