OPC UK PRIVACY NOTICE
Last updated 13 July 2022
What this information is about
This privacy notice tells you how Optimum Patient Care Limited (OPC, we, us, our) collects, stores and uses your personal data when you contact us, use our website, or use one of our services. Personal data is information that can identify you. This notice explains what you should expect OPC to do with the personal data that we have collected from you where OPC is the controller of the personal data that we hold.
Further information about how we handle health data as a data processor for our quality improvement and research services (or OPC Services) can be found on our Data Transparency page.
To help you understand the information on this page, the types of data mentioned are defined below.
Personal data
This is information which relates to a living individual who can be identified either directly or indirectly from that information. Personal data contains information or identifiers that can identify the person the data relates to, e.g. name, date of birth, address, contact information, etc. OPC does not process data that can identify patients by name when providing the OPC Services (see further information on these services, below).
Pseudonymised or de-identified data
This is information which has had identifiers (information that will identify the person it relates to) such as name, date of birth, address, contact information, removed and replaced by a code or unique ID that cannot be traced back to the person the information relates to. The patient data OPC receives from GP practices is pseudonymised data as the name of each patient has been replaced with a unique ID (see further information about the OPC quality improvement services, below). This pseudonymised data is still considered personal data under the GDPR even though OPC cannot directly attribute the information received to a named individual. Only the GP practice can reverse the unique IDs back to the patient’s name.
Anonymised data
This is information which cannot identify or re-identify an individual (directly or indirectly), either on its own or when combined with other information. Anonymised data is not personal data. The research data that OPC provides for ethics approved research is anonymised data as it does not contain any information such as name, date of birth, address, contact information, etc., and any unique ID that was attributed to the data for use with the OPC quality improvement services is removed before its inclusion on the research databases (see further information on the OPCRD and OPCRD-NEXUS, below).
Who we are and what we do
OPC is a not-for-profit social enterprise that has provided free quality improvement and research support services to GP practices in the UK since 2005. We help practices with reports and activities to assist them in improving the care they provide for patients with chronic and public health conditions such as asthma, COPD and Covid-19, rare diseases and many more. We also help practices to take part in real-life research and clinical trials.
Read more about OPC and all the quality improvement and research support services we provide.
We also support researchers to carry out medical research using anonymised data from our research databases called Optimum Patient Care Research Database (OPCRD) and OPCRD-NEXUS. The fee paid by researchers to OPC for access to the anonymised research data is directly reinvested into OPC Services, which is vital for OPC to continue providing free quality improvement programmes and research support services to GP practices across the UK. Read more about OPCRD and how it helps medical research
Who we collect personal data from
We collect personal data from individuals when they use or request a service with us, complete a questionnaire or form, apply for employment with us, or contact us by email, telephone, in writing or in person.
We collect personal data about individuals when they provide or supply a service to us. This information is needed to manage the work we do with the supplier or service provider, such as contact details, agreements, and invoicing or payment details.
We may collect personal data from the public domain if permitted by law, for example, from registration and regulatory bodies.
We collect personal data as a processor in the form of pseudonymised data from GP practices who receive our quality improvement and research support services (or OPC Services). The data controller for these services is your GP practice, and you should refer to your GP practice if you have any queries. For further information on how we process personal data with regards to the OPC services as processor, please see our Data Transparency page.
Why we collect personal data (lawful basis)
OPC collects personal data as a data controller in order to run its business, provide services to users, and for our website to function correctly. It is in the legitimate interest of OPC to process personal data for the purposes explained above, and this processing should not impact on you negatively. This lawful basis is covered by:
GDPR Article 6(1)(f) Legitimate interests: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
There are other lawful bases that we rely on to collect or process personal data depending on the nature of the activity or service.
GDPR Article 6(1)(a) Consent: the data subject has given consent to the processing of his or her personal data for one or more specific purposes. For example if you request information from our website, or when you sign a consent form to take part in an OPC-supported study.
GDPR Article 6(1)(b) Contract: Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. For example contracts with our suppliers.
GDPR Article 6(1)(c) Legal obligation: Processing is necessary for compliance with a legal obligation to which the controller is subject. Such processing is necessary for OPC to comply with the law and regulatory requirements.
For our GP services, OPC is a data processor on behalf of participating GP practices who are the data controllers of the pseudonymised patient data they shared with OPC as part of receiving OPC Services. Each practice enters into a service, data processing and sharing agreement with OPC, which permits OPC to collect, pseudonymise and hold the data for providing OPC Services to the practice. As data controller, the GP practice is responsible for determining the lawful basis under which the processing of your personal data takes place and you should refer to further information on this in the applicable privacy notice the GP practice provides to patients. It is likely that the lawful basis for these activities is covered by one or more of the following lawful bases:
GDPR Article 6(1)(e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (being the GP practice).
GDPR Article 6(1)(e) and Article 9(2)(i): Medicines and medical device monitoring – processing of special category data (e.g. data concerning health) for public interest in the area of public health.
GDPR Article 6(1)(e) and Article 9(2)(j): Medical research and statistics – processing of special category data (e.g. data concerning health) for public interest and scientific research purposes.
OPC acts as data controller for the purposes of transferring data from the OPC Services to make it available for anonymised research purposes. This applies to the data OPC holds in OPCRD and OPCRD-NEXUS. The lawful basis for this is covered by:
GDPR Article 6(1)(f): Processing is necessary for the purposes of the legitimate interests pursued by the controller (being OPC) or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
GDPR Article 6(1)(e) and Article 9(2)(j): Medical research and statistics – processing of special category data (e.g. data concerning health) for public interest and scientific research purposes.
What personal data we collect
We collect only information that we need for a particular function, and only hold it for as long as it remains necessary for the purposes for which it was collected. We only use or disclose personal data for the purposes for which the individual gave it to us, or for directly related purposes the individual would expect, or other purposes if agreed with the individual.
Personal data collected from phone and email contact
We may collect personal data when individuals contact our services by phone or email. We use this information for administering our services and to correspond with service users.
Personal data collected from our suppliers
We collect information regarding contacts at our suppliers such as names, telephone numbers, email addresses, postal address in order to maintain the relationship and ensure the continued supply of services from those parties.
Personal data from curriculum vitae (CVs) and job applications
We collect information from you when you apply for a job with us or send us your CV. Please refer to the separate candidate privacy notice for further information in relation to how we use the personal data we collect.
Personal data collected on our website
We collect personal data when individuals visit our website, complete forms or questionnaires on our website, apply for employment with us via our website, or provide contact details through our website. The personal data we collect from users of this website will include the IP address you use to access this website, and the URLs of any of our web pages which you visit and the time of your visit. We use this information to respond to the user’s enquiry, or to provide a requested service or to make improvements to our website.
Our website cookies do not contain personal information about users. However, cookies can identify a user’s browser. The cookies transferred by our website are used for such things as capturing information about a user’s web browser, controlling a pop-up window or enabling login access to password protected areas of the website. The cookies have an expiration date set 24 months from the most recent website visit date.
We use a third-party service, Google Analytics, to collect information regarding visitor activity to the website. This is not used to identify the user as an individual but is collated into aggregate results or classifications. We do not make an attempt to find out the identities of the visitors to our website.
Personal data collected on our social media
We use a number of social media platforms, including Facebook, Twitter and LinkedIn to update and inform our service users and the public. Comments posted on our social media are open to the public. We may collect personal data from social media posts that are uploaded to these platforms.
Personal data from our events and educational activities
We collect personal data from individuals invited to, attending or participating in events and educational activities supported by OPC. We use this information to organise and run the events, and to support individuals attending or participating in the events. In some cases, information on the education or participation activity status of individuals may be disclosed to relevant institutions or accreditation bodies for the purpose of certifying completion or participation or for recording continuing professional development.
Personal data from images and photos
We will seek an individual’s consent prior to taking a video, photo or image, and using it. In some cases that consent may be implied, such as the taking of photos at events to be used in publications. If the video, photo or image contains sensitive information about a person e.g. information relating to their health, we will obtain the individual’s consent to take the video, photo or image and specify what it will be used for. This consent should be informed and freely given by the individual whose photo or image is to be shared. Individuals may withdraw their consent at any time. If this occurs, we will take all reasonable steps to stop using the image or photo from the time the consent is withdrawn.
Personal data from our GP services (or OPC Services)
Personal data from our QI and research support services
Participating practices send pseudonymised patient data to OPC and OPC uses this data to provide the practice with quality improvement and research support services. OPC provides practices with reports to help them improve care for patients and to help them carry out research.
The GP practice is the data controller of this data, and OPC is a data processor. OPC does not receive any information that will identify you from the pseudonymised data a practice shares with us. If you have questions about use or sharing of your medical data with OPC by your GP practice, you will need to contact your GP practice.
Personal data from clinical trials supported by OPC
We do not process your personal data as a data controller in relation to clinical research or trials. Any personal data of patients taking part in clinical research or trials supported by OPC is collected or processed with the patient’s informed consent at their GP practice. OPC does not hold personal data for patients who take part in clinical research. If you have questions about the use of your personal data in a clinical research study or trial, please contact your GP practice who will hold records about your involvement.
Personal data held in our research databases – OPCRD, OPCRD-NEXUS
OPCRD and OPCRD-NEXUS databases receive pseudonymised patient data from participating GP practices but only provide anonymised data, which is not personal data, to researchers for ethically approved scientific and exploratory research.
OPC acts as data controller for the purposes of permitting pseudonymised data to be processed into anonymised research datasets and made available for anonymised research purposes. This applies to the data OPC holds in OPCRD and OPCRD-NEXUS. Read more about OPCRD and OPCRD-NEXUS.
How we use personal data
We may use personal data to:
respond to enquiries from individuals, service users and suppliers;
conduct evaluations of our products, materials, programs and services;
assist service users in conducting or participating in our quality improvement programmes and education workshops;
assist service users in conducting or participating in OPC-supported research;
allow a third party to link pseudonymised GP data with pseudonymised hospital data;
invite individuals to complete questionnaires for health quality improvement;
invite individuals to participate in research or to inform individuals of educational programs;
provide and promote educational activities, events and conferences;
contact individuals for feedback on products, materials, programs and services;
assist us to perform our corporate, regulatory and contractual obligations; and
allow third parties to conduct ethically approved research on anonymised datasets.
We will not:
sell your personal data to third parties
share your personal data with third parties for marketing or insurance purposes
How we disclose or share personal data
Personal data that we hold is only shared or disclosed in line with data protection laws. We will disclose personal data if we are required to do so by law, by court order, government department or to prevent fraud or other crime.
We do not disclose personal data to third parties for marketing purposes. We do not sell personal data or confidential information to third parties. We do not disclose any personal data collected in the UK to overseas entities.
We may disclose personal data to contractors to whom we outsource certain functions, or which provide services to us. We take all reasonable measures with contractors to ensure they comply with the law on data protection. Contractors must not disclose any personal data or confidential information without prior approval in writing from OPC, unless they are required to disclose the information by law, court order, or to prevent fraud or crime.
We may disclose personal data to relevant institutions or accreditation bodies for the purpose of certifying completion or participation or for recording continuing professional development points, when individuals participate in our educational activities.
We may disclose personal data to data linkage authorities for linking data from different healthcare data sources, where this is approved by the relevant research ethics committee.
How we store personal data
OPC is committed to ensuring that any personal data we hold is as safe as reasonably possible, both while it is being processed and when it is stored. We store the personal data we collect on secure databases, electronic and hard copy files. Personal data is only stored in the UK and within the European Economic Area (EEA) in line with data protection laws.
We have policies and procedures for the secure, permanent destruction of personal data when it is no longer required.
Pseudonymised patient data we receive from GP practices receiving OPC Services from us is stored in the OPC Service Database (OPCSD), and where agreed to by the GP practice, it is also stored in OPCRD and OPCRD-NEXUS.
How long we keep personal data
We retain the personal data we collect for as long as needed to continue to meet the purposes for which the information is collected. We will delete personal data in line with our records retention policy or as required by law.
A GP practice can request at any time for their patients’ data to be removed from OPC databases without disclosing the identity of patients, subject to any requirements on data retention by GDPR or DPA 2018.
OPC will continue to securely hold the pseudonymised data received from participating practices for the provision of OPC Services to participating practices. The pseudonymised data OPC holds in OPCSD will be held for a maximum of five (5) years after the participating practice has terminated OPC Services. The participating practice can also instruct OPC to delete their pseudonymised data from OPCSD immediately when they terminate OPC Services.
OPC will continue to hold pseudonymised data in OPCRD and OPCRD-NEXUS in perpetuity unless the participating practice notifies OPC in writing to destroy the data, subject to any applicable legal requirements for data retention. Please note it is not possible to remove a patient’s data from anonymised research data, results or publications, as the patient cannot be identified.
Data security – how we protect and secure personal data
OPC takes preserving and protecting a person’s identity and personal data very seriously and it is a key responsibility of all our staff, contractors and partners. We have technical and organisational procedures in place to prevent unauthorised access or disclosure of personal data we hold.
We also make sure that any contractors and third parties we deal with have an obligation to keep secure all personal data they process on our behalf.
The steps we take to keep the personal data we collect secure include:
Regularly assessing the risk of misuse, loss, interference, modification, unauthorised access or disclosure of personal data.
Putting measures in place to address the above risks including robust information technology security, data encryption, restricted user access, and data security and protection policies.
Regularly ensuring that our staff and contractors only access personal data when needed.
Ensuring our staff and contractors are regularly trained on data protection at least annually. This includes compulsory annual certified training provided by NHS Digital, and NIHR certified Good Clinical Practice (GCP) training.
Conducting regular internal audits to assess compliance with these measures and the GDPR/DPA.
Undertaking and complying with the NHS Data Security and Protection Toolkit (ref: 8HR85) assessment annually. This assessment ensures we comply with the National Data Guardian’s Data Security Standards.
ISO 27001 and ISO 9001 certification (certificate number 385342022). These accreditations demonstrate that OPC operates in accordance with a global framework of information security and quality assurance and management.
OPC is a registered data controller with the Information Commissioner’s Office, registration number: ZA197058.
Your data protection rights
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information. Note that these rights apply to the data we hold in our capacity as data controller. We will try to assist with any requests we receive from data subjects; however, rights are only exercisable against data controllers under the GDPR and so we may need to pass your request to (or ask that you approach) the relevant entity that controls the data (e.g. your GP practice):
Your right of access
You have the right to ask us for copies of your personal data held by OPC.
Your right to rectification
You have the right to ask OPC to change or correct information you think is inaccurate about you. You also have the right to ask OPC to complete information you think is incomplete.
Your right to erasure
You have the right to ask OPC to erase your personal data in certain circumstances.
Your right to restriction of processing
You have the right to ask OPC to restrict the processing of your information in certain circumstances.
Your right to object to processing
You have the right to object to processing if we are able to process your information because the process is in our legitimate interests.
Your right to data portability
This only applies to information you have given to OPC. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information with your consent.
You are not required to pay any charge for exercising your rights. We have one month to respond to you. Please note that we are only able to help you exercise your data protection rights if we hold your personal data and we can identify you.
Please send an email to us (Email: email@example.com) if you wish to make a request, or contact our office line on (Tel: 01223 967855).
You can opt out of sharing data
You have the right to opt out of the sharing of your patient data by your GP practice with OPC. Opting out of sharing your health information will not affect the care you receive from your GP practice.
If you do not wish for your data to be shared by your GP practice, or you would like your data to be removed from our databases, please contact your GP practice who can provide OPC with a code to remove your data without disclosing your identity. Individuals in England can also opt-out of data sharing through the National Data Opt Out scheme.
It is not possible to remove a patient from anonymised research datasets, research results or publications, as patients cannot be identified from anonymised information.
If you have any questions or complaints or you require any information about how we handle personal data at OPC, please contact our Data Protection Team by email, phone or post using the details below:
Write to us: Optimum Patient Care, 5 Coles Lane, Cambridge, CB24 3BA
Email us: firstname.lastname@example.org
Phone us: 01223 967 855
Our Data Protection Officer is Francis Appiagyei. You can email him at email@example.com or write to him using our postal address above. Please mark the envelope ‘Data Protection Officer’.
You can make a complaint about the way we process your personal data to the Information Commissioner’s Office (ICO) using their contact information below. You can also request independent advice from the ICO.
Phone: 0303 123 1113
Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
ICO website: https://ico.org.uk/make-a-complaint/
Changes to this Privacy Notice
We keep our privacy notice under regular review to make sure it is up to date and accurate. When we make changes to this notice, we will amend the last updated date at the bottom of this page. Any update to this notice will be applied to the handling of personal data as of that update date.
Privacy Notice last updated 13 July 2022