Privacy statement

East Kent Unit for Breast Screening - EKUBS (we/our/us) are committed to the protection of the rights and privacy of the data subjects (you/your) providing data to EKUBS.

This Privacy Statement informs you of our privacy practices and of the choices you can make about the way information about you is collected, how that information is used by EKUBS, and how EKUBS communicates with you. In implementing any changes to our procedures we apply a privacy-first policy: we consider the impact on data privacy, and we review these policies accordingly. The policies in this statement are reviewed annually and were last reviewed in May 2018.

In order to comply with GDPR, PECR and other regulations, EKUBS only grants access to the personal data that it holds after obtaining the following agreement, and requires that agreement to be renewed on an annual basis in writing.

I will ensure that the data released to me will be treated as confidential and will not be used by me or any organisation with which I am associated for any purpose other than for secure processing in respect of the legitimate purposes of EKUBS or purposes for which EKUBS has received informed consent from the data subject. In particular, I recognise the requirement to keep the personal details of data subjects confidential and to destroy in some unreadable form any paper or electronic records when no longer required.

I have retained access to a copy of this statement. I have read and understand how it impacts on my involvement with EKUBS. I agree to abide by the requirements and principles of this statement and I understand that non-compliance will be cause for disciplinary action up to and including termination of contract, and perhaps criminal and/or civil penalties. I will report any breaches or suspected breaches of this statement immediately in order that EKUBS can comply with its duty to report such breaches.

Name ………………………………………… Signature ……………………………………… Date ……………………………

The General Data Protection Regulations (GDPR) provide the following rights for individuals who are data subjects: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights in relation to automated decision making and profiling. These are explained in detail in the 120 page ICO guide at https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf.

On request, preferably by email to info@ekubs.org.uk, EKUBS will provide you with the personal data that it holds about you in order that you can rectify any incorrect details, erase information that it is holding with your consent, and restrict any future processing except where it has a legitimate right under contract. We request that you notify us whenever your details change in order that our records can be kept up to date. In order to prevent fraud, we reserve the right to request evidence of authenticity before making changes.

EKUBS uses data for legitimate purposes to communicate with you in respect of the services that EKUBS is contracted to provide, to manage our relationship with you, including collecting monies due to us, and to resolve any complaints.

EKUBS uses data with your explicit consent for electronic marketing purposes and in circumstances where it wishes to publish any of that data. EKUBS allows you to select specific items and methods for consent, and retains a record of your consent and the basis on which it was obtained.

EKUBS does not send unsolicited messages except with specific informed consent which has not been withdrawn, or to an existing (not prospective) customer or client who has not withdrawn consent.

EKUBS collects and records personal data which may include your name, address, telephone number, NHS number, marital status, email address, age, and date of birth.

EKUBS does not have a need to store a full Credit Card Primary Account Number (PAN). Any record of a card number to identify the card is restricted to the first 6 and the last 4 digits of the cardholder data, and the CVV/CVC (3 characters on the back of the card) is never stored.

EKUBS collects and records credit card data as a paper record while processing your credit card payments, using an outside processor, but securely destroys this information using a cross cut shredder immediately the transaction has been processed. EKUBS retains no record of your credit card data used by the outside processor to collect your credit card payment.

EKUBS does not and will not share, sell, rent, or lease your personal data to others except as required by law, or under a contract for the provision of services where the provider has a legitimate requirement for that information solely to provide that service and contracts not to use it for any other purpose. EKUBS will share your personal information to: (i) respond to duly authorized information requests of police and governmental authorities; (ii) comply with any law, regulation, subpoena, or court order; (iii) investigate and help prevent security threats, fraud or other malicious activity; (iv) enforce/protect the rights and properties of EKUBS when allowed and in line with the requirements of applicable law.

EKUBS may provide links to third-party applications, products, services, social media websites, or other websites for your convenience and information. If you access those links, you will leave the EKUBS website. EKUBS does not control those third party sites or their privacy practices. EKUBS does not endorse or make any representations about third-parties. The personal data you choose to provide to or that is collected by these third parties is not covered by the EKUBS Privacy Statement. We encourage you to review the privacy policy of any site you interact with before allowing the collection and use of your personal information.

Data security

To prevent unauthorized access or disclosure, to maintain data accuracy, and to ensure the appropriate use of the information, EKUBS utilizes reasonable and appropriate physical, technical, and administrative procedures to safeguard the information we collect and process. EKUBS retains data only as required or permitted by law and while it has a legitimate business purpose or consent. The personal information you provide to EKUBS is stored on computer systems in permitted locations in controlled facilities which have limited access. When we transmit or transport confidential information, including over the internet, we protect it through the use of encryption, such as the Secure Sockets Layer (SSL) protocol. EKUBS does not connect computers storing files with personal data to an unsecured WiFi network.

EKUBS will not include personal data in the body of an email, but emails can include an encrypted attachment which includes personal data, with the password communicated separately, either by email or by some other means.

EKUBS will consider whether it is appropriate to reveal the email addresses of other recipients, but will also consider whether the use of bcc is more appropriate.

EKUBS requires the use of strong passwords, preferably 12 characters which do not resemble a dictionary word or anything that can easily be broken by a brute force attack. Passwords and computer access must never be shared. Vendor supplied default passwords must be changed before any equipment or processing facility is used.

EKUBS implements automatically updating antivirus and firewall software, and a daily encrypted backup procedure to a secure off-site location.

Cookies

EKUBS uses session cookies to record your login to the secure parts of its website. These session cookies expire when you close your browser.

EKUBS sets and reads persistent cookies on your computer through your browser in order to understand and improve your use of its website.

You can prevent EKUBS’s use of cookies in your browser settings as detailed below, but this will restrict the functionality of the website in your browser.

https://support.google.com/chrome/answer/95647?hl=en-GB
https://support.apple.com/kb/PH21411?locale=en_US
https://support.microsoft.com/en-gb/help/17442/windows-internet-explorer-delete-manage-cookies
https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences

Definitions

‘GDPR’ General Data Protection Regulations

‘Data subject’ is a living individual to whom personal data relates.

‘Personal data’ means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.

Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual. info@bloggs.com is not personal but joe@bloggs.com is personal.

‘Sensitive personal data’ refers to “special categories of personal data” and specifically includes genetic data, and biometric data where processed to uniquely identify an individual.

‘Information society service’ (ISS) is any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.

‘Permitted locations’ are countries within the EU and other locations with an adequate level of protection. The United States of America is not a permitted location, but some US data storage facilities are compliant.

‘PECR’ Privacy and Electronic Communications (EC Directive) Regulations 2003

‘Electronic communication’ is any communication over a phone system or internet connection, but excluding generally available information such as the content of web pages or broadcast programming.

‘Unsolicited message’ is any message that has not been specifically requested.

‘Soft opt-in’ is an existing (not prospective) customer or client who has not withdrawn consent.