Mountain Healthcare Limited is a private company, commissioned by NHS England and the Police to provide forensic healthcare services.

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 are data protection laws that apply to companies that are established in the UK. UK GDPR requires us to provide people with information about what personal data we process, what are their rights, how they can exercise those rights, and how to make complaints.

Mountain Healthcare takes your privacy very seriously and is committed to protecting your personal information. This Privacy Notice provides that information in a way we have tried to make clear and transparent. If you would like more information about what data we process, for what purpose or how long we keep it for, please use one of the contact details provided to ask us.

Data Controller

Mountain Healthcare Limited (referred to as Mountain, “we”, “us” or “our” in this privacy policy) is a limited company with registration number 11394918. Mountain is the Controller of the personal data to which this privacy policy relates. This means that we are responsible for making sure that we process your personal data in a safe and lawful way.

We have appointed a data protection lead (“DPL”) whose role includes overseeing questions in relation to how we process your personal data. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact our DPL using the details set out below.

Contact details

Our contact details are:

Our full name: Mountain Healthcare Limited

Email and postal address for contacting us and our DPL:

Email address: governance@mountainhealthcare.co.uk  

Registered Office: First Floor, Station Place, Argyle Way, Stevenage, SG1 2AD, UK

Telephone: 0330 223 0099

Personal data processed

Personal data is any information we have that can identify you, such as your name, date of birth, or medical history.

Our data retention period, which is the length of time we hold your personal data, is informed by our commissioners and the Department of Health, NHS England and professional bodies such as the British Medical Association and The Health and Care Professions Council.

We might also keep some information that doesn’t identify you to help improve our business and our services as well as helping with health research. We do this by removing your identifiable information such as your name, date of birth, contact details to form ‘de-identified’ data.

In accordance with national opt-out legislation, you can choose to opt out of your confidential information being used for research and planning. For more information on this, please visit the NHS data opt-out website.  If you have any concerns about this or wish to change your data preferences, please email the Governance team at governance@mountainhealthcare.co.uk or call 0330 223 0099.

We process the following personal data for the purposes listed. Where we use personal data, we will only use the minimum necessary personal data for that purpose.

Patients:

Purposes	Types of personal data	Retention period	Lawful basis
Providing health and care to NHS referred patients	•  Basic details •  Contact details •  Details of accompanying persons and/or next of kin •  Medical history/Medication usage •  Reason for attending •  Notes regarding any physical mental health assessments/examinations carried out •  Results of any tests that we refer the individual to •  Information about onward referrals made to other support services •  Any feedback provided to us by the individual.	If you are an adult service user, we will keep your data for 8 years. If you are 16 we will keep your data until your 25th birthday or 26 if you were 17 at the time of your treatment.	Performing a task in the public interest [Article 6(1)(e)] and; The provision of health or social care or treatment [Article 9(2)(h)]
Communicating regarding any concerns, queries or complaints	Name, contact details, any relevant information including health	We keep your data for 10 years	Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)] and; Ensuring high standards of quality and safety of health care [Article 9(2)(i)]
Quality assurance, quality improvement, training and security including conducting peer reviews of treatment conducted by clinicians delivering Mountain services	Health data, video and/or audio conversations recorded through clinical sessions as well as recorded calls and emails to support teams regarding your service with us	If you are an adult service user, we will keep your data for 8 years. If you are 16 we will keep your data until your 25th birthday or 26 if you were 17 at the time of your treatment.	Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)] and; Ensuring high standards of quality and safety of health care [Article 9(2)(i)]
Complying with our legal or regulatory obligations, and defending or exercising our legal rights where necessary or in the vital interests of the data subject	All personal data held by Mountain where necessary	We keep your data for 8 years, although it may be longer to comply with legal requirements	For compliance with a legal obligation [Article 6(1)(c) and Article 9(2)(f)] and; For reasons of substantial public interest [Article 9(2)(g)]
To conduct research	Name, contact details, study ID and health data, video recorded through clinical sessions.   We remove any details that could identify you from this information. This includes your name, address and contact information.	We keep your data for up to 10 years, which will vary on the type of research	Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)] and; For the public interest, scientific or statistical purposes [Article 9(2)(j)]

Suppliers:

Purposes	Types of personal data	Retention period	Lawful basis
Supplier retention	Name, address, contact details and payment information	We keep your contact details for the life of the contract plus 6 years for audit purposes	Processing is necessary for the performance of a contract [Article 6(b)]

Where we rely on GDPR Article 6(1)(f) ‘legitimate interests’ are as follows:

1.     Providing health care to individuals

2.     Ensuring complaints and communications are handled appropriately

3.     Ensuring we provide and maintain a high level of quality of service

4.     Undertaking research to further improve our service

Helping with health research

When using your de-identified data to support health research, we aim to publish our research results in peer-reviewed journals or by working with academics. We may conduct research with partner organisations such as universities or other academic institutions.

We may also use data that does not identify you personally as part of statistics that we collect on certain types of illness, symptoms and conditions. This might include us contributing medical data to our partners and organisations such as NHS England. They will always be anonymised, which means you cannot be personally identified. This is so we can improve our medical knowledge, help deliver better care and help the public.

Sharing your personal data

We will only share your personal data with organisations involved with your care for example your GP, unless we have a legal obligation to share with another party. Where personal data will be shared outside the purposes of providing you care we will inform you unless the law restricts us from doing so. These services may include Sexual Health, Social Services, Independent Sexual Violence Advisor (ISVA) Services, Talking Therapies, Mental Health, Drug & Alcohol as well as other local services.

Where we store and process your data

Your data may be processed or stored outside of the UK and the European Economic Area (EEA). This is because we sometimes work with other companies who help us deliver our services to you and they might have servers outside of the UK or EEA.

This will always be in line with applicable data protection lawful mechanisms and protected by appropriate safeguards such as EU-approved standard contractual clauses, a Privacy Shield certification, or a supplier’s Binding Corporate Rules.

For further information on how we protect your data if we transfer it outside of the EEA, contact us by email at: governance@mountainhealthcare.co.uk.

Further uses of personal data for corporate purposes:

Contractors, Third-Party Service Providers, and Suppliers:

Purposes	Types of personal data	Retention period	Lawful basis
Supplier retention	Name, address, contact details and payment information	We keep your contact details for the life of the contract plus 6 years for audit purposes	Processing is necessary for the performance of a contract [Article 6(b)]

Patients and commissioners:

Purposes	Types of personal data	Retention period	Lawful basis
Managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (eg tax or legal advice)	Financial, contact details, name	We keep your data for 8 years	Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)] and; For compliance with a legal obligation [Article 6(1)(c)]

The UK GDPR allows various rights for people whose data is being processed. The rights are not absolute and so sometimes do not apply. Where you wish to exercise any of your rights, you may do so free of charge contacting us at governance@mountainhealthcare.co.uk. We will respond within one month. 

Details of the rights within UK GDPR are below. You will be informed if the right is available to you upon application:

Right	Meaning
Access UK GDPR Article 15	You may request a copy of the data held by us about you.
Rectification UK GDPR Article 16	If you think the data held by us is wrong and you may request that it is corrected.
Erasure (Right to be forgotten) UK GDPR Article 17	You can request that your data is deleted by us.
Restriction UK GDPR Article 18	There are circumstances in which you may ask us to stop processing your data, but we must otherwise keep the data. For example, where required by law.
Portability UK GDPR Article 19	You can ask for a copy of your data in a format that can be readily transferred to another company.
Objection UK GDPR Article 20	You can object to the processing of your personal data when we are relying on a legal obligation or public duty legal basis or where we are processing in our legitimate interest, especially for direct marketing.

 

If you have any complaints regarding our use of personal data, please contact us by one of the above means. In the event we cannot resolve your complaint, you have the right to complain to the Information Commissioners Office, the UK data protection regulator.

They can be contacted at:

Information Commissioner’s Office (www.ico.org.uk)

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Tel: 0303 123 1113

Mountain Healthcare are registered to the Information Commissioners Office registration number: Z9725343

 

Mountain takes protection of your personal data very seriously. Mountain uses a range of precautions that include administrative, technical and physical measures, to safeguard your personal data against loss, theft and misuse, as well as against unauthorized access, disclosure, alteration and destruction. We store the personal data you provide encrypted on computer servers that are in highly secure and controlled facilities. We restrict access to personal data to our employees, contractors and agents who need access to operate, develop, or improve our services and the application.

We follow industry accepted security standards to protect the personal data you submit to us, both during transmission and once we receive it.

We have implemented several technical and organisational measures to ensure your personal data is kept secure. This includes:

·       Compliance with the NHS Data Security and Protection Toolkit

·       Completing annual Cyber Essentials Plus certification by external security specialist company

·       Annual penetration testing of our systems by an external cyber security specialist company

·       Annual training for all staff on how to handle information securely.

·       Having role-based access controls so that staff can only access records necessary for their role.

Personal data processed

Purposes	Types of individuals	Types of personal data	Retention period	Lawful basis
Collect analytics to understand user numbers accessing website, registering interest for our research	All individuals access social media platforms that click on our adverts	IP address, device address, time of day, length of time, what screens are visited	We keep your data for 8 years	Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)]

For website users and social media platforms, where we rely on GDPR Article 6(1)(f) our legitimate interests are as follows:

1.     Marketing our products, services and research.

Under the General Data Protection Regulation (GDPR) and Data Protection Act, individuals have the right to access the information we hold about them, both on paper and electronically. There are some exceptions to this however, which include:

·       If information has been provided about the individual by someone else and they have not given their permission for this to be shared with them.

·       The information is considered to have the potential to cause mental or physical harm to the individual or someone else.

Please note we will require proof of identity before we can disclose personal information.

 

Job Applicants

When potential candidates apply for one of our vacancies, we will collect basic contact details, as well as standard curriculum vitae information. We will also give individuals the opportunity to provide information regarding equal opportunities. As the individual’s application progresses, we may require information to support security checks and professional body compliance. This information is collected to process the individual’s application and to complete our ‘New Starter’ process, should the individual be appointed.

Employees:

Mountain will collect your personal data for the performance of your employment contract. We will normally record the following information:

·       Basic details

·       Contact details

·       Curriculum Vitae information, including qualifications, employment history, etc.

·       Information to support Equal Opportunities

·       Finance/Bank details

·       Medical/Health information

·       Information required for DBS/Vetting Checks

·       Information to confirm compliance with professional bodies such as the GMC/NMC/HCPC.

·       Staff training and development

·       Staff appraisals, probation and promotion.

Additional personal information may also be collected throughout your employment with Mountain Healthcare Ltd, to manage your ongoing employment relationship with us. This information may include but is not limited to leave requests, medical certificates, performance appraisals, etc.

The main purposes for collecting your personal information are to process your employment application, maintain your employee records, manage your employment, and administer your salary.

Personal employee information, which is collected by Mountain Healthcare Ltd, will be used for managing processes associated with your employment relationship with us.

We use external companies to support some functions, we may be required to share your personal information with third parties. If you would like further information regarding this, please contact our Human Resources Department by email via hr@mountainhealthcare.co.uk.