NWOS Patient Privacy Notice
Version date: 29 October 2019
NWOS is committed to respecting and protecting your privacy. Therefore, we want to be fully transparent about the ways we will use information we collect about you.
This privacy notice only applies to NWOS patients. If you work for an organisation which has a commercial relationship with NWOS or are a healthcare provider or other member of the public please see here for the privacy notice which applies to you. Employees of NWOS can find our colleague privacy notice on the intranet.
1. Important information and who we are:
OTC Direct Limited, trading as ‘NWOS’, is the ‘data controller’ and is responsible for personal data collected in the course of providing our services to you.
If you have any questions about this privacy notice or our data protection practices please contact email@example.com.
2. What information will we collect and hold about you?
NWOS may receive the following information from your Pharmacy:
- Your name;
- Your address;
- Your date of birth;
- Details of your prescribed surgical appliances;
- The name of your GP or prescriber;
- Measurements & Information required for customised items.
- Your NHS number.
3. Why does NWOS collect and use this information?
We collect and use this information in order to:
- Provide and dispense the surgical appliances that you have requested from our pharmacy partners;
- Monitor the quality of our service and comply with our regulatory obligations (including our obligation to maintain patient records and report adverse events);
- Demonstrate to the NHS and regulatory authorities that we are complying with Industry standards and obligations;
- Administer our business.
We will do these things on the basis that there is a legitimate interest to do so and/or because of a legal obligation that we are subject to.
4. What are the key groups we might share this information with?
We may need to share your personal data with regulatory bodies such as The NHS Business Service Authority in response to an audit, inspection or formal request for information.
We may share information with the manufacturer of a surgical appliance if an adverse Event is reported or where customisation of your prescribed appliance is required.
We may give other companies within the Alliance Healthcare corporate group and third party service providers who provide services to us (for example, finance, HR and IT services) access to your data in order to provide us with those services.
We always take appropriate steps to ensure that your data is adequately protected (including having appropriate contracts in place) and that access is restricted to individuals who genuinely need it to provide the relevant services to NWOS.
5. For how long does NWOS keep your information?
NWOS will only keep your personal data as long as this is necessary to fulfil the purposes we collected it for and in order to comply with any legal, tax, regulatory, accounting or reporting requirements.
To determine the appropriate retention period for personal data, we consider: the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data, and whether we can achieve those purposes through other means, and any legal obligations to keep data for minimum periods of time.
The period for which we keep your data will depend on the nature of the treatment that you receive and the type of the data. Customisation records will be held for 2 years post your final interaction for customisation. Records of surgical appliances dispensed will be held for a minimum of 8 years.
We may retain your personal data longer than our default retention period if there is a good reason for doing so. For example, if you have made a complaint or we reasonably believe that there is a chance of legal action being taken against us in relation to the services we have provided to you, then we will retain the relevant data beyond the retention period until such complaint or legal action is conclusively resolved.
If you would like more information about our retention periods for a specific category of personal data which we process about you, please contact firstname.lastname@example.org.
6. International transfers
Some of the service providers that we use and which process your personal data on our behalf may access your personal data from outside of the European Economic Area.
Where we work with a third party processing data outside of the European Economic Area (EEA), we are conscious that the laws of other countries may not provide the same level of protection for your data as the laws of the UK and the EEA. Therefore, when working with these service providers, we ensure that your data is appropriately protected by ensuring that one of the following measures is in place:
- (a) the country where the processing is occurring has been deemed to have a legal system which provides adequate levels of protection for personal data by the European Commission.
- (b) specific contracts approved by the UK or European Commission which ensure that your data has the same protection as it has in Europe.
- (c) where the service provider processes data in the US, the service provider is part of the Privacy Shield (which requires them to provide a certain standard of protection for personal data shared between Europe and the US).
Please contact email@example.com if you would like further information on the specific measures we use when transferring your personal data outside of the EEA.
7. Your rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data:
Request access to your personal data (commonly known as a subject access request). You can request a copy of the personal data we hold about you, to check that we are lawfully processing it.
Request correction of the personal data that we hold about you. You can ask for any incomplete or inaccurate data we hold about you to be corrected. We may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. You can ask us to delete or remove personal data where there is no good reason for us continuing to process it. Note that we may not always be able to comply with your request if there is a lawful reason for us to continue to process it. If this is the case, we will notify you of this when responding to your request.
Object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you believe that the impact on your fundamental rights and freedoms outweighs that legitimate interest. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data if: (a) you want us to establish the data’s accuracy; (b) our use of the data is unlawful but you do not want us to erase it; (c) you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Withdraw consent. You can withdraw your consent to processing at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.
Complain to the ICO. Although we hope it never comes to this, you do have the right to complain to the ICO about any of Homecare processing activities at firstname.lastname@example.org
If you wish to exercise any of these rights, please contact email@example.com.
8. Changes to this Privacy Notice