Privacy Notice

About us and what we do

Optimum Patient Care Limited (OPC) is a not-for-profit social enterprise that provides quality improvement programmes to support GP practices, healthcare providers and commissioners to improve patient care. Over the last 15 years, we have supported more than 800 GP practices across England, Scotland, Wales and Northern Ireland with clinical trials, observational research and clinical quality improvement programmes. For more information about our services and the work we do with GP practices, please see our Quality Improvement Programme.

OPC also supports GP practices and researchers to conduct research in primary care. This includes observational research, which is where only anonymised data is used without patients taking part; and clinical research where patients are invited by their GP practice or doctor to take part in a study.

Our research database, the Optimum Patient Care Research Database (OPCRD), is approved by the NHS Health Research Authority Research Ethics Committee (REC reference: 20/EM/0148) to provide anonymised patient data for ethically approved scientific, exploratory and public health research. All research requiring the use of anonymised data from OPCRD must receive prior independent research ethics approval from the Anonymised Data Ethics and Protocol Transparency committee (ADEPT). The funds we get from OPCRD research is vital for us to continue providing quality improvement services at no cost (free) to GP practices across the UK. To read more about publications from research using data provided by OPCRD, please see our recent publications.

Why we have this privacy notice

Optimum Patient Care Limited (OPC) is a not-for-profit social enterprise that provides quality improvement programmes to support GP practices, healthcare providers and commissioners to improve patient care. Over the last 15 years, we have supported more than 800 GP practices across England, Scotland, Wales and Northern Ireland with clinical trials, observational research and clinical quality improvement programmes. For more information about our services and the work we do with GP practices, please see our Quality Improvement Programme.

OPC also supports GP practices and researchers to conduct research in primary care. This includes observational research, which is where only anonymised data is used without patients taking part; and clinical research where patients are invited by their GP practice or doctor to take part in a study.

Our research database, the Optimum Patient Care Research Database (OPCRD), is approved by the NHS Health Research Authority Research Ethics Committee (REC reference: 20/EM/0148) to provide anonymised patient data for ethically approved scientific, exploratory and public health research. All research requiring the use of anonymised data from OPCRD must receive prior independent research ethics approval from the Anonymised Data Ethics and Protocol Transparency committee (ADEPT). The funds we get from OPCRD research is vital for us to continue providing quality improvement services at no cost (free) to GP practices across the UK. To read more about publications from research using data provided by OPCRD, please see our recent publications.

We may collect personal data from individuals when they use or request a service with us, complete a survey, questionnaire or enrolment form, apply for employment with us, or communicate with us by email, telephone, in writing or in person.

We may also collect personal data about individuals when they provide or supply a service to us. This information is necessary to manage the relationship and work we do with the supplier or service provider, such as contact details, contracting information, invoicing or payment details.

We may collect personal data from the public domain if permitted by law, for example, from registration and regulatory bodies.

Who we collect personal data from

We may collect personal data from individuals when they use or request a service with us, complete a survey, questionnaire or enrolment form, apply for employment with us, or communicate with us by email, telephone, in writing or in person.

We may also collect personal data about individuals when they provide or supply a service to us. This information is necessary to manage the relationship and work we do with the supplier or service provider, such as contact details, contracting information, invoicing or payment details.

We may collect personal data from the public domain if permitted by law, for example, from registration and regulatory bodies.

What personal data we collect and why

The types of personal data we collect will vary depending on the relationship between OPC and the individual or the organisation. These include personal data collected from phone and email contact, from our website, from our social media, from images and photos, and from our events and educational activities.

We collect only the information that we need for a particular function, and only hold it for as long as it remains necessary for the purposes for which it was collected. We only use or disclose personal data for the purposes for which the individual gave it to us for, or for directly related purposes the individual would expect, or other purposes if agreed with the individual.

  • Personal data collected from phone and email contact

We may collect personal data when individuals contact our services by phone or email. We use this information for administering our services and to correspond with service users.

  • Personal data collected on our website

We collect personal data when individuals visit our website, complete forms or questionnaires on our website, apply for employment with us via our website, or provide contact details through our website. We use this information to respond to the user’s enquiry, or to provide a requested service or to make improvements to our website.

When a user visits our website, our web server may request that the user’s browser create a cookie on the user’s computer. A cookie is a small piece of information sent by the server of a website to the user’s browser by other sites. We use cookies to measure how individuals use our website to help us make website updates and improvements.

Our website cookies do not contain personal information about users. However, cookies can identify a user’s browser. The cookies transferred by our website are used for such things as capturing information about a user’s web browser, controlling a pop-up window or enabling login access to password-protected areas of the website. The cookies have an expiration date set 24 months from the most recent website visit date.

We use a third-party service, Google Analytics, to collect information regarding visitor activity to the website. This is not used to identify the user as an individual but is collated into aggregate results or classifications. We do not make an attempt to find out the identities of the visitors to our website.

If users do not wish to receive any cookies, they may set their browser to refuse or disable them. When you visit our website, you will be notified that we use cookies and asked if you agree to this or choose to decline. Please note that some features of our website may not work if cookies are disabled.

OPC does not allow advertising or marketing on its website.

  • Personal data collected on our social media

We use a number of social media platforms, including Facebook, Twitter and LinkedIn to update and inform our service users and the public. Comments posted on our social media are open to the public. We may collect personal data from social media posts that are uploaded to these platforms.

If users post or upload content to our social media platforms, they should be aware information is also collected by the company operating the social media platform, for example Facebook, Twitter or LinkedIn. The user should refer to the privacy policy of that social media company for information on how it collects, uses and discloses personal data.

  • Personal data from our events and educational activities

We collect personal data from individuals invited to, attending or participating in events and educational activities supported by OPC. We use this information to organise and run the events, and to support individuals attending or participating in the events.

In some cases, information on the education or participation activity status of individuals may be disclosed to relevant institutions or accreditation bodies for the purpose of certifying completion or participation or for recording continuing professional development points such as CPD points.

  • Personal data from our clinical research

We collect personal data from individuals invited to, attending or participating in events and educational activities supported by OPC. We use this information to organise and run the events, and to support individuals attending or participating in the events.

In some cases, information on the education or participation activity status of individuals may be disclosed to relevant institutions or accreditation bodies for the purpose of certifying completion or participation or for recording continuing professional development points such as CPD points.

  • Personal data from images and photos

We will seek an individual’s consent prior to taking a photo or image, and using it. In some cases that consent may be implied, such as the taking of photos at events to be used in publications.

If the photo or image contains sensitive information about a person e.g. information relating to their health, we will obtain the individual’s consent to take the photo or image and specify what it will be used for. This consent should be informed and freely given by the individual whose photo or image is to be shared. Individuals may withdraw their consent at any time. If this occurs, we will take all reasonable steps to stop using the image or photo from the time the consent is withdrawn.

How we use personal data

We may use personal data to:

  • respond to enquiries from individuals, service users and suppliers;
  • conduct evaluations of our products, materials, programs and services;
  • assist service users in conducting or participating in our quality improvement programmes and education workshops;
  • assist service users in conducting or participating in OPC-supported research;
  • invite individuals to complete questionnaires for health quality improvement;
  • invite individual to participate in research or to inform individual of educational programs;
  • provide and promote educational activities, events and conferences;
  • contact individuals for feedback on products, materials, programs and services; and
  • assist us to perform our corporate, regulatory and contractual obligations.

How we disclose or share personal data

Personal data that we hold is only shared or disclosed in accordance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA). We will disclose personal data if we are required to do so by law, by court order, government department or to prevent fraud or other crime.

We do not disclose personal data to third parties for marketing purposes. We do not sell personal data or confidential information to third parties.

We do not disclose any personal data collected in the UK to overseas entities.

We may disclose personal data to contractors to whom we outsource certain functions, or which provide services to us. We take all reasonable measures with contractors to ensure they comply with the law on data protection. Contractors must not disclose any personal data or confidential information without prior approval in writing from OPC, unless they are required to disclose the information by law, court order, or to prevent fraud or crime.

We may disclose personal data to relevant institutions or accreditation bodies for the purpose of certifying completion or participation or for recording continuing professional development points, when individuals participate in our educational activities.

We may disclose personal data to data linkage authorities for linking data from different healthcare data sources, where this is approved by the relevant research ethics committee.

How we store personal data

OPC is committed to ensuring that any personal data we hold is as safe as reasonably possible, both while it is being processed and when it is stored.  We store the personal data we collect on secure databases, electronic and hard copy files. Personal data is only stored in the UK and within the European Economic Area (EEA) in line with data protection laws.

We have archiving policies and procedures for the secure, permanent destruction of personal data when it is no longer required.

Please note that we hold de-identified patient data we receive from GP practices receiving services from us and is stored in the OPC Quality Improvement Database and the OPC Research Database (OPCRD). The de-identified data stored in these databases is not personal data.

How long we keep personal data

We retain the personal data we collect for as long as needed to continue to meet the purposes for which the information is collected. We will delete personal data in line with our records retention policy or as required by law, which is typically 8 years after any enquiry is closed or contract terminated.

How we protect and secure personal data

OPC takes preserving and protecting a person’s identity and personal data very seriously and it is a key responsibility of all our staff, contractors and partners. We have technical and organisational procedures in place to prevent unauthorised access or disclosure of personal data we hold.

We also make sure that any contractors and third parties we deal with have an obligation to keep secure all personal data they process on our behalf.

The steps we take to keep the personal data we hold secure include:

  • Regularly assessing the risk of misuse, loss, interference, modification, unauthorised access or disclosure of personal data.
  • Putting measures in place to address the above risks including robust information technology security, data encryption, restricted user access, and data security and protection policies.
  • Regularly ensuring that our staff and contractors only access personal data when needed.
  • Ensuring our staff and contractors are regularly trained on data protection at least annually.
  • Conducting regular internal audits to assess compliance with these measures and the GDPR/DPA.
  • Undertaking and complying with the NHS Data Security and Protection Toolkit (ref: 8HR5) assessment annually. This assessment ensures we comply with the National Data Guardian’s Data Security Standards.

Your data rights under the GDPR and DPA

OPC takes preserving and protecting a person’s identity and personal data very seriously and it is a key responsibility of all our staff, contractors and partners. We have technical and organisational procedures in place to prevent unauthorised access or disclosure of personal data we hold.

We also make sure that any contractors and third parties we deal with have an obligation to keep secure all personal data they process on our behalf.

The steps we take to keep the personal data we hold secure include:

  • Regularly assessing the risk of misuse, loss, interference, modification, unauthorised access or disclosure of personal data.
  • Putting measures in place to address the above risks including robust information technology security, data encryption, restricted user access, and data security and protection policies.
  • Regularly ensuring that our staff and contractors only access personal data when needed.
  • Ensuring our staff and contractors are regularly trained on data protection at least annually.
  • Conducting regular internal audits to assess compliance with these measures and the GDPR/DPA.
  • Undertaking and complying with the NHS Data Security and Protection Toolkit (ref: 8HR5) assessment annually. This assessment ensures we comply with the National Data Guardian’s Data Security Standards.

Your right to opt-out of data sharing

You have the right to opt-out of the sharing of your de-identified medical data (this is data which you cannot be identified from) by your GP practice with OPC. Opting-out of sharing your de-identified medical data will not affect the direct care that you receive.

If you do not wish for your de-identified medical data to be collected, processed or used for any purpose including research and healthcare planning, please contact and inform your GP practice. Individuals in England can also opt-out of data sharing through the National Data Opt-out policy.

Contact us

If you have any questions or feedback about this privacy notice or if you have any complaints about how we handle personal data, please contact our Data Protection Office by email, phone or post using the details below:

OPC Data Protection Office

Email:    dataprotection@optimumpatientcare.org

Phone: 01223 967 855

Post:      Optimum Patient Care, 5 Coles Lane, Cambridge CB24 3BA

If you wish to make a complaint to the Information Commissioner’s Office (ICO) or to request independent advice, the ICO can be contacted at:

Information Commissioner’s Office

Email:    casework@ico.org.uk

Tel:         0303 123 1113

Post:      Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

[Notice last updated 08 June 2020]