Fair Collection/Privacy Notice
General Data Protection Regulations 2018 and the Data Protection Act 2018
Data Controller - Festival Medical Services
This notice provides you with information about how we use and manage the personal data we hold about you, including how we share it and how we maintain confidentiality.
What is personal data?
Personal data is information about a living, identifiable individual. Therefore, your personal data is any information that can be attributed to you personally, including your name, weight, height, date of birth, health conditions and treatments you receive. So long as you can be identified from that information, it becomes your personal data.
Organisations that use personal data must do so in line with the provisions of the General Data Protection Regulations 2018 and Data Protection Act 2018. The legislation applies to personal data held in both electronic and physical media.
Examples of the types of personal data that the charity uses are:
Name, address, date of birth and next of kin
Contact information i.e. telephone number
Contacts we have had with you such as clinic visits
Details of diagnosis and treatment
Religious or other beliefs of a similar nature
Offences, criminal proceedings, outcomes and sentences.
Family, lifestyle and social circumstances
Education and training details
Goods and services
We also process sensitive classes of information that may include:
Physical or mental health details
Racial or ethnic origin
Religious or other beliefs of a similar nature
We process personal information about:
advisers and representatives of other organisations
Why we collect information about you
We process personal information to enable us to provide a voluntary service for the benefit of the public in a particular geographical area as specified in our constitution; administer membership records; to fundraise and promote the interests of the charity; manage our employees and volunteers; maintain our own accounts and records.
We may need to keep records about the health care and treatment you receive as one of our patients. This helps to ensure that you receive the best possible care from us and that full information is readily available if you see another doctor, or are referred to a specialist or the NHS.
We may use personal data for the following purposes:
To prepare statistics on performance
To audit services
To monitor funding and expenses
To plan and manage services
To teach and train volunteers
To provide emergency care
This helps you because
Accurate and up to date information assists us in providing patients with the right care;
Full information is readily available if you see another doctor or are referred to a specialist or the NHS;
Accurate and up to date information assists us in providing volunteers with the information and training required to carry out their role in the charity.
General Data Protection Regulations 2018 / Data Protection Act 2018
All of the personal data that we collect and use is handled in accordance with current Data Protection legislation.
Organisations that process personal data must register as a 'Data Controller', and notify the Information Commissioner (ICO) why they need to process the data.
Festival Medical Services is the Data Controller (registration number Z2634259) of personal information that is collected by the charity.
Full details of all the purposes for which data may be used are listed at the ICO website:
Legal Bases for Processing
To collect identifiable data about service users that we are responsible for.
Personal confidential data describes personal information about identified or identifiable individuals, which should be kept private or secret and includes deceased as well as living people.
Processing is necessary for the performance of a contract which the patient has taken steps to enter into, and is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or management of social care systems and services.
Employment / Volunteers
To collect identifiable data about employees that we are responsible for. Data collected includes, but is not limited to the following:
Education, training and development
Information and database administration
Business management and planning
Accounting and auditing
Criminal prosecution and prevention / Fraud
By signing your contract/volunteer agreement with FMS, you consent to us holding and processing any information about you which you provide to us, or which we may acquire as a result of employment or volunteering. These include circumstances where the processing is necessary for the performance of contracts with us or for compliance with any legal obligations which apply to us as your employer.
To provide information in order to fulfil a contractual obligation with a third party for supply of services by the Charity.
Processing is necessary for the performance of a contract for supply of services and is necessary for carrying out obligations under employment.
To provide information in order to fulfil a contractual obligation with a third party for supply of services by the Charity.
Processing is necessary for the performance of a contract for supply of services and is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or management of social care systems and services.
To collect personal information about you when you make a donation to us for the purpose of reclaiming Gift Aid.
We will only process your personal data where we have your explicit consent.
To inform you of AGMs, to distribute membership newsletters and general FMS updates
The organisation has a responsibility to keep you informed about the charity, events and changes to the membership agreements.
To support evaluation of services to assist with monitoring and service planning.
Evaluation of tasks carried out in the exercise of official authority by the controller for the reasons of public health, to ensure high standards of healthcare and for the legitimate interests of the controller to provide the best possible services.
CCTV cameras are installed at FMS headquarters for the purpose of security.
This is for the purposes of public safety and crime prevention / detection. In all locations, signs are displayed notifying that CCTV is in operation and providing details of whom to contact for further information about the scheme.
We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns.
Because of public interest issues, e.g. to protect the safety and welfare of vulnerable children and adults, we will rely on a statutory basis rather than consent to process information for this use.
To process your personal information if it relates to a complaint where you have asked for our help or involvement.
We will need to rely on your explicit consent to undertake such activities.
Complaint Processing Activities
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will only use the personal information we collect to process the complaint and to check on the level of service being provided.
We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute.
If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaint files in line with the FMS retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
Who do we share personal data with?
We sometimes need to share the personal information we process with the individual themselves and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act 2018 (DPA).
We will always endeavour to share the minimum amount of personal data required, even anonymising data where possible. However, there will be some instances where personal data will need to be shared with other organisations for the purposes of caring for a patient. In such instances we will need to ensure that the information shared is adequate so that the patient is properly cared for.
We may share personal data with the following organisations for the purposes of delivering or improving healthcare, or where there is a legal requirement for us to do so:
General practitioners (GPs)
NHS common services agencies such as primary care agencies
family, associates or representatives of the person whose personal data we are processing
current, past and prospective employers
healthcare, social and welfare organisations
educators and examining bodies
employment and recruitment agencies
survey or research organisations
business associates and professional advisers
providers of goods and services
local and central government
other voluntary and charitable organisations
How long do we retain your records?
All our records are destroyed in accordance with the FMS Retention Policy, which sets out the appropriate length of time each type of record is retained. We do not keep your records for longer than necessary.
All records are destroyed confidentially once their retention period has been met, and the charity has made the decision that the records are no longer required.
How do we keep your personal data safe and secure?
We are committed to securing your personal information from unauthorised access, use or disclosure. We secure the personal data you provide on computer servers in a controlled and secure environment. We also train our volunteers and have policies and procedures in place so that everyone volunteering for the charity is aware of the high standards we expect them to adhere to when handling your personal data.
Information provided in confidence will only be used for the purposes advised and with the consent given by the individual to whom the information relates, unless there are other circumstances covered by the law.
Under the Data Protection Policy and Volunteer Agreement, all our members are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. This will be noted in your records.
For your benefit, we may also need to share information from your health records with non-NHS organisations, from which you are also receiving care, such as social services or private healthcare organisations. This information is only routinely shared with data processors with whom we have written contracts to undertake work for us. These organisations are not allowed to use the data for their own purposes.
Where there is no written contract we will not disclose any health information to third parties without your explicit consent, unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires it.
Where personal information is shared with other organisations, an Information Sharing Agreement is drawn up to ensure information is shared in a way that complies with relevant legislation.
These organisations may include, but are not restricted to: NHS organisations, social services, the Police, voluntary sector providers and private sector providers.
CCTV - Crime Prevention and / or Staff Monitoring
CCTV is used for maintaining the security of property and premises and for preventing and investigating crime; it may also be used to monitor staff when carrying out work duties. For these reasons the information processed may include visual images, personal appearance and behaviours. This information may be about staff, customers and clients, offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance. Where necessary or required this information is shared with the data subjects themselves, employees and agents, service providers, police forces, security organisations and persons making an enquiry.
It may sometimes be necessary to transfer personal information overseas. Any transfers made will be in full compliance with all aspects of the Data Protection Act 2018.
We do not sell, rent or lease customer or member lists to third parties. From time to time we may contact you on behalf of external business partners about a particular offering that may be of interest to you. If you do not wish to receive this information please contact the Information Governance Manager.
In those cases, your unique personally identifiable information (e-mail, name, address, telephone number) is not transferred to the third party. In addition, we may share data with trusted partners to help us perform statistical analysis, send you email, postal mail and/or appointment reminders, provide customer support or arrange for deliveries. All such third parties are prohibited from using your personal information except to provide these services to the Charity, and they are required to maintain the confidentiality of your information.
Festival Medical Services uses the following third party organisations/providers to assist in the delivery of IT services:
FMS Members Database
Festival Medical Services will not contact you directly for marketing purposes unless there has been a clear opt in process for the purpose of research and customer surveys.
As a member the organisation has a responsibility to keep you informed about the charity, events and changes to the membership agreements.
FMS store the name and email address of donors for the purpose of claiming Gift Aid. This information is shared with HMRC for that purpose. To raise funds FMS uses the following services:
Give as you live
Can I see my information?
Under the General Data Protection Regulations 2018 and Data Protection Act 2018 a person may request access to information (with some exemptions) that is held about them by an organisation.
This is known as the Right of Subject Access.
Data Subject Rights
The right to be informed
Individuals have the right to be informed about the collection and use of their personal data.
The right to access records – Data Subject Access Request (DSAR)
Any individual can request to see all the data that FMS holds about them or someone they have a legal responsibility for. Requests must be received in writing and responded to within 20 working days in line with the DSAR Procedure.
The right to request rectification – the correction of incorrect information
If a data subject identifies that information we hold about them is incorrect, FMS must investigate and, if the law allows, correct the error. However, in many cases FMS will be required to keep the old record by law and will instead append a note to the record advising of the suggested correction.
The right to request erasure / deletion of their records (right to be forgotten)
A data subject can request that we delete records we hold about them. However, in many cases FMS will be required to keep the record by law and will instead append a note to the record advising that the request was made but declined.
The right to restriction – restricting the processing of personal data
When a data subject requests that we rectify or delete records we hold about them we are obliged to cease processing the record. However, in many cases FMS will be required to continue processing the record by law and will instead append a note to the record advising that the request was made but declined.
The right to portability
A data subject can request that we transfer their personal data records to another data controller in a machine-readable form. Note: this only applies to electronic records.
The right to object to automated decision making & profiling
A data subject should not be subject to automated decision making unless authorised by UK law or FMS has explicit consent. As FMS does not in general use profiling or automated decision making.
The right to complain to the Information Commissioner’s Office
If a data subject has cause for complaint about how their personal data has been processed by the FMS or one of our partners / contractors they must be advised of their right to complain to the Information Commissioner’s Office (ICO). FMS must provide them with full contact details for the ICO.
A data subject can object to FMS processing their personal data and we could be obliged to do this. However, in the majority of cases FMS will be required to continue processing the record by law and will instead append a note to the record advising that the request was made but declined.
If you require access to your records you must make a written request to:
Festival Medical Services can only provide access to information it holds.
Raising a concern
If you have a concern about any aspect of your information, care or treatment or about the way your records have been managed, please contact:
The Data Protection Officer
Additionally, you have a right to complain to the Information Commissioner if ever you are unsatisfied with the way the Charity has handled or shared your personal information:
Information Commissioner's Office
Cheshire SK9 5AF
Tel: 0303 123 1113 (or 01625 545745 or 44 1625 545745 if calling from overseas)
Fax: 01625 524510
Changes to this Statement
Festival Medical Services will occasionally update this Statement of Privacy to reflect company and customer feedback. Festival Medical Services encourages you to periodically review this Statement to be informed of how Festival Medical Services is protecting your information.
To learn more about how we use, manage and maintain confidentiality of your information, please speak to the health professionals concerned with your care, or contact:
Information Governance Manager
Festival Medical Services