Privacy Notice for Cegedim Rx Ltd
Pharmacy Manager Product Suite
Content
- Introduction
- Who We Are
- Definitions
- Purpose of this Privacy Notice
- Our Contact Details
- Changes to this Privacy Notice
- Third-Party Links
- The Purposes for Processing Personal Data
- Types of Personal Data Processed
- Why we Process Personal Data
- How we Collect the Personal Data
- How do we protect personal data?
- How long will we keep the personal data?
- International Transfers
- Data Sharing
- Data Protection Rights
- Cookies
- How to Complain
1. Introduction
Welcome to Cegedim Rx’s Pharmacy Manager Product Suite Privacy Notice.
Cegedim Rx respects privacy and is committed to protecting personal data. This privacy notice advises how we look after personal data collected through any of our applications, including internet based applications (regardless of how they are accessed), and provides information regarding privacy rights and how the law protects them. This privacy notice is designed to comply with the requirements of the Data Protection Legislation. ‘Data Controller’, ‘Data Processor’ and ‘Data Subject(s)’ have the meanings given to them in UK Data Protection Legislation which for the purposes of this Privacy Notice shall mean the UK General Data Protection Regulation and Data Protection Act 2018, together with guidance and codes of practice issued by the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection.
2. Who We Are
Cegedim Rx Limited (trading as Cegedim Healthcare Solutions) is referred to as ‘Cegedim, We, Us or Our’ throughout this notice. In the delivery of the Pharmacy Manager Product Suite, Cegedim Rx are the Data Processors as we process personal and special category (sensitive) data on behalf of our customers as part of the contracted services we provide to them.
Our customers are those who wish to utilise the Pharmacy Manager Product Suite services (such as pharmacists and pharmacies) who are described as the ‘Data Controllers’.
Patients and the employees of our customers are the Data Subject(s). We have appointed a Data Protection Officer (DPO) who is responsible for writing this privacy notice as well as overseeing any related queries or questions. If there are any questions about this privacy notice, including any requests to exercise legal rights, please contact the DPO using the details below.
3. Definitions
- Data Controllers: Are the main decision-makers. They exercise overall control over the purposes and means of processing personal data.
- Data Processors: Act on behalf of, and only on the instructions of, the relevant Data Controller.
- Data Subjects: The identified or identifiable living individual to whom the personal data relates.
- Data Protection Officer: Under the GDPR, some organisations need to appoint a Data Protection Officer (DPO) who is responsible for informing them of and advising them about their data protection obligations and monitoring their compliance with them.
- Cookies: Small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.
- Personal Data: Any information about a living individual that could lead to their identification.
- Processing: In relation to personal data, means any operation or set of operations which is performed on personal data or on sets of personal data (whether or not by automated means, such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction).
- Special Category Data: The UK GDPR singles out some types of personal data as likely to be more sensitive, and gives them extra protection. These are racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (where used for identification purposes), health, sex life and sexual orientation.
5. Our Contact Details
- Full name of legal entity: Cegedim Rx Limited – company number 02855109
- Name of DPO: Justine Wright
- Email address: DPO@cegedimrx.co.uk
- Postal address: Building 2, Buckshaw Station Approach, Buckshaw Village, Chorley. PR7 7NR
- ICO Reference: Z4925208
7. Third-Party Links
The Pharmacy Manager Product Suite may include links to 3rd party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data. Cegedim do not control these 3rd party websites and are not responsible for their privacy notices. When you leave our website or service, we encourage you to read the privacy notice of every website that’s visited.
8. The Purposes for Processing Personal Data
It is necessary for us to process personal data to support the administration and delivery of a healthcare service via the use of our Pharmacy Manager Product Suite. These include but are not limited to:
- The provision of dispensed medication and delivery of clinical services and advice to patients.
- Recording clinical events both within the pharmacy system and the patient’s GP record (via NHS England GP Connect facility – see below for more details).
- Research and analysis (all identifiable data is anonymised at source).
- Financial, operational, clinical management and administration of pharmacies.
NHS England GP Connect is a facility that supports the delivery of direct patient care by making relevant clinical information available to authorised clinicians such as GPs, NHS 111 clinicians, hospital and Social Care clinicians when and where they need it. These clinicians are able to access the GP records of the patients they are treating via this secure digital service, leading to improvements in both care and outcomes. For further information about GP Connect please visit the NHS website: https://digital.nhs.uk/services/gp-connect
9. Types of Personal Data Processed
The types of personal data we process include:
- Patients’ full name, address, email address and NHS numbers.
- The personal details of a carer or family member, such as the next-of-kin.
- Patients’ pharmaceutical dispensing history.
- Clinical services delivered via pharmacy services such as vaccinations and contraception.
- Details of the services accessed or offered by other healthcare providers.
- Employment or occupational details, what the person does for a living.
- Lifestyle and social circumstances, such as if the person smokes, drinks, etc.
- Responses to healthcare surveys.
- System Users’ (employees) full name, email address, job title and GPHC registration number required to create user login accounts.
We may also process special category personal data that may include:
- Racial/ethnic origin.
- Religious or similar beliefs.
- Physical or mental health details.
- Sexual orientation or sexual health.
It is important that personal data is kept accurate and up-to-date, therefore, we encourage Customers to take reasonable measures to ensure patients are reminded to check their current personal details for accuracy when appropriate to do so.
10. Why we Process Personal Data
Detailed in the table below are the reasons for the processing activities, the types of personal data being processed and the legal basis for doing so.
Note: The legal basis behind each processing activity can differ depending upon the specific purpose.
| Purpose / Activity | Type of Personal Data | GDPR/DPA Lawful Basis |
|---|---|---|
| To enable a clinician to safely provide a service, including dispensing of medication | | Article 6 (1)(e) – Public Task: the processing is necessary to perform a task in the public interest or for official functions, and that task or function has a clear basis in law. Article 9 (2)(h) – Health or Social Care: necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services. Schedule 1 of the DPA 2018: For the provision of direct care the relevant condition is ‘Health or social care purposes’ (Schedule 1, Part 1 (2)). |
| To facilitate medication status updates, scheduling of services/appointments, medication follow up (including drug recall) | | Article 6 (1)(e) – Public task; Article 9 (2)(h) – Health or Social Care; DPA Schedule 1, Part 1 (2) |
| Identification and validation of a patient within NHS and supporting systems via Patient Demographic Service (NHS Number lookup) and/or Real Time Exemption Checking | | Article 6 (1)(e) – Public task; Article 9 (2)(h) – Health or Social Care; DPA Schedule 1, Part 1 (2) |
| Clinical decision making to support dispensing of medication, referral to an appropriate alternative healthcare provider, administering a service, e.g. new medicine review | | Article 6 (1)(e) – Public task; Article 9 (2)(h) – Health or Social Care; DPA Schedule 1, Part 1 (2) |
| Research and/or analytics, e.g. to understand uptake of a service by a minority group | | Article 6 (1)(f) – Legitimate Interests; Article 9 (2)(h) – Archiving, research and statistics; DPA Schedule 1, Part 1 (4) |
A wide range of interests may be deemed to be Legitimate Interests, be they our own interests, the interests of a third party or commercial interests, as well as wider societal benefits. Therefore, we must balance our interests against an individual’s interests. In particular, if the individual would not reasonably expect us to use their data in that way, or it would cause them unwarranted harm, their interests are likely to override ours.
However, these interests do not always have to align; if there is conflict, our interests can still prevail as long as we have a clear justification for the impact on the individual.
11. How we Collect the Personal Data
We obtain personal data via the following methods:
- Data manually entered by a healthcare professional authorised by the Data Controller during the provision or delivery of clinical services to a patient, including the dispensing of medication, and/or
- Data extracted from an integrated product/ product component within the Pharmacy Manager Product Suite, e.g. Pharmacy Manager patient dispensing history presented within Pharmacy Services during delivery of a clinical service, and/or
- Patient Demographic Service (NHS number look-up service) and/or Real Time Exemption Checking.
- Data extracted from another NHS integration route, e.g. GP Connect Access Record presenting patient data held within the patient’s GP record into the Pharmacy Manager Product Suite.
12. How do we protect personal data?
We take our responsibilities to protect personal data and uphold confidentiality extremely seriously. We are committed to protecting personal data against unauthorised or unlawful processing, accidental loss, destruction or damage, using appropriate technical and organisational measures in line with UK GDPR, the Data Protection Act and Computer Use Act and in accordance with the Common Law Duty of Confidentiality.
Cegedim (Rx) Healthcare Solutions are an ISO 27001 Information Security and Cyber Essentials Plus accredited company.
13. How long will we keep the personal data?
We will only retain information for as long as necessary. Records are maintained in line with the NHS England and NHSX retention schedule which determines the length of time records should be kept. This can be found here: https://www.nhsx.nhs.uk/information-governance/guidance/records-management-code/
14. International Transfers
Your personal data is only processed by companies within the Cegedim group, which involves electronic transfer to the Cegedim Cloud which is hosted in France. All transferred data is afforded the same level of protection as it is in the UK by ensuring that the receiving country, i.e. France, has been deemed to provide an adequate level of protection (known as the EU GDPR adequacy decision – see here for further information: https://ico.org.uk/for-organisations/data-protection-and-the-eu/data-protection-and-the-eu-in-detail/the-uk-gdpr/international-data-transfers/). Please contact us if you want further information on the specific mechanism used by us when transferring personal data out of the UK.
We do not transfer personal data in an identifiable format outside the European Economic Area. Only anonymised data is shared with our contracted third party resources for essential software development and testing purposes. UK GDPR does not apply to anonymised data – see here for further information: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/personal-information-what-is-it/what-is-personal-data/what-is-personal-data/#pd5
15. Data Sharing
In connection with the services that we deliver and the contract(s) in place between us and our customer(s), we may share personal data with the following third parties.
- Internal Third Parties including:
  - Other companies in the Cegedim Group who are based in the UK or France and provide IT and system administration services and undertake leadership reporting.
- External Third Parties including:
  - Healthcare providers who provide healthcare or pharmaceutical related services, including providing access to consolidated patient records across a multi-site healthcare service provider.
  - Healthcare payment intermediaries acting as processors who manage payments and reimbursement to NHS entities or non-NHS providers in relation to healthcare products or services being provided.
  - Service providers based in the UK who provide IT and System Administration services.
  - Relevant NHS services, e.g. NHS 111 service, etc., and
  - NHS Patient Demographic Service.
- We share electronic prescriptions data with NHS England who operate the Electronic Prescriptions Service (EPS). For more information, see the Electronic Prescription Service in England Transparency Notice.
We require all third parties to respect the security of personal data and to treat it in accordance with the law. No third-party service providers are permitted to process the data we provide to them for anything other than the specifically stated purposes required to provide the pharmacy healthcare service. All such services are engaged with contracts and full terms and conditions that stipulate exactly what service provisions are required.
16. Data Protection Rights
Under data protection laws, Data Subjects have the following rights (unless a valid exemption applies):
- Right of Access – the right to receive a copy of your personal data.
- Right to Rectification – the right to rectify inaccurate personal information and complete information that’s considered incomplete.
- Right to Erasure – the right to have personal information erased in certain circumstances.
- Right to Restriction of Processing – the right to restrict the processing of personal information in certain circumstances.
- Right to Object to Processing – the right to object to the processing of personal information in certain circumstances.
- Right to Data Portability – the right to ask that the personal information provided is transferred to another organisation, or to you, in certain circumstances.
Where Cegedim are the Data Processors, subjects are advised to make such requests directly to the Data Controllers (Pharmacy/Pharmacist or GP).
17. Cookies
We use essential cookies to authenticate users and prevent fraudulent use of user accounts. Customers who use our web based products may be subject to analytical cookies which help our Product Development teams track and understand user interactions. This in turn helps to inform our approach to development, which ultimately improves the user’s experience.
This information is processed in a way which does not lead to the identification of any data subjects or users.
18. How to Complain
If you have any concerns about our use of your personal information, you can make a complaint to us via the DPO, as detailed in Section 4.
You can also complain to the Information Commissioner’s Office (ICO) if you are unhappy with any aspect of this notice or data processing activities. However, we would welcome the opportunity to discuss your concerns with you first, so we may investigate and deal with your complaint in an efficient and transparent manner.
You can contact the ICO either in writing at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Or call them via their helpline number: 0303 123 1113
Further contact details and more information can be sourced from their website: https://www.ico.org.uk