DR D PAVIOUR AND GDPR COMPLIANCE
Consultants, as data controllers, are required to maintain an up to date, written data inventory.
WHAT THE DATA INVENTORY COVERS:
1. The types of data I store
a. Identifiable clinic letters and medical records relating to adults I have consulted with in relation to neurological clinical care and prior medical history.
b. Identifiable clinical and medico-legal documentation relating to Civil and Criminal medico-legal expert reports I have provided.
2. Why I store it
a. This information is stored in order for me to provide ongoing clinical care to the patients I consult with and in order to complete medico-legal reports to assist the Court in civil and criminal cases in which I have been instructed to act as an expert witness.
3. Where and how the data types are stored e.g. on paper, electronically, email, clouds or other systems
a. The information is usually initially documented on paper then scanned and uploaded to a password protected cloud-based server for which Dr Paviour has sole access.
b. Once uploaded the paper records are either confidentially disposed of at the medical facility (their responsibility) or for medico-legal case files, stored securely in a locked area to which only Dr Paviour has access.
c. Dr Paviour may email data to his practice management company as a password protected document using an email client with end to end encryption. They have their own GDPR policy for data protection and are separately registered with the ICO.
d. Emails from your personal email to drpaviour.com may not be encrypted by your provider.
4. How the data and storage devices are secured.
a. Dr Paviour uses a handheld device which is touch ID/numerical pin protected to scan clinical documents in clinic.
b. The pdf files are uploaded to a GDPR compliant password protected cloud-based server which is confirmed as GDPR compliant (Dropbox for Business).
c. The files are accessed by Dr Paviour either via the web-portal provided by his practice management company (PHF.uk.com) or by logging on securely to the cloud-based server via a personal device (handheld, tablet, laptop).
RECORD OF PROCESSING
Consultants, as data controllers, are required to maintain an up to date record of data processing:
1. How and why data is collected and processed (include third parties who receive patient data to process on your behalf).
a. The data is collected in written format and documented in paper or electronic format (pdf) by Dr Paviour and may be sent on to Dr Paviour’s practice management staff using a secure email account. Other third parties may include: a separately employed medical secretary, Private or NHS medical professionals (GPs and other clinicians), Solicitors (in medicolegal cases), transcription services and billing companies (via PHF, Dr Paviour’s practice management company).
Consultants as data controllers are required to provide patients with a notice that sets out how their data is collected and used.
This is called a Privacy Notice (PN) or a Fair Processing Notice.
1. What information is being collected?
a. Typically, Dr Paviour will record your name, date of birth, address, details of other individuals involved in your care, telephone number, hospital record and NHS number, email address, age, employment status and clinical information related to your current and past medical problems.
2. Who is collecting it?
a. Dr Paviour as a Clinician involved in your care will collect and store this information.
3. How is it collected?
a. The information is recorded as a written document (medical record).
4. Why is it being collected?
a. It is collected in order to provide a contemporary record of your medical care should it need to be referred to in the future in order to ensure good clinical care.
5. How will it be used?
a. It will be used as part of your medical record with Dr Paviour and as a means of managing your medical condition as part of the medical record.
6. Who will it be shared with?
a. For clinical care, the information will be shared with your permission (implied for GP and other practitioner referrals) with the referring clinician and other clinicians involved in your care.
b. For medico-legal reports, the information recorded and Dr Paviour’s concluding opinion will be shared with your Solicitor and then with the court if the report is submitted as a Court document for evidence.
c. Dr Paviour does not routinely store or pass on data entered into his website nor personal data entered into the online billing portal (provided by PayPal) on his website, PayPal may however store this data in relation to their own GDPR policy.
7. What will be the effect of this on the individuals concerned?
a. The intended effect is to facilitate a high standard of clinical care or, in medicolegal cases, to assist the Court in reaching a decision or to assist in a Civil claim for damages. It is not thought that the intended use of this information is likely to cause individuals to object or complain.
St Anthony’s Hospital 801 London Road North Cheam Surrey
020 8337 6691
The New Malden Diagnostic Centre 171 Clarence Avenue
020 8942 6555
020 7079 4344
020 8971 8026
The Lister Hospital
Chelsea Bridge Road
020 7730 7733
Practice Manager: Gayle.firstname.lastname@example.org Tel: 020 7042 1850