What information about me will be held by the DESP?
- Date of birth
- Contact details
- NHS number
- Details of your GP
- Preferred language
- Preferred contact method
- Any other specific requirements
- If you have been diagnosed as having Type 1 or Type 2 diabetes
What other information will the DESP Need?
Once you agree to have your eyes screened it will be necessary for the Programme to access previous screening results.
Further information may be required about your medical history relating to diabetes such as your blood sugar levels, blood pressure, foot checks, smoking history, etc.
If you do not wish this information to be passed to the programme then you should let the DESP staff know when confirming/attending your appointment for screening.
This will not prevent you from being screened but does mean staff are less able to assess your case as carefully.
Where does the DESP get my information from?
To ensure every diabetic patient receives eye screening, the DESP will routinely receive data from GPs. The information may be provided to us via the GP2DRS IT system.
GP2DRS is a system for automating the sharing of patient information between general practices and local diabetic eye screening programmes. GPs are responsible for referring eligible patients with diabetes for diabetic eye screening, by communicating each patient’s contact details to their local programme.
GP2DRS uses the General Practice Extraction Service (GPES) provided by NHS Digital to obtain the information of eligible patients from computer systems used by GPs. You can learn more information about this service from the primary NHS privacy notice in respect of the national DESP programme - https://www.gov.uk/government/publications/diabetic-eye-screening-use-and-transfer-of-patient-information/diabetic-eye-screening-use-of-personal-information
If you do not want your GP to provide information about you to your local diabetic eye screening programme you should contact your GP to opt out of the service.
Who are we?
The DESP service is provided by Medical Imaging (UK) Limited (T/A NPS Care), a company registered in England with company number 04416975 with a registered office address of Northgate Public Services, Peoplebuilding 2, Peoplebuilding Estate, Maylands Avenue, Hemel Hempstead, HP2 4NW. We are committed to protecting and respecting your privacy. We are contracted by the NHS to deliver the DESP programme.
Who will see information about me?
As part of delivering the DESP programme we may need from time to time to share elements of your personal data with certain entities, including:
Those involved in making, changing and booking your appointments.
Screening Team/ Local Optometrists contracted by the DESP
Those who carry out the screening process including putting in the eye drops, checking vision, taking your history, taking photographs of your eyes and grading the photographs. Staff involved in your screening are employed by an NHS body or an NHS partner company commissioned to provide services. All those involved in your diabetic eye screening follow the same NHS standards of confidentiality.
Your General Practitioner
Your results and screening information will be sent to your GP.
Local Hospital’s Eye Department
If your case is referred to the hospital for further assessment the information about you will be forwarded to the hospital so that those who will be looking after your case have as much information about your history as possible.
Occasionally problems may occur in the software used by the programme. Normally the software supplier will not need to see information that is identifiable. However it may become necessary to supply basic information to ensure that the correct information is maintained by the programme securely. All NHS software providers are bound by requirements of confidentiality.
In order to make sure the DESP operates effectively it is assessed by those involved in national quality assurance. They may require access to your data.
If there is a change in diabetic eye screening provider, patient data will be shared between the incoming and outgoing providers so that service can continue to run. This is done under the supervision of NHS England using a standard data sharing agreement. No data is shared without direction from NHS England.
To a contractor appointed by us to deliver elements of the DESP service on our behalf (and under our control), for example, a third party contracted to send out notifications that your next appointment is due. Any access we might grant to a contractor will be limited to such information as is required for them to deliver the relevant service (and will be subject to a contract which includes appropriate obligations of confidence and compliance with applicable law).
How is my information used?
We will use the personal data which we hold about you in order to deliver services under the DESP programme to you.
During your screening, you may be asked to provide consent for us to use your data for research purposes. We periodically undertake clinical research studies to improve the quality of the service we provide within NPS Care or with carefully selected partners. Examples may include research on predicting the risk of developing diabetic eye disease and using image recognition to improve the quality of the grading of your retinal images. The quality of care we provide you will not be affected if you do not agree to research.
In addition, efforts will be made nationally by the NHS to carry out research using fully anonymised data to try to identify as precisely as possible how best diabetes should be managed in the long term.
Basis on which we process your personal data
We may rely on a range of legal grounds in accordance with the applicable privacy laws in order to ensure that our use your personal data is lawful, including:
- where it is necessary for us to deliver healthcare services to you;
- where it is in our legitimate interests to do so (provided this is not overridden by considerations regarding your rights and interests), such as:
- delivering the DESP service;
- sharing your personal data with service providers in order to deliver any element of the Service;
- managing the Service, updating your records, contacting you about the Service (where appropriate);
- performing and/or testing the performance of, our products, services and internal processes;
- following guidance and recommended best practice of government and regulatory bodies;
- managing and auditing our business operations;
- monitoring and to keeping records of our communications with you;
- to comply with our legal obligations; and/or
- with your (explicit) consent.
How and where we store your personal data
We use strict procedures and security features designed to prevent any unauthorised or unlawful access to the personal data which we control.
Personal data which we hold in relation to you will be stored securely at our offices and (where relevant) at the offices of third party agencies, service providers, representatives and agents. We may also hold your personal data in secure data centres located within the European Economic Area (EEA).
We will retain a record of your personal data in accordance with relevant law and the following criteria:
- in accordance with the terms of the contract(s) under which we are commissioned to deliver the DESP programme; and/or
- in line with any legal and regulatory requirements or guidance in respect of retention periods.
You have a number of important legal rights regarding the manner in which personal data relating to you is used. You can find more information about your rights on the Information Commissioner’s Office website – please see: https://ico.org.uk/for-the-public/
We have outlined below the key rights which we believe may be relevant to your use of the screening service and your interactions with the DESP.
If you would like to exercise any of these rights then please contact us using the contact information provided below. Please note that you may be asked to provide us with reasonable proof of your identity so that we can be sure that we are discussing or providing your personal data with, or to, you (or if someone is making a request on your behalf, we need to check that they have the authority to do so).
Access to information
You have the right to access certain information we hold about you so that you can be aware of, and verify the lawfulness of, the processing we undertake.
You can exercise your right of access by making what is generally referred to as a 'subject access request'.
We will review each request which we receive and if we agree that we are obliged to provide personal data to you then we will (subject to certain limited exceptions provided under the relevant law) amongst other things: (i) describe it to you; (ii) tell you why we are holding it; (iii) tell you who it could be disclosed to; and (iv) let you have a copy of it (this may include providing an electronic copy).
Right to have information corrected
If you identify that any personal data that we hold about you is wrong, inaccurate or out of date then you may ask us to correct or update it. Please contact us via the details provided below and we will review each request and respond accordingly.
Right to stop or limit our processing of your personal data
This is also known as the ‘right to be forgotten’. You have the right to require us to stop or to limit any processing we are undertaking in respect of your personal data if we no longer have a valid reason to do so or if we have held it for too long.
This is not an absolute right but every request we receive will be considered carefully and we will respond accordingly (providing grounds for any decision we make).
Right to withdraw consent
You are free to withdraw any consent which you have given to us in relation to our use of your personal data at any time. Please note that not all uses which we make of your personal data require your consent.
Right to complain
If you are unhappy about the way in which we have processed your personal data then you have a right to raise the issue or to lodge a complaint with the Information Commissioner’s Office – as noted above please see https://ico.org.uk/for-the-public/ for further details.
Changes to our privacy notice
We will keep this privacy notice and we may update it from time to time (for example, to reflect changes we might make to our services or to reflect changes in the law or best practice). Any changes we may make to our privacy notice in the future will be posted on this page. We encourage you to visit this page periodically so that you are aware of any changes which have been made. In addition changes may be notified to you when you next attend a clinic.
This version of our privacy notice is effective as from 25th May 2018.
If you have any comments or concerns regarding our fair processing notice, or the manner in which we handle your personal data or if you would like to exercise any of the rights outlined above then please do feel free to contact us by one of the following means:
- By post: FAO Data Protection Officer, Northgate Public Services, Peoplebuilding 2, Peoplebuilding Estate, Maylands Avenue, Hemel Hempstead, HP2 4NW.
- By email:email@example.com