Medefer and Manx care privacy policy

Summary

The requester sought privacy policies and data storage details regarding the contract between Manx Care and Medefer Limited. Manx Care responded by providing Medefer's Records Management Policy, which outlines data handling procedures, though the response indicates some information was exempt.

Key Facts

• Medefer stores patient medical records electronically on a secure server located within England.
• The data is encrypted both at rest and in transit.
• The server is hosted by CareLink, a provider on the UK's N3 network for the NHS.
• Paper records received by Medefer are scanned and immediately shredded.
• The maximum retention period for public records is normally 30 years.

Data Disclosed

• 2019
• February 2022
• May 2014
• October 2016
• 30 years
• Level4/5
• v2.0
• V1.0
• V1.1

Exemptions Cited

• Part exempt

Original Request

Please can you provide me with a copy of the following documents regarding the contract between Manx Care and Medefer limited. 1. The privacy policy between Manx Care and Medefer limited 2. The privacy notice between Manx Care and Medefer limited 3. The relevant privacy notice issued to Manx Care patients using the Medefer service 4. The policy for Manx Care data processing by Medefer limitrd 5. A list of locations the data is stored and processed in. 6. Details of what data is stored in the United States and for how long. 7. What data from Manx Care patients does Medefer share with NHS UK for research and planning purposes.

Data Tables (4)

Full Response Text

MEDEFER

2019 Records Management Policy

Records Management Policy, v2.0 Review Date: February 2022 1 Title Records Management Policy Author Dr Bahman Nedjat-Shokouhi Responsible Person Dr Bahman Nedjat-Shokouhi Authorised Dr Bahman Nedjat-Shokouhi Issue Date February 2019 Review Date February 2022 - Every three years unless review required earlier

Revision History Version Revision Date Summary of Changes V1.0 May 2014

V1.1 October 2016

V2.0 February 2019 Added retention periods and wider record management piece

Scope Title Name CEO and Compliance Lead (Clinical) Dr Bahman Nedjat-Shokouhi Employees All individuals in the employ of this establishment
(‘Employ’ means any person who is employed, self-employed, volunteer, working under practising privileges or contract of service with this establishment)

Records Management Policy, v2.0 Review Date: February 2022 2 Executive Summary This document contains policies and procedures for the control and use of both Medical and corporate records with Medefer. It includes information on the roles and responsibilities of staff, provision and storage of patient notes.
1. Introduction Definition: A Health Record As defined in section 68 (2) Data Protection Act 1998: a. Consists of any information relating to the physical or mental health or condition of an individual. b. Has been made by or on behalf of a health professional in connection with the care of that individual checked and correct. 2. Policy Principles This policy is concerned with the management of medical health records held in a variety of forms. This policy should be read alongside Information Governance Policy, Patient Confidentiality Policy, System Security Policy, Clinical Governance Procedure and Medicine Management Policy, Incident Reporting Policy and the linked policies therein.
Any changes or breaches of legal obligations relating to medical records should be reported via the incident reporting forms. Confidentiality
All information concerning patients and staff must be held in the strictest confidence and may not be divulged to any unauthorised persons at any time, unless it is in the best interests of the individual.
Information Governance
Staff must ensure at all times that high standards of data quality, data protection, integrity, and confidentiality and records management are met in compliance with the relevant legislation and guidance. 3. Management of Medical Records Electronic Records The majority of the patients’ medical records are handled electronically, with strict role-based access, such that the records can be access only on a need-to-know basis.
Within Medefer, all medical records are kept electronically, on a secure database on a server within England, complying with all NHS security requirements. The data is encrypted at rest and on transit. The server is hosted by CareLink, one of UK’s premier N3 network providers to the NHS, within highly secure facilities, that meet all NHS Digital requirements. Paper Records On rare occasions, Medefer may come into possession of paper copies of patient records; for example, if the patient has inadvertently posted a copy of a letter to Medefer. In such cases, the paper record will be scanned and uploaded to the appropriate patient and shredded immediately. 4. RECORD RETENTION Keeping records must be balanced with the need to store them securely. The maximum term is normally 30 years for public records and Medefer is not intending to exceed this. Medefer aims to

Records Management Policy, v2.0 Review Date: February 2022 3 reflect Part 2 of the NHS publication ‘Records Management: NHS Code of Practice’ as much as is reasonably applicable.

PROCESS FOR THE RETENTION, DISPOSAL AND DESTRUCTION OF CORPORATE RECORDS Medefer reviews its corporate records that are no longer required for business use on a regular basis, and safely destroys any data that is deemed obsolete by the company Executives according to the level of sensitivity. Medefer destroys all physical electronic storage media, such as computer hard- drives or USBs through the manual in-office physical destruction of the drive, before disposal. Any paper records are shredded in the company Level4/5 shredder. Electronic mails will be deleted from the mailbox. Some modification of the document retention periods would also occur at this point, such as an extension.

If a record due for destruction is subject to an information request or potential legal action destruction should be delayed until disclosure has taken place, or if not disclosed, any period allowed for appeal against that decision has passed.

PROCESS FOR THE RETENTION, DISPOSAL AND DESTRUCTION OF PATIENT RECORDS The overall responsibility for managing the process for the retention, disposal and destruction of patient health records lies with Medefer’s Compliance Lead (Clinical).

Where possible those elements of a patient record that are held digitally will be retained for 8 years. When digital patient records reach the end of the agreed retention period they should be reviewed, and an appropriate method of disposal agreed. Although in most cases a decision will be reached to securely destroy the records, consideration should be given to the archival value of the record set and the potential to transfer them to a place of deposit for permanent preservation. The process for the retention, disposal and destruction of patient health record folders will be carried out by the clinical operations staff. Eight years following a patient’s death or last contact their record folder(s) will be selected for review. The folder will be reviewed to confirm its status and it will be classified as one of the following: • Containing information subject to a longer minimum retention period (Retain in system). • Possible archival value (Discuss archiving). • Passed minimum retention period (Can be destroyed).

Where it is identified that a patient record folder can be selected for destruction the record will be securely destroyed. The decision to destroy the record will be recorded using Medefer’s system by recording on the patient record ‘DES’ (Record Destroyed). 5. Roles and Responsibilities CEO • Ensure protection of service users and corporate risk All employees • Ensure compliance of Records Management Policy and report any issues as Significant Events

FOI 2403023 - Medefer and Manx Care Privacy Policy

Q 4. The policy for Manx Care data processing by Medefer limited

Annex A Data Processing Services Processing, Personal Data and Data Subjects

1. The Provider must comply with any further written instructions with respect to processing by the Co-ordinating Commissioner.

2. Any such further instructions shall be incorporated into this Annex.

Description
Details Subject matter of the processing Patient medical records. Duration of the processing For the duration of the contract. Nature and purposes of the processing The Provider will be collecting, storing, updating and transmitting patient data as part of the contract. This is necessary for the performance of a contract to which the company is party, and it is necessary for the performance of a task carried out in the public interest or under official authority vested in the Commissioner as a Data Controller. The Provider’s processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to certain conditions and safeguards. Type of Personal Data
Forename, Surname, Date of Birth, Gender, Address, NHS Number, Clinical Data relating to medical condition of the patient. Diagnostic test results and referral letters will also be included. Categories of Data Subject Forename, Surname, Date of Birth, Gender, Address, NHS Number, Clinical Data relating to medical condition of the patient. Diagnostic test results and referral letters will also be included. Plan for return and destruction of the data once the processing is complete UNLESS requirement under law to preserve that type of data The Provider will not return the data to the Commissioner at the end of the contract, as the Provider is processing the data as a Data Controller and has a legal requirement to retain the data as part of the clinical record of the patient. The Provider complies and adheres to the NHSX Records Management Code of Practice 2020 and all data will be retained in the Provider’s Secure system.
At the end of the defined retention period, the Provider will be electronically securely destroyed.

Manx Care Noble’s Hospital, Strang Braddan, Isle of Man IM4 4R (01624) 650 000

Our ref: 2403023 24 May 2022

Dear ###

We write further to your request which was received on 26th April 2022 which states:

"Please can you provide me with a copy of the following documents regarding the contract between Manx Care and Medefer limited. 1. The privacy policy between Manx Care and Medefer limited 2. The privacy notice between Manx Care and Medefer limited 3. The relevant privacy notice issued to Manx Care patients using the Medefer service 4. The policy for Manx Care data processing by Medefer limited 5. A list of locations the data is stored and processed in. 6. Details of what data is stored in the United States and for how long. 7. What data from Manx Care patients does Medefer share with NHS UK for research and
planning purposes."

Our Response 1. The privacy policy between Manx Care and Medefer limited While our aim is to provide information whenever possible, in this instance Manx Care is unable to provide the information that you have requested. This is in line with Section 11(3)a of the Act, as a practical refusal reason applies; namely we do not hold or cannot, after taking reasonable steps to do so, find the information that you have requested. Manx Care are in the process of reviewing and updating their Policies and Procedures. 2. The privacy notice between Manx Care and Medefer limited While our aim is to provide information whenever possible, under section 20 of the Act, we are not required to provide information in response to a request if it is already reasonably accessible to you, whether free of charge or on payment of a fee. The Privacy Notice can be found on our website: www.gov.im/medefer 3. The relevant privacy notice issued to Manx Care patients using the Medefer service Please refer to attached “Patient Privacy Notice.pdf” 4. The policy for Manx Care data processing by Medefer limited Please see “Policy for Manx Care Data Processing by Medefer limited.pdf”

1. A list of locations the data is stored and processed in. Please see attached “Medefer Records Management Policy.pdf”
2. Details of what data is stored in the United States and for how long. No data is stored in the USA, as clarified by Medefer
3. What data from Manx Care patients does Medefer share with NHS UK for research and
   planning purposes." No data is shared with NHS UK, as clarified by Medefer. Please quote the reference number 2403023 in any future communications.

Your right to request a review

If you are unhappy with this response to your freedom of information request, you may ask us to carry out an internal review of the response, by completing a complaint form and submitting it electronically or by delivery/post.

An electronic version of our complaint form can be found by going to our website at https://services.gov.im/freedom-of-information/Review . If you would like a paper version of our complaint form to be sent to you by post, please contact me and I will be happy to arrange for this. Your review request should explain why you are dissatisfied with this response, and should be made as soon as practicable. We will respond as soon as the review has been concluded. If you are not satisfied with the result of the review, you then have the right to appeal to the Information Commissioner for a decision on; 1. Whether we have responded to your request for information in accordance with Part 2 of the Freedom of Information Act 2015; or 2. Whether we are justified in refusing to give you the information requested.
In response to an application for review, the Information Commissioner may, at any time, attempt to resolve a matter by negotiation, conciliation, mediation or another form of alternative dispute resolution and will have regard to any outcome of this in making any subsequent decision. More detailed information on your right to a review can be found on the Information Commissioner’s website at www.inforights.im. Should you have any queries concerning this letter, please do not hesitate to contact me. Further information about freedom of information requests can be found at www.gov.im/foi. I will now close your request as of this date. ###