Privacy & Data Protection (updated for GDPR)
The information that we collect and hold
If you are a customer we only collect and hold information about you which you give to us.
When you apply for one of our services, the information that you supply is stored on secure UK servers in a data centre which is ISO 27001 certified and of Tier 3 standard.
Your personal information (name, address, email) is held and used in accordance with the General Data Protection Regulation (GDPR). We use this data to deliver the service that you have purchased from us.
We will contact you regarding any survey that you have purchased from us. Once complete, we may contact you about repeating this survey (or a related one).
We do not contact you about any of our services unless you are an existing, registered customer.
When we remove personal information
- Whenever you ask us to.
- When it is no longer needed to fulfil our services to you (see below ‘How long do we hold your personal information for?’).
- When our Data Controller requests that we delete it.
How long do we hold your personal information for?
- If you are a customer
It depends on how long you need it for. We only hold personal information (name, contact details and other non-sensitive details) where necessary. For example, when you repeat a survey with us, we provide previous scores from earlier survey(s). We therefore hold your personal data according to survey cycle durations.
(If you request that we remove your personal data from our database and records we will do so immediately).
- If you contact us
We keep a record of the correspondence for as long as the correspondence is active or for 3 months (whichever is shorter). Securely archived emails are kept for up to 4 years.
Email and information-sharing with you
We do not email (send or receive) sensitive data.
We use Microsoft Exchange (Office 365), which is cloud-based and stored in ISO 27001 certified UK centres. For any personal data (we receive names and addresses and/or email addresses and telephone numbers) we offer TLS encryption (compatible with NHS Mail).
We also offer a secure email alternative using an on-site Secure File Transfer Protocol and we have plenty of experience in helping and talking you through how to use this.
Survey Data Protection
- Anonymous surveys
Most patient feedback is collected anonymously and therefore unaffected by the GDPR.
The following NHS Code of Practice statements are therefore adhered to:
- Patients are made aware that the information they give will be used, and what it will be used for.
- Patients are aware that they have a choice as to whether or not they give information.
The survey material and guidance we supply allows for these patient requirements to be met.
The questionnaires do not identify any patient. If a patient has written a comment on the questionnaire which may identify them, this comment is either excluded or anonymised by trained CFEP processors.
- Postal surveys
CFEP receives patients’ personal information (name and address) as part of its role as data processor. We are permitted to receive this information because it is considered to be Special Category Data*. The organisation which requested the collection of patient feedback is the data controller.
CFEP does not receive any sensitive personal data.
Survey feedback provided by the patient (completed questionnaires) received in the post will be processed in a way that ensures patient anonymity. Patient feedback and patient personal data will never be seen together by CFEP staff.
Patient personal information is received securely and held in local files and deleted 7 days following its final use.
All maintenance and deletion of personal data will be under the control of our Data Protection Officer and in accordance with strict guidelines.
In writing comments on the questionnaire, patients may include information about their health. We are able to process this information because it is considered to be Special Category Data*.
Patients are given at least 2 simple ways of removing themselves and their personal details from surveys.
Data Protection of your colleague feedback (MSF / 360)
When the process of compiling Colleague Feedback is complete, colleague personal data (email addresses) are pseudonymised so that feedback can be held in a way that ensures colleague anonymity.
Colleague feedback is reported back to the applicant. We only share reports with those third parties requested by the applicant. These third parties are given access to reports in order for the applicant to meet the obligations and principles of revalidation and appraisal (for example, reports can be supplied to an appraiser or supporting medical colleague).
The only other circumstance in which we would share a report with a third party is if we were legally obliged to do so.
General Privacy and Security
CFEP has ISO 27001 information security and ISO 9001 data quality certification.
No personal information is used or kept by CFEP for the secondary purpose of audit or service evaluation. Anonymous survey data are held to contribute to aggregate data used as part of a wider analysis of overall trends and benchmarks. Analysis is at a ‘high’ level of (for example) region or type of clinical service.
In order to adhere to the GDPR, no personal details (name, email address, postal address, phone number – business details included) will be exchanged between CFEP and any other party without explicit permission being sought and received from that data subject. The only exceptions are where we have a legal obligation to do so, or where CFEP UK Surveys is acquired (fully or in part) by a third party and existing systems are transferred**.
Personal data is not transferred to a country or territory outside the European Economic Area without the express permission or request of the data subject, or in the data subject’s vital interests, or unless necessary for legal reasons.
There are no automated decisions made by us with respect to your personal data.
There are rare occasions where a patient may specifically ask that an issue is addressed to a general practice or other organisation (for example, where a patient sends an email or letter to CFEP). Where this is the case, if appropriate we ask the patient for consent in order for the information in the letter to be forwarded. The patient correspondence is then deleted or shredded.
CFEP will report any data breaches to the Information Commissioner’s Office within 72 hours.
CFEP is obliged to keep any information it receives confidential at all times and is required to comply with the GDPR, Data Protection Act 1998 and the common law duty of confidence. This applies to any members of CFEP staff who have access to patient information.
All members of staff sign a confidentiality agreement and are bound by this agreement under their Terms of Employment.
Once entered or scanned, all paper questionnaires are destroyed by secure means (shredding).
All data (survey results) are generated within the CFEP office only.
Very confidential information comes under a single management resource, whereby only one member of staff may release information to a customer.
You can find out what information we hold about you, and ask us not to use any of the information we collect. You can contact us by email: firstname.lastname@example.org or 01392 927 005.
You have the right to withdraw your consent at any time, and can delete your account (and any data we hold about you) using the built-in tools on the site. You can also request a copy of any and all data that we hold about you. You also have the right to lodge a complaint with the Information Commissioner’s Office if you feel that your rights have not been upheld.
Where you have given consent for us to use your personal information, you can withdraw that consent at any time.
If at any point you believe the personal information we hold on you is incorrect, you want us to correct or delete that information, or you no longer want us to hold that information or contact you, you can exercise your rights under law. These rights include:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
For more information about your personal data rights please visit the Information Commissioner’s Office website at: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/individuals-rights/
Changes to this Policy
CFEP UK Surveys Ltd reserves the right to change this Policy as we may deem necessary from time to time or as may be required by law. Any changes will be immediately posted on the Web.
* The Special Category Data we obtain from the survey and questionnaire is deemed to come under Article 9 (1) (2) (h) of the General Data Protection Regulation 2018
** In the event that any Data submitted by Users will be transferred in such a manner, you will be contacted in advance and informed of the changes. When contacted you will be given the choice to have your Data deleted or withheld from the new owner or controller.