top of page

Privacy

This privacy notice tells you what to expect us to do with your personal information when you contact us or use one of our services.

​

This notice is layered. So, if you wish, you can easily select the reason we process your personal information and see what we do with it.

​

The first part of the notice is information we need to tell everybody.

 

1.1 Contact details

Pastel Health Ltd. is the controller for the information we process, unless otherwise stated.

There are many ways you can contact us, including by phone, email and post.

Our Data Protection Officer is Umar Sabat. You can contact him at umar.sabat@ig-health.co.uk.

 
1.2 How do we get information?

Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • You are an NHS patient, where we provide services in partnership with the NHS.

  • You have applied for a job or secondment with us.

  • You have visited our offices or our website.

  • You have attended one of our events.
     

We may monitor and record communications with you, such as telephone conversations and emails, for quality, training and compliance purposes.
 

We also receive personal information indirectly, in the following scenarios:

  • You are an NHS patient that has been referred to our services by your GP practice.

  • You are a patient and as part of your treatment you have had an assessment or test at a hospital or specialist.

  • You are a patient and as part of your wider care you are receiving support from other organisations, such as community services, care homes, hospices, social services and housing support.

  • An employee of ours gives us your contact details as an emergency contact or a referee.

  • You are an employee of one of our customers, potential customers, or business partners.
     

We will only use your personal information for the purpose(s) for which we have obtained it.  We may process your information without your knowledge or consent where this is required by law.

 
1.3 Sharing your information

We will not share your information with any third parties for the purposes of direct marketing.
 

We will not transfer any of your information to a separate organisation or individual outside of the EU.
 

In some limited circumstances we may be legally obliged to share information. For example, under a court order.
 

We use third parties to provide elements of services for us, such as NHS patient records management systems. We have contracts in place with these third parties. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

 
1.4 Your information protection rights

Under information protection law, you have rights we need to make you aware of. The rights available to you depend on the reason for processing your information.
 

  • Right to be informed: organisations must tell individuals what information is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.

  • Right of access: individuals have the right to request a copy of the information that an organisation holds on them.

  • Right of rectification: individuals have the right to correct information that is inaccurate or incomplete.

  • Right to be forgotten: in certain circumstances, individuals can ask for the information an organisation holds on them to be erased from their records.

  • Right of portability: individuals can request that organisation transfer any information that it holds on them to another company.

  • Right to restrict processing: individuals can request that an organisation limits the way it uses personal information.

  • Right to object: individuals have the right to challenge certain types of processing, such as direct marketing.

  • Right related to automated decision-making including profiling: individuals are free to request a review of automated processing if they believe the rules aren’t being followed.
     

You have the right to obtain information from us as to whether we are processing your personal information and if we are, to request a copy of the personal information we hold about you.  This is known as a ‘Subject Access Request’.  If you wish to make a subject access request, please do contact us.

​

Where you have provided consent for us to process your personal information, please note that you have the right to withdraw this consent at any time.

 

1.5 Complaints

We aim to meet the highest standards when collecting and using personal information, however if you have any complaints or concerns about any aspect of this privacy policy and the ways in which we obtain, store, manage or destroy personal information, then please contact us via our contact us page.
 

Alternatively, you can raise an issue, if you feel we have in any way handled your personal information unfairly or inappropriately, with the Information Commissioners Office. Further details on GDPR and information protection laws can also be found at the ICO website.

 

2. What information do we hold?

As providers of health care services, we have a legal duty to collect and process information relating to the creation of medical records.

We only hold information that is relevant to your care and treatment. This may include:

  • Basic details such as name, address and contact details.

  • Details of contact we have had with you throughout your treatment with us.

  • Professional information (such as job title, role and duties) if your occupation is relevant to your care and treatment.

  • Details of the services you have accessed.

  • Treatment notes and reports about your health and any treatment you have received.

  • Your feedback and treatment outcome information.

  • Information surrounding complaints and incidents which may have arisen.

  • Recordings of calls, inbound and outbound.

  • Any other personal information we collect in the course of providing our services or in the course of operating our business.


3. Lawful basis for processing

Although we will always seek your consent for the medical treatment itself, this is entirely separate from our data protection obligations. We rely on the following legal reasons for processing your personal information:
 

  • Consent: We will tell you how your information will be used and seek your consent, where it can be freely given.

  • Contractual necessity: We will process your personal information when it is necessary to perform a contract. For example, where we provide services to you that are fund by the NHS or your employer.

  • Legal obligation: We will process your personal information when it is necessary to comply with a legal or regulatory obligation (e.g. identity checks, external auditing).

  • Legitimate interests: We will process your personal information when we or a third party have a legitimate interest in processing it (e.g. ensuring our business policies are adhered to or improving our business through research and statistical analysis).  We only process for this reason if the legitimate interest is not overridden by your own interests or fundamental rights or freedoms.

  • Perform a public task: For NHS patients the processing is necessary for the performance of a task carried out in the public interest.
     

Information pertaining to your health is classified as ‘special category information’.  We will process this information on the basis that it is necessary for medical diagnosis, the provision of health care services and historical research purposes or statistical purposes.


4. Sharing your health record

We will not disclose any health information to third parties unless there are specific circumstances as outlined below:

  • To provide the best possible care, it may be necessary to share your health information with others. For example, with your GP, a consultant or the hospital which treats you. We will discuss this with you and seek your consent.

  • We will make it clear if we are providing a service as part of multi-agency team or partnership where we may be required to share your health information with the lead organisation.

  • We may need to share limited and more general information as part of the contractual arrangements with the NHS or your employer (if they are funding the treatment).

  • In exceptional situations, we may need to share information without your consent if:

          – it is in the public interest – for example, there is a risk of death or serious harm.
          – there is a legal need to share it – for example, to protect a child under the Children  
          Act 1989.
          – a court order tells us that we must share it.

  • there is a legitimate enquiry from the police for information related to a serious crime.
     

Pastel Health will always do its best to notify you of this sharing.
 

5. How the NHS and care services use your information

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
 

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance, to help with:

  • improving the quality and standards of care provided.

  • research into the development of new treatments.

  • preventing illness and diseases.

  • monitoring safety.

  • planning services.
     

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential NHS patient information about your health and care is only used like this where allowed by law.
 

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
 

You have a choice about whether you want your confidential NHS patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.
 

To find out more or to register your choice to opt-out, please visit www.nhs.uk/your-nhs-data-matters.
 

On this web page you will:

  • See what is meant by confidential patient information.

  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care.

  • Find out more about the benefits of sharing data.

  • Understand more about who uses the data.

  • Find out how your data is protected.

  • Be able to access the system to view, set or change your opt-out setting.

  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone.

  • See the situations where the opt-out will not apply.
     

You can also find out more about how patient information is used at:

  1. https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and

  2. https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
     

You can change your mind about your choice at any time.
 

6. How long we hold your health records for

As a Healthcare organisation we have a legal and regulatory obligation for health care records to be kept for a minimum period of time.  We will typically keep your information for a period of 8 years after the end of your care.

​

bottom of page