L’Atelier Aesthetics 60 Harley Street Tel: 0207 637 3208 London W1G 7HA Policy statement
Confidentiality and data protection Policy
1.1 L’Atelier Aesthetics independent healthcare service is fully committed to complying with the Data Protection Act 1998 which came into force on 1 March 2000.
1.2 It is important that L’Atelier Aesthetics protects and safeguards patient-identifiable (or person-identifiable) and confidential business information that it gathers, creates, processes and discloses, in order to comply with the law, and to provide assurance to patients who use the healthcare services on offer.
1.3 All employees of L’Atelier Aesthetics are bound by a legal duty of confidentiality to protect personal information they may come into contact with during the course of their work.
1.4 This policy sets out the principles that must be observed by all staff who work within L’Atelier Aesthetics and have access to person-identifiable information or confidential information.
1.5 All members of staff need to be aware of their responsibilities for safeguarding confidentiality and preserving information security.
1.6 Respect for confidentiality is an essential requirement for L’Atelier Aesthetics as an independent healthcare provider.
2. Data protection
2.1 The ease with which personal information can be passed L’Atelier Aesthetics – often electronically – is a benefit for patients and for those involved in their care and treatment. However, all staff need to be aware of their legal responsibilities under the Data Protection Act to protect the confidentiality of patient information, and other information relating to the business activities of L’Atelier Aesthetics.
2.2 Personal information on staff is also protected by the Data Protection Act. The Act affords members of staff the same rights of protection for, and of access to, their personal information held by L’Atelier Aesthetics.
2.3 The term ‘person-identifiable information’ refers to information relating to any identifiable individual and it is important to be aware that healthcare information is considered in the Data Protection Act to be ‘sensitive information’ requiring the highest levels of care and protection.
2.4 L’Atelier Aesthetics fully supports and complies with the principles of the Data Protection Act. In summary, this means personal information must be:
- processed fairly and lawfully
- processed for limited purposes and in an appropriate way
- adequate, relevant and sufficient for the purpose
Page 2 of 10
- accurate and up-to-date
- kept for as long as is necessary and no longer
- processed in line with individuals’ rights
- secure and protected against unlawful access, loss or damage, and only transferred to others that have suitable data protection controls.
2.5 Everyone working for L’Atelier Aesthetics who records, handles, stores or otherwise comes across information, has a statutory duty under the Data Protection Act, along with a duty of confidentiality in common law, to patients and to L’Atelier Aesthetics as an employer. These duties apply equally to staff who are permanent or temporary, full or part-time, agency or bank staff, staff who have been granted practising privileges, students or trainees, volunteers, or to staff on temporary placements.
2.6 L’Atelier Aesthetics will follow procedures to ensure that all employees, contractors, agents, consultants and other relevant parties who have access to any personal information held by, or on behalf of L’Atelier Aesthetics, are fully aware of and abide by their duties and responsibilities under the Act.
3. Roles and responsibilities
3.1 The Medical Director The Medical Director has overall responsibility for maintaining confidentiality within L’Atelier Aesthetics and ensuring that this policy is complied with by all staff. This responsibility may be delegated to a senior member of staff.
3.2 All members of staff All staff have a responsibility to protect the personal information held by L’Atelier Aesthetics.
Each member of staff will be expected to take steps to ensure that personal data is kept secure at all times and protected against unauthorised, unlawful or accidental loss, damage or disclosure. This applies to all personal identifiable information held in all formats, whether is it in patients’ healthcare records or staff employee files, or in any other format such as diaries, message books, notebooks, appointment books, emails and other notes held about individuals.
In particular staff must ensure that:
- they are appropriately trained and knowledgeable in the handling of personal information
- paper files and other records or documents containing personal/sensitive data are kept in a secure environment
Page 3 of 10
- where they are required to take personal information away from the L’Atelier Aesthetics premises as part of their work, including information held in all formats, this should be held securely at all times and everything possible done to safeguard against unauthorised access or accidental loss or damage
- personal information is transferred securely at all times, whether it is being sent electronically or by surface post
- personal data held on computers and computer systems is protected by the use of secure passwords, and all relevant policies are adhered to when processing personal data to ensure adequate levels of protection are maintained. Where staff, as part of their L’Atelier Aesthetics responsibilities, collect, hold and process information about other people, they must comply with this policy. No-one should disclose personal information outside this policy or use personal data held about others for their own purposes. All healthcare professionals practising within L’Atelier Aesthetics have professional and ethical duties of confidentiality within their respective codes of conduct which they are expected to follow.
4. Person identifiable information
4.1 Person-identifiable information is anything that contains the means to identify a person, e.g. an individual name, address, postcode, date of birth, email address, telephone number, or unique identifiable reference number.
4.2 Confidential information within L’Atelier Aesthetics is not restricted to a person’s health information. It also includes private information that an individual would not expect to be shared such as staff employee records, occupational health records, and business information about L’Atelier Aesthetics.
4.3 Information can relate to L’Atelier Aesthetics patients and staff (including temporary staff), however stored. Information may be held in:
- paper format
- tablet devices
- mobile phones
- digital cameras
- compact discs (CDs)
Page 4 of 10
- digital versatile discs (DVDs), and USB devices. This list is not exhaustive.
5. Disclosure of personal information
5.1 Strict conditions apply to the disclosure of personal information within L’Atelier Aesthetics. L’Atelier Aesthetics will not disclose personal information to any third party unless it is believed to be lawful to do so.
5.2 Information relating to identifiable patients must not be divulged to anyone other than an authorised person, for example medical, nursing or other healthcare professional staff, as appropriate, who are concerned directly with the care, diagnosis and/or treatment of the patient.
5.3 Maintaining confidentiality is an important duty but there are circumstances when it may be appropriate to disclose confidential patient information. These are:
- when the patient has given consent
- when the law says it must be disclosed, or when it is in the public interest to do so. An example of such circumstances would be child protection where the overriding principle is to secure the best interests of the child.
5.4 L’Atelier Aesthetics will also seek the consent of staff for the passing on of identifiable personal information for any purpose other than those outlined to staff on appointment. In certain circumstances, information relating to staff acting in a business capacity may be made available provided:
- L’Atelier Aesthetics has the statutory power or is required by law to do so, or
- the information is clearly not intrusive in nature, or
- the member of staff has consented to the disclosure, or
- the information is in a form that does not identify individual employees.
5.5 If staff have any concerns about disclosing information they must discuss this with the Medical Director.
Page 5 of 10
6. Caldicott principles
6.1 The following seven Caldicott principles will be adhered to by L’Atelier Aesthetics in all cases where the appropriate use of person identifiable health information is considered.
Principle 1 Justify the purpose Every proposed use or transfer of personal confidential data, within or from, L’Atelier Aesthetics should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by the Practice Manager or Medical Director.
Principle 2 Don’t use personal confidential data unless it is absolutely necessary Personal confidential data should not be used unless it is essential for the specified purpose. The need for patients to be identified should be considered at each stage of satisfying the purpose.
Principle 3 Use the minimum necessary personal confidential data Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data transferred or accessible as is necessary for a given function to be carried out.
Principle 4 Access to personal confidential data should be on a strict need to know basis Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see.
Principle 5 Everyone with access to personal confidential data should be aware of their responsibilities Action should be taken to ensure that those handling personal confidential data, both clinical and non-clinical staff, are made fully aware of their responsibilities and obligations to respect patient confidentiality.
Principle 6 Comply with the law Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements. In L’Atelier Aesthetics, this is the Medical Director.
Principle 7 The duty to share information can be as important as the duty to protect patient confidentiality Health and social care professionals should have the confidence to share information in the best interests of patients within the framework set out by these principles. They should be supported by policies of their respective regulators and professional bodies.
Page 6 of 10
Examples of justifiable purposes include:
- delivering personal care and treatment
- assuring and improving the quality of care and treatment
- monitoring and protecting public health
- managing and planning healthcare services
- risk management
- investigating complaints and potential legal claims
- teaching purposes
- statistical analysis, and
- medical or health services research. The above principles do not and cannot provide definitive answers for every situation as much depends on the context of each individual case. If in doubt, staff working at L’Atelier Aesthetics must seek appropriate advice from the Medical Director before releasing personally identifiable information.
7. Handling of personal information
7.1 L’Atelier Aesthetics will handle all person-identifiable information securely and in keeping with the requirements of the Data Protection Act.
7.2 All staff, through appropriate training and responsible management, will be expected to:
- fully observe conditions regarding the collection and use of personal information
- meet legal obligations to specify the purposes for which personal information is gathered and used
- collect and process appropriate personal information only to the extent that it is needed to fulfil L’Atelier Aesthetics’s operational needs or to comply with any legal requirements
- apply strict checks to determine the length of time personal information is held, and
- take appropriate technical and organisational security measures to safeguard personal information.
7.3 L’Atelier Aesthetics will take disciplinary action against any member of staff found to have breached patient confidentiality, and ensure
Page 7 of 10
that all staff are aware that they risk personal prosecution for breaches of the Data Protection Act.
8.1 L’Atelier Aesthetics will ensure that:
- there is always someone with specific responsibility for Data Protection in L’Atelier Aesthetics
- patients are pro-actively informed of the uses to which their information is put
- staff are informed, on appointment, of the uses to which their personal information is put, e.g. equal opportunity monitoring
- consent is sought before passing personal identifiable information on for any reason other than to fulfil justifiable purposes
- staff are reminded of their obligations under the Data Protection Act
- everyone managing and handling personal information understands that they are directly and personally responsible for following good Data Protection practice
- only staff who need access to personal information as part of their duties are authorised to do so. Unauthorised access to personal information, either in paper or electronic format, is considered to be a breach of the Data Protection Act and this L’Atelier Aesthetics policy
- everyone managing and handling personal information is appropriately trained to do so
- everyone managing and handling personal information is appropriately supervised, where necessary
- anyone wishing to make enquiries about handling personal information knows what to do
- queries about handling personal information are dealt with promptly and courteously
- methods of handling personal information are clearly described, and
- the way personal information is managed and handled will be regularly reviewed and evaluated.
9. Breaches of confidentiality
9.1 Breaches of confidentiality are often unintentional. They are often caused by staff conversations being overheard, by files being left unattended, or by poor
Page 8 of 10
computer security. However, the consequences could be equally serious for all concerned.
9.2 Obligations to maintaining confidentiality and preventing breaches include;
- not gossiping
- taking care not to be overheard when discussing a patient’s circumstances in a public area
- closing and locking doors/cabinets/drawers when not in use
- not leaving a computer unattended and logged-in
- always logging out of a computer when work is finished or when leaving a desk
- making sure computer screens are never visible to the public, especially in public reception areas
- querying the status of visitors and strangers to London Interventional Radiology, and
- knowing who to tell if anything is suspicious or worrying.
9.3 The simple rule of thumb is that personally identifiable information must always be held securely and, when used, treated with respect. This rule applies whether the information is held in paper format, in a computer, or in a member of staff’s head.
10. Policy awareness
10.1 All new members of staff at L’Atelier Aesthetics will be made aware of this policy through their induction programme.
10.2 Existing staff will be reminded of the policy which will be readily accessible within L’Atelier Aesthetics.
10.3 All staff and relevant third parties must be familiar with and comply with this policy at all times.
Storage and security of your personal information
We comply with the standard procedures and requirements as laid down by applicable law to ensure that your personal information is kept secure and we use the latest in Secure Server Technology (SSL – 128bit encryption) to ensure that all of your personal information is protected to the highest standards.
The transmission of information via the internet is not completely secure. Any emails we send or receive may not be protected in transit. Although we will do our best to protect your personal information, we cannot guarantee the security of your information transmitted to our website; any transmission is at your own risk.
Any passwords that you use must be kept securely. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
Additionally, the information that we collect from you may be transferred to, and stored at, a destination outside the UK and the European Economic Area (“EEA”). It may also be processed by our third party suppliers outside of the UK and EEA.
This site uses Google Analytics to track user interaction. We use this data to determine the number of people using our site, to better understand how they find and use our web pages and to see their journey through the website.
Google Analytics records data such as your geographical location, device, internet browser and operating system, none of this information personally identifies you. Google Analytics also records your computer’s IP address which could be used to personally identify you but Google do not grant us access to this.
Email newsletters – Campaign Monitor
We use a third party provider, Campaign Monitor, to deliver our e-newsletters using the email address that you submit to us. We gather statistics around email opening and clicks.
Your email address will remain within Campaign Monitor’s database for as long as we continue to use Campaign Monitor’s services for email marketing or until you specifically request removal from the list. You can do this by unsubscribing using the unsubscribe links contained in any email newsletters.
We consider Campaign Monitor to be a third party data processor. For more information, please see MailChimp privacy notice
If you are under 18 years of age you MUST obtain parental consent before joining our email newsletter.
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. We may also use trusted third-party services that track this information on our behalf.
Most web browsers allow some control of most cookies through the browser settings. Every browser is different, look at your browser’s Help Menu to learn the correct way to modify your cookies. If you turn cookies off, some features may be disabled.
The Data Controller
Our registration number for the UK Data Protection Act 1998 is ZA180716
Operating office is:
C/O Integra Advisers Llp, 1 Westleigh Hall Wakefield Road, Denby Dale, Huddersfield, England, HD8 8QJ
Data Protection Officer
Changes to this privacy notice
We keep our privacy notice under regular review. This privacy notice was last updated on 10th May 2018.
Contains public sector information licensed under the Open Government Licence v3.0. http://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/