With the introduction of the new data protection framework in May 2018, it brought an opportunity for organisations to really focus on their data protection and information security compliance. The GDPR and the Data Protection Act 2018 intends to give people greater control of their personal data and strengthens the rules relating to how organisations process an individual’s information.

At Nuffield Health, the introduction of GDPR presented an opportunity for us to review all of our existing processes, policies and procedures to ensure we capture the spirit of the regulation as well as making sure our compliance was as robust as it could be. We have an individual and collective, responsibility to do the right thing when it comes to managing our members, patients, customers and employee personal data to ensure we keep their data safe, secure and use it correctly and ethically.

Accordingly, we have established a minimum-required data set for our GP services. This would be required within eligibility lists from our corporates so that our systems and teams can securely process each employee through our GP service. Below, we explain how our GP services use these eligibility data fields, and how our minimum data set contributes to an enhanced and secure customer journey.

GP Service Eligibility Data – The Minimum Dataset

What happens to the eligibility data set once it has been provided to Nuffield Health?

Once we receive your eligibility list, it is uploaded to our customer record and booking system. By using the identifiable data above, our software then validates the data and identifies whether there are any records already in our system that require validation or creates a new record for those who have never engaged with our services before. This software will also highlight any exceptions, such as duplications, erroneous formatting or incomplete data. Once this has been completed, invitations are then scheduled from an eligibility report according to your contractual contact schedules. There is therefore no manual manipulation of your company data hence it is imperative that we receive your eligibility list complete with the required fields.

FAQ for corporates in acquiring/providing this data to Nuffield Health

Do we need to acquire consent from our employees to provide you their data?

Before the point the eligibility list is sent to Nuffield Health, this will be personal data of your employees for which you are Data Controller. As such it will be your responsibility to ensure you have a lawful basis for sharing the eligibility data with Nuffield Health. Consent is only one of the lawful basis for processing, for which you can rely on. If you can evidence another condition applies then you won’t necessarily need consent.

As the data subjects are your employees, it may be the case that a lot of the processing you carry out is done without consent, in which case you may find that the condition contained within Article (6)(f) of the GDPR – Legitimate Interest, is an alternative condition that you may be able to rely on in order to share the personal data with Nuffield Health.

Every organisation is different, so we would urge you to seek your own legal advice if you are not certain about the lawful basis for sharing the eligibility data with Nuffield Health.

Which organisation is the Data Controller in respect of the Eligibility Data?

At the point the eligibility list is transferred into Nuffield Health’s possession we become the Data Controller in respect of that data, which means we are responsible for ensuring it is processed in accordance with the data protection legislation.

If you retain a copy of the eligibility data you have sent to us, you will remain Data Controller in respect of your copy and Nuffield Health will be Data Controller in respect of the copy we hold. We have confirmed this position with the ICO and it is entirely possible to have two separate Data Controllers who control a different copy of the same data. For the avoidance of doubt, this does not give rise to a Joint Controller relationship.

What is Nuffield Health’s lawful basis for requesting this information?

As a Data Controller, Nuffield Health will be responsible for ensuring we have a lawful basis for processing the personal data we have requested above and we are in a position to justify our position should the ICO question or challenge our lawful basis for processing this personal data.

All of the personal data we have requested is necessary for the performance of our contract i.e. to provide private GP service to your eligible employees. For your employees to be able to take benefit of the service we need this minimum set of data. For this reason, we rely on the condition contained within Article 6(1)(b) of the GDPR.

Transparency is really important to Nuffield Health, so we have a privacy policy on our website which is available at: www.nuffieldhealth.com/privacy.

What happens if an employee does not wish to use Nuffield Health and we have already provided their data to Nuffield Health?

The data is eligibility data, so we know which individuals are eligible for a private GP service. It is entirely possible that not every eligible employee will elect to the service available to them, however, we still need their information should they decide they want to go ahead with the service at any point.

An individual can get in touch with Nuffield Health and let us know they won’t be interested in using the GP service within the scheme length and request that the information is deleted from Nuffield Health’s system. Such an erasure request will be considered by our dedicated Customer Data Requests Co-ordinator. The individual can also request that they don’t want Nuffield Health to be sent their personal data in the first place. If we receive such a request we would share this with you so you can consider their objection.

How long do you keep an eligibility list for?

The eligibility lists are refreshed every 12 months for the entire eligible population, but new joiners/leavers are provided typically monthly. As data is updated every 12 months, this gives a very short retention period for those employees who may have left the organisation or who may no longer be eligible for a private GP service.

As the eligibility data is populated straight into our system there is no need to retain spreadsheets or other documentation outside of the primary system, which mitigates the risk of multiple sets of data being retained in excess of a reasonable retention period, as data only needs to be kept up to date in one source.