This document describes how your personal data is collected, used and protected so that I can provide you with health care. It also outlines your rights regarding personal data.
Throughout the policy “I”, “me” or “my” refers to Dr Lucinda Green. “We” also includes the medical secretaries and administrators working with me.
All uses of your information comply with the General Data Protection Regulation (GDPR) and the Data Protection Act. My practice also complies with the General Medical Council (GMC) “Confidentiality: Good practice in handling patient information” guidance.
I am registered as a Data Controller with the Information Commissioner’s Office (Dr Lucinda Caroline Green – ZA336474). I am responsible for the processing of your personal data.
2. Data Protection Principles
We will comply with data protection law, which requires that the personal information we hold about you must be:
Used lawfully, fairly and in a transparent way
Collected and used only for valid purposes that we have told you about
Relevant to the purposes we have told you about
Accurate and kept up to date
Kept only as long as necessary for the purposes we have told you about
3. What is personal data?
Personal data consists of information relating to an identified or identifiable living person. This includes your contact information and clinical information.
4. How is information collected?
(a) Information is collected directly from you when you:
Complete the contact form on my website: www.drlucindagreen.co.uk or the websites of the Child and Family Practice, Women’s Wellness Centre or HCA Healthcare UK.
E-mail information to us directly (e.g. at firstname.lastname@example.org) or through the Child and Family Practice, Women’s Wellness Centre or HCA Healthcare UK emails.
Speak to my PA, another medical secretary or administrator, or to me, on the phone.
Speak to me when you attend an appointment.
Provide any information in writing. This may include filling in registration or other forms, providing copies of clinical letters or records written by other health professionals, or any other letters.
Information you provide as part of payment for treatment.
(b) Information is collected from other health care professionals involved in your care (or the care of your baby or other children):
Professionals currently or previously involved in your health and social care may provide information, for example about your previous diagnosis or treatment. This information may be obtained from your GP, obstetrician, midwife, health visitor, other mental health professionals, social workers or other professionals. This information may be obtained verbally or in writing.
Information may be sent with a referral. Alternatively, I may request mental health or other health care records from your GP or another psychiatrist or mental health service (I will ask for your written consent to request this information if it is needed).
Healthcare records include:
Correspondence between health professionals
Laboratory reports e.g. blood test results
Communication between you and a healthcare professional, by letter, email or SMS.
Information may be obtained from professionals primarily involved in the care of your baby or other children. This can include but is not limited to doctors, social workers and teachers.
See section 11 below for further information about information sharing.
(c) Information may be obtained from third parties. This may include:
Your partner, family or friends
Your insurance policy provider
(d) Information obtained when you visit my website:
When you visit my website (www.drlucindagreen.co.uk) data regarding the resources you access is collected automatically. This includes:
Technical information such as your IP address, browser type and operating system
Pages viewed on my website, length of time spent on the website.
This information is not personally identifiable. It allows me to understand how the website is used. This information is used to improve the effectiveness of the website.
5. What information is collected?
(a) Basic details including:
Date of birth
Contact details: address, email and telephone number.
Next of kin
Emergency contact details.
Your NHS number.
Financial information (e.g. credit card details) you use to pay for your appointments.
Insurance policy details.
(b) Information relating to your medical treatment, which is a special category of personal data under the law.
This includes information you give to me at your appointments and information from other professionals or third parties (see section 4 above). This includes, but is not restricted to:
Your current and previous mental health, obstetric and other physical health care.
Personal information relevant to your mental health history and care plan.
Your children’s names and dates of birth.
6. The purposes for which your personal data is used
I will only use your personal information in accordance with current data protection laws and the guidelines on medical confidentiality.
Your data will be used:
(a) To provide health care
(b) To provide information and advice related to your care. This may include using your email address to send you links to websites with information about specific mental health problems in pregnancy, medication or organisations which offer information and support for women with mental health problems in pregnancy or after birth.
(c) To make a referral to another professional or healthcare provider to enable them to provide appropriate advice, investigations, treatments and/or care.
(d) To check and review the quality of care (this is called audit and clinical governance).
7. The lawful basis for processing data
The legal basis for allowing me to use (“process”) your data is defined in the following sections of the GDPR:
(a) Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and
(b) Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...’
We will also respect and comply with our obligations under the common law duty of confidence.
8. How we store and process your personal data
In order to prevent unauthorised access or disclosure of personal data, we have in place suitable physical and electronic procedures to safeguard and secure the data we hold. All staff who have access to your personal data have training in relation to data protection, information security and confidentiality.
All medical professionals have to keep patient records in order to provide high quality care. Medical records at most hospitals and GP practices are held electronically. I use a secure web-based management system called Heydoc (https://heydoc.co.uk/). Data stored in Heydoc is physically stored on servers which have achieved the highest level of security certification, as used by banks and government services. These servers are located in London, United Kingdom. Data in transfer is fully encrypted using the most secure cryptographic technologies available (256-bit level of encryption). This means that when data is accessed via the internet the Heydoc server will negotiate a secure link with the end user via a process called SSL. This is the same technology used for online banking and credit card transactions and is known to be the most secure system available.
I use Heydoc to process all appointments and consultations, and to store letters and clinical information electronically. This includes letters I write about you and any letters or other clinical correspondence I receive from your GP or other professionals involved in your care.
I do not keep paper records. I will handwrite notes at your appointments. These do not include your name or personal details. I use these to ensure my letters contain accurate information. These are shredded as soon as I have dictated the letter following your appointment.
The hospital or clinic where I see you for your appointment will store your contact details and the dates and times of your appointments. I will not upload any clinical information to the electronic records systems at the clinics where I see you. However, if you agree that information can be shared with other professionals, e.g. obstetricians, then that clinician may upload a copy of the letter sent to them.
Information about you may need to be sent by email. This includes referral details and appointment times sent between my PA and the administrators who organise my clinics at the Child and Family Practice, the Women’s Wellness Centre and the Portland Hospital. This also applies to letters sent to your GP or other clinicians. This information is only sent by secure email. This is sent using Proton Mail (https://protonmail.com/) or Egress (https://www.egress.com/), which are both encrypted systems.
We never sell or share your personal data with other organisations for marketing, market research or commercial purposes.
Your personal data is stored and processed within the European Economic Area (EEA). It may also be processed by staff operating outside the EEA who work for one of our suppliers. This may include staff who process your payment details. By submitting your personal data, you agree to this transfer, storing or processing. In case of transfer of your personal data to any third countries, as defined in General Data Protection Regulation (GDPR), the relevant laws and regulations concerning such transfers are observed.
9. How is information processed by the hospitals and clinics where I see you for your appointments?
I provide care and treatment at various sites: The Child and Family Practice, The Women’s Wellness Centre and The Portland Hospital. It may be necessary for these organisations to process your personal data.
10. How we communicate with you
We communicate with you by telephone, SMS, email, and/or post. We also use Heydoc (as described above) to share letters using a password-protected link so that you can download letters directly from the Heydoc server. The Heydoc server will negotiate a secure link with the end user via a process called SSL. This is the same technology used for online banking and credit card transactions and is known to be the most secure system available.
If we contact you using the mobile or landline telephone numbers which you have provided, and the call is diverted to a voicemail, we may leave a message. In this case the minimum information will be included in the message. This will be enough for you to identify who the call is from, the reason for the call and our contact details.
Written consent is needed if you request any letters written about you to be sent to you by non-secure email.
Please note that information submitted through the Contact form on my website (www.drlucindagreen.co.uk) is not completely secure until it reaches us. Any data which you send to us in this way is therefore at your own risk.
Video consultations are end to end encrypted using Twilio software as part of Heydoc (https://help.heydoc.co.uk/en/articles/2409351-video-consultation-privacy-concerns).
11. How personal data is shared with other professionals, relatives and third parties
Any information about you is usually only shared with your consent. The only exceptions to this are if there is a significant risk of harm to you or to others, or sometimes when a court requests information, which is extremely rare.
(a) Sharing information with your GP
Your GP usually receives copies of letters relating to any physical or mental health care. It is considered good practice to share information about your care and treatment with your GP.
I will write a letter after each appointment to document the discussion we have had, the advice I have given you, and the plan we agree together for your care and treatment. I usually send this letter to your GP and will send you a copy. However, if there is information that you do not want to be shared with your GP then please let me know. Information sharing will always be discussed at your first appointment.
Please tell me if you do not want copies of letters to be sent to you, or if you do not want letters to be sent to your home address. Also, please tell me as soon as possible if I have misunderstood anything or made any errors in any letters so that I can correct these as soon as possible.
(b) Sharing information with other professionals involved in your care
When you are pregnant and after you have a baby, there are usually several other professionals involved in your care. These include a midwife, obstetrician and health visitor. Some women may also have a general adult psychiatrist, a psychologist or other professionals involved. Sharing some information with these professionals is important to make sure you have the best care. An example of this is making sure that your obstetrician knows what medication you are taking in pregnancy.
Many women do not want all the details of their mental health history shared with obstetricians, midwives and health visitors. If you are pregnant, I will offer you the option of having a Perinatal Mental Health Care Plan. This is a plan that I will write with you to outline some very brief details, such as your diagnosis, and the plan we agree for your care. This is mainly written for your benefit, but it can also be a helpful way of sharing some information with the other professionals involved in your care, without letting them know all the details of your history. Some women do want to share more information with other professionals. Of course, if you want to share all the letters I write about you then you are welcome to do this. We can discuss information sharing at your appointment and agree what information, if any, it will be helpful to share with specific professionals.
Information may also be shared with other professionals who need to be involved in your care. These may be in connection with your physical or mental health care as an inpatient or outpatient.
(c) Sharing information with your partner or family members
You are welcome to bring your partner, another family member or a friend to some or all of your appointments if you want to. Information will not be shared with your partner or relatives without your consent.
(d) Sharing information with other third parties
Relevant information may also be shared with some or all of the following:
Members of staff involved in the delivery of your care e.g. receptionists
Medical secretaries, receptionists and administrators working with any of the other professionals who are involved in your care
The Care Quality Commission
Debt collection agencies
The police – if necessary to prevent or detect a crime
Third party service providers including analytics, payment processing and legal services.
Sometimes I need to share information so that other people, including children or others with safeguarding needs, are protected from risk of harm.
All professionals have a duty to share information with Children’s Social Care to make sure that your unborn baby, child or children get the help and support they need. If I have concerns about your unborn baby or child’s wellbeing, I will discuss this with you so that we can think together about how to proceed.
It is rare to decide that a referral to Children’s Social Care is needed without your consent. This can only happen if there is a risk of significant harm to your baby or child. This only happens when a child is at immediate risk or when talking to parents might put the child at further risk.
I will inform you if information is being shared without your consent, unless doing so would present a significant risk to a child or other person.
I comply with the safeguarding policies of the Portland Hospital (HCA Healthcare UK), The Child and Family Practice and the Women's Wellness Centre and the London Child Protection Procedures.
For information about safeguarding see: www.nspcc.org.uk/preventing-abuse/safeguarding/.
13. How long is personal data kept?
Your medical records will be kept in line with the law and national guidance.
The Records Management Code of Practice for Health and Social Care 2016 states that mental health records should be stored for 20 years after the last contact between the patient and any healthcare professional or if sooner, 8 years after the patient’s death.
14. Your rights
Under the Data Protection Act and GDPR, you have certain rights in relation to the personal information that I hold about you. These include rights to know what information I hold about you and how it is used. You may exercise these rights at any time by contacting me using the contact details in section 17 below.
If for any reason I cannot comply with your request to exercise your rights we will usually tell you why.
Your rights include:
(a) The right of access
You have the right to access any information I hold about you. I usually send you a copy of all letters I write about you, unless you tell me you do not want to receive these.
(b) The right to rectification
I aim to ensure that all the information I hold about you is accurate and complete. If you believe that any information I hold is incorrect, please let me know as soon as possible so that I can correct any errors and update information.
(c) The right to erasure
In some circumstances you can request that some of the personal information I hold about you is deleted.
You do not have a right to delete correct information from your medical records. You are entitled to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information.
If it is necessary to keep your information in order to perform tasks which are in the public interest, or for the purposes of establishing, exercising or defending a legal claim, I am not obliged to comply with a request to delete information.
(d) The right to restrict processing
In some circumstances you have the right to request that I limit the use of your personal data if you have a particular reason for this. This may be because you are concerned about the accuracy of the data or how it is processed. In that case your information can be stored but not used. Usually the restriction is not indefinite.
(e) The right to data portability
This allows you to obtain and reuse your personal data across different services. This means that you can request that I transfer certain information about you to another individual or organisation, provided this is technically feasible.
(f) The right to object
You have the right to object to information being shared between professionals who are providing you with direct care. This may affect the care you receive.
You are not able to object to your name, address and other demographic information being sent to NHS Digital. This is necessary if you wish to be registered to receive NHS care.
You are not able to object when information is legitimately shared for safeguarding reasons.
(g) Rights in relation to automated decision making and profiling
Automated decision making takes place when an electronic system uses personal information to make a decision without human intervention.
I do not use processes which involve or rely on automated decision making.
(h) The right to withdraw consent
In some circumstances, I may need your consent to use your personal information to comply with data protection legislation. You have the right to withdraw your consent to further use of your personal information.
(i) The right to complain
You have the right to complain to the Information Commissioner’s Office (ICO). If you wish to complain you can do so using the ICO website: https://ico.org.uk/make-a-complaint/ or by phone: 0303 123 1113.
(a) What are cookies?
Cookies are small pieces of text sent by your web browser to a website you visit. A cookie file is stored in your web browser and allows the website or a third party to recognize you and make your next visit easier and my website more useful to you.
There are two types of cookies:
Session cookies – these are temporary and are erased when you close your browser.
Persistent cookies – these files stay in one of your browser’s subfolders until you delete them manually or your browser deletes them when they expire.
When you use and access my website, a number of cookie files may be placed in your web browser.
Some of the cookies used are set by the website host (Wix) and some are set by third parties (e.g. Google Analytics).
The cookies used on my website are
(c) Third-party cookies
In addition to our own cookies, we may also use various third-party cookies to report usage statistics of the Service, deliver advertisements on and through the Service, and so on.
Cookies used on my website are
(d) What are your choices regarding cookies
Please note, however, that if you delete cookies or refuse to accept them, you might not be able to use all of the features of the website and some of our pages might not display properly.
(e) Where can you find more information about cookies
You can learn more about cookies at
This policy will be regularly reviewed and, where necessary, updated. The date of the latest update is provided at the end of the document.
If I plan to use personal data for any new purpose I will update this privacy information and communicate the changes to women under my care before starting any new processing.
17. Contact details and further information
Further information about Data Protection and confidentiality can be found at:
The Information Commissioner’s Office - https://ico.org.uk/your-data-matters/your-right-to-be-informed-if-your-personal-data-is-being-used/
General Medical Council – Confidentiality - www.gmc-uk.org/-/media/ethical-guidance/related-pdf-items/confidentiality/new-gdpr-changes.pdf
The Records Management Code of Practice for Health and Social Care 2016 - https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
Date of policy update: 26th February 2020