London International Patient Services (LIPS) takes information security seriously.
The EU General Data Protection Regulation (GDPR) came into force on the 25th of May 2018. The GDPR changes how personal data is handled and increases or reinforces the rights of data subjects.
Your Rights Under the GDPR
You have certain rights in relation to how your personal data is processed, including:
- The right to be informed about processing of your personal data,
- The right to have any inaccuracies in your personal data corrected,
- The right to object to processing of your personal data,
- The right to restrict processing of your personal data,
- The right to have your personal data erased,
- The right to request access to your personal data and information about how we process it (Subject Access Request),
- The right to move, copy or transfer your personal data,
- Rights in relation to automated decision making, including profiling.
This page tells you how London International Patient Services Limited (LIPS) is managing GDPR.
LIPS uses Meddbase developed by Medical Management Systems Limited (MMS) to help maintain GDPR compliance and protect personal information. Meddbase is a web application designed for clinical management and is used to run our organisation and manage our patient records (practice management software).
Information We Collect
We obtain personal information about our patients including:
- Date of birth, gender and nationality,
- Postal address, email address and telephone numbers,
- Next of kin contact details,
- GP details,
- Medical records, including referral details, and information provided by third parties and other healthcare professionals,
- Details of your condition, treatments, investigations and any details required by a healthcare professional involved in your care,
- Information about medical or health conditions of your family members,
- Financial information, e.g. payment card details.
MMS stores client data in secure, geographically dispersed UK data centres. The data centres have multiple physical controls, including biometrics and dedicated key passes that only allow access to authorised parts of the data centre.
Access to the Meddbase portal is over a secure link. There are multiple layers of intrusion protection, intrusion detection and firewalls between the internet, the application servers and the databases. The application and database servers have no access to the internet. All access to the application is by users who have been authorised by LIPS. We also have enabled two-factor authentication to add further strength to access management.
LIPS internal policies only allow specified employees access to the application. All access is monitored, and any unusual access raises an alert to the MMS Security Team. Unusual access by client users is also monitored, and unusual events raise an alert to the MMS Security Team, who will liaise with LIPS to investigate that access. MMS is NHS IGSoC and ISO27001 certified and HIPAA compliant, and follows the strict information handling requirements of these standards.
Data Controllers and Data Processors
Within the meaning of the GDPR, MMS acts as a Data Processor on behalf of LIPS, which is the Data Controller in respect of the personal data stored on the Meddbase application. MMS cannot do any processing of personal data without the permission of LIPS. This permission is given via the contract between LIPS and MMS.
Subject Access Requests
Data subjects have rights under the GDPR, similar to those under the previous law, to access copies of information that data controllers hold about them through a subject access request (SAR). MMS makes it easy for LIPS to handle SARs through the Meddbase application. Using the application, LIPS can search for the relevant information that the requestor is looking for and export it in a suitable format to provide to the data subject.
Where MMS receives a SAR in respect of data that an individual believes is held within the Meddbase application, MMS will advise them to contact the data controller they believe is using the application. MMS will not take any other action in respect of a SAR unless in accordance with specific instructions from LIPS.
The Right of Erasure
The GDPR gives data subjects new rights to have data about them erased in certain limited circumstances. This is easily managed by LIPS within the Meddbase application. Once permanently deleted, such data cannot be restored. The Meddbase application provides warnings when data is deleted in this way, but the decision as to when and whether to delete data is one for our clients to take as data controllers.
MMS will not delete data other than in accordance with the specific instructions from LIPS.
The Right to Rectification
The GDPR allows data subjects to have their data corrected when it is wrong. This is easily managed by LIPS, as data controller, within the Meddbase application. MMS will not modify data other than in accordance with the specific instructions of our client.
Third Party Transfers
MMS does not use any third parties to process any of the personal data stored within the Meddbase application and, unless otherwise required by law, will not transfer any of this personal data to any third party other than in accordance with the specific instructions of our client.
We may need to transfer your information to other LIPS Group companies or service providers in countries outside the European Economic Area (EEA). The EEA consists of countries in the European Union, Switzerland, Iceland, Liechtenstein and Norway: they are considered to have equivalent laws when it comes to data protection and privacy. This kind of data transfer may happen if our servers (i.e. where we store data) or our suppliers and service providers are based outside the EEA, or if you use our services and products while visiting countries outside this area.
If LIPS sends your information to a country that is not in the EEA, we will make sure that your information is properly protected. We will always ensure that there is a proper legal agreement that covers the data transfer. In addition, if the country is not considered to have laws that are equivalent to EU data protection standards then we will ask the third party to enter into a legal agreement that reflects those standards.
If you wish to exercise your rights under GDPR, please contact our Data Protection Manager by email at firstname.lastname@example.org, by telephone at +44 (0) 207 164 6114 or by post to Data Protection Manager, London International Patient Services, 5 Devonshire Place, London, W1G 6HL.
You have the right to complain to the Information Commissioner’s Office (www.ico.org.uk), which is responsible for monitoring compliance with the GDPR and data protection laws.