top of page

Privacy Notice

What this information is about

 

This privacy notice tells you how Optimum Patient Care Global Limited (OPC, OPC Global, we, us, our or Company) collects, stores and uses your personal data when you contact us, use our website, or use one of our services. Personal data is information that can identify you. This notice explains what you should expect OPC to do with the personal data that we have collected from you where OPC is the controller of the personal data that we hold.

 

Important Definitions

 

To help you understand the information on this page, the types of data mentioned are defined below.

 

Personal data

This is information which relates to a living individual who can be identified either directly or indirectly from that information. Personal data contains information or identifiers that can identify the person the data relates to e.g. name, date of birth, address, contact information, etc. OPC does not process data that can identify patients when providing the OPC Services.

 

Pseudonymised or de-identified data

This is information which has had identifiers (information that will identify the person it relates to) such as name, date of birth, address, contact information, removed and replaced by a code or unique ID (also called a pseudonym) that cannot be traced back to the person the information relates to. The patient data OPC receives from healthcare providers or patient data contributors is pseudonymised data, and only the data controller i.e. the healthcare provider can re-identify their patients.

 

Anonymised data

This is information which cannot identify or re-identify an individual (directly or indirectly), either on its own or when combined with other information. Anonymised data is not personal data. The research datasets that OPC provides for ethics approved research is anonymised data as it does not contain any information such as name, date of birth, address, contact information etc. and any unique IDs or pseudonyms are removed.

 

Who we are and what we do

 

Optimum Patient Global Care Ltd (OPC or OPC Global) or referred to as ‘Company’, supports healthcare providers, commissioners/funders, and health researchers to improve healthcare provision to patients and better patient outcomes, globally including UK, Australia, Singapore and U.S.A. OPC provides quality improvement programmes and services, and supports and conducts real-life research and clinical trials.

 

We help healthcare providers with reports and activities to assist them in improving the care they provide for patients with chronic and public health conditions such as asthma, COPD and Covid-19, rare diseases and many more. We also help them to take part in real-life research and pragmatic clinical trials.

 

We also support researchers to carry out medical research using anonymised data from our research databases including but not limited to OPC Research Database, UK (OPCRD), OPCRD-NEXUS, OPC Research Database Australia (OPCRDA), and the International Severe Asthma Registry (ISAR). The fee paid by researchers to OPC for access to the anonymised research data is directly reinvested into OPC Services, which is vital for OPC to continue providing free quality improvement programmes and research support services. Read more about OPCRD for example and how it helps medical research.[FA1] 

 

Who we collect personal data from

 

We collect personal data from individuals when they use or request a service with us, complete a questionnaire or form, apply for employment with us, or contact us by email, telephone, in writing or in person.

 

We collect personal data about individuals when they provide or supply a service to us. This information is needed to manage the work we do with the supplier or service provider, such as contact details, agreements, and invoicing or payment details.

 

We may collect personal data from the public domain if permitted by law, for example, from registration and regulatory bodies.

 

We collect personal data as a processor in the form of pseudonymised data from healthcare providers e.g. practices who receive our quality improvement and research support services (or OPC Services).  The data controller for these services is the healthcare provider or practice, and you should refer to your healthcare provider or practice if you have any queries.

 

Why we collect personal data (lawful basis)

 

OPC collects personal data as a data controller in order to run its business, provide services to users, and for our website to function correctly. It is in the legitimate interest of OPC to process personal data for the purposes explained above, and this processing should not impact on you negatively. In the UK and Europe, this lawful basis is covered by:

  • GDPR Article 6(1)(f) Legitimate interests: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

 

There are other lawful bases that we rely on to collect or process personal data depending on the nature of the activity or service, including lawful basis when we collect or process data in other regions or countries.

 

For our services to healthcare providers, OPC is a data processor on behalf of the participating healthcare provider or practice, who are the data controllers of the patient data they share with OPC as part of receiving OPC Services. Each healthcare provider or practice enters into a service, data processing and sharing agreement with OPC, which permits OPC to collect, pseudonymise and hold the data for providing OPC Services to the practice. As data controller, the healthcare provider or practice is responsible for determining the lawful basis under which the processing of your personal data takes place. Please visit your healthcare provider’s or practice’s privacy notice for further information. In the UK and Europe, the lawful basis for these activities is covered by one or more of the following lawful bases:

  • GDPR Article 6(1)(e): Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (being the GP practice).

  • GDPR Article 6(1)(e) and Article 9(2)(i): Medicines and medical device monitoring - processing of special category data (e.g. data concerning health) for public interest in the area of public health.

  • GDPR Article 6(1)(e) and Article 9(2)(j): Medical research and statistics - processing of special category data (e.g. data concerning health) for public interest and scientific research purposes.

 

OPC acts as data controller for the purposes of  transferring data from the OPC Services  to make it available for anonymised research purposes. This applies to the data OPC holds in OPCRD, OPCRD-NEXUS, OPCRDA, APEX, and ISAR.

 

 

What personal data we collect

 

We collect only information that we need for a particular function, and only hold it for as long as it remains necessary for the purposes for which it was collected. We only use or disclose personal data for the purposes for which the individual gave it to us for, or for directly related purposes the individual would expect, or other purposes if agreed with the individual.

 

  • Personal data collected from phone and email contactWe may collect personal data when individuals contact our services by phone or email. We use this information for administering our services and to correspond with service users.

  • Personal data collect from our suppliersWe collect information regarding contacts at our suppliers such as names, telephone numbers, email addresses, postal address in order to maintain the relationship and ensure the continued supply of services from those parties.

  • Personal data from curriculum vitae (CVs) and job applicationsWe collect information from you when you apply for a job with us or send us your CV. Please refer to the separate candidate privacy notice for further information in relation to how we use the personal data we collect.

  • Personal data collected on our websiteWe collect personal data when individuals visit our website, complete forms or questionnaires on our website, apply for employment with us via our website, or provide contact details through our website. The personal data we collect from users of this website will include the IP address you use to access this website, and the URLs of any of our web pages which you visit and the time of your visit. We use this information to respond to the user’s enquiry, or to provide a requested service or to make improvements to our website.

 

Cookie policy

When a user visits our website, our web server may request that the user’s browser create a cookie on the user’s computer. A cookie is a small piece of information sent by the server of a website to the user’s browser by other sites. We use cookies to measure how individuals use our website to help us make website updates and improvements.

 

Our website cookies do not contain personal information about users. However, cookies can identify a user’s browser. The cookies transferred by our website are used for such things as capturing information about a user’s web browser, controlling a pop-up window or enabling login access to password protected areas of the website. The cookies have an expiration date set 24 months from the most recent website visit date.

 

We use a third-party service, Google Analytics, to collect information regarding visitor activity to the website. This is not used to identify the user as an individual but is collated into aggregate results or classifications. We do not make an attempt to find out the identities of the visitors to our website.

 

If users do not wish to receive any cookies, they may set their browser to refuse or disable them. When you visit our website, you will be notified that we use cookies and asked if you agree to this or choose to decline. Please note that some features of our website may not work if cookies are disabled.

 

1. Personal data collected on our social media

We use a number of social media platforms, including Facebook, Twitter and LinkedIn to update and inform our service users and the public. Comments posted on our social media are open to the public. We may collect personal data from social media posts that are uploaded to these platforms.

If users post or upload content to our social media platforms, they should be aware that information is also collected by the company operating the social media platform, for example Facebook, Twitter or LinkedIn. The user should refer to the privacy policy of that social media company for information on how it collects, uses and discloses personal data.

 

2.Personal data from our events and educational activities

We collect personal data from individuals invited to, attending or participating in events and educational activities supported by OPC. We use this information to organise and run the events, and to support individuals attending or participating in the events. In some cases, information on the education or participation activity status of individuals may be disclosed to relevant institutions or accreditation bodies for the purpose of certifying completion or participation or for recording continuing professional development.

 

3.Personal data from images and photos

We will seek an individual's consent prior to taking a video, photo or image, and using it. In some cases that consent may be implied, such as the taking of photos at events to be used in publications. If the video, photo or image contains sensitive information about a person e.g. information relating to their health, we will obtain the individual’s consent to take the video, photo or image and specify what it will be used for. This consent should be informed and freely given by the individual whose photo or image is to be shared. Individuals may withdraw their consent at any time. If this occurs, we will take all reasonable steps to stop using the image or photo from the time the consent is withdrawn.

 

Personal data from OPC Services

 

Personal data from our QI and research support services

Participating practices or healthcare providers send pseudonymised patient data to OPC and OPC uses this data to provide the practice with quality improvement and research support services.OPC provides practices reports to assist them improve care for patients and to help them carry out research.

The healthcare provider or practice is the data controller of this data, and OPC is a data processor. OPC does not receive any information that will identify you from the pseudonymised data a practice shares with us. If you have questions about use or sharing of your medical data with OPC by your practice, please you will need to contact your practice.

 

Personal data from clinical trials supported by OPC

We do not process your personal data as a data controller in relation to clinical research or trials. Any personal data of patients taking part in clinical research or trials supported by OPC is collected or processed with the patient’s informed consent at their practice or healthcare provider. OPC does not hold personal data for patients who take part in clinical research. If you have questions about the use of your personal data in a clinical research study or trial, please contact your practice who will hold records about your involvement.

 

Personal data held in our research databases e.g. – OPCRD, OPCRD-NEXUS, ISAR

OPC databases receive pseudonymised patient data from participating practices or healthcare providers and provide ONLY anonymised datasets (which is not personal data) to researchers for ethically approved scientific and exploratory research and feasibility assessments.

OPC acts as data controller for the purposes of permitting pseudonymised data to be processed into anonymised research datasets and made available for anonymised research purposes.

 

How we use personal data

 

We may use personal data to:

 

  • respond to enquiries from individuals, service users and suppliers;

  • conduct evaluations of our products, materials, programs and services;

  • assist service users in conducting or participating in our quality improvement programmes and education workshops;

  • assist service users in conducting or participating in OPC-supported research;

  • allow a third party to link pseudonymised GP data with pseudonymised hospital data;

  • invite individuals to complete questionnaires for health quality improvement;

  • invite individual to participate in research or to inform individual of educational programs;

  • provide and promote educational activities, events and conferences;

  • contact individuals for feedback on products, materials, programs and services;

  • assist us to perform our corporate, regulatory and contractual obligations; and

  • allow third parties to conduct ethically approved research on anonymised datasets.

 

We will not:

  • sell your personal data to third parties

  • share your personal data with third parties for marketing or insurance purposes

 

How we disclose or share personal data

 

Personal data that we hold is only shared or disclosed in line with data protection laws. We will disclose personal data if we are required to do so by law, by court order, government department or to prevent fraud or other crime.

 

We do not disclose personal data to third parties for marketing purposes. We do not sell personal data or confidential information to third parties. We do not disclose any personal data collected in the UK to overseas entities. Similar restrictions and assurances apply to personal data or information collected in Australia, USA and Singapore.

 

We may disclose personal data to contractors to whom we outsource certain functions, or which provide services to us. We take all reasonable measures with contractors to ensure they comply with the law on data protection. Contractors must not disclose any personal data or confidential information without prior approval in writing from OPC, unless they are required to disclose the information by law, court order, or to prevent fraud or crime.

 

We may disclose personal data to relevant institutions or accreditation bodies for the purpose of certifying completion or participation or for recording continuing professional development points, when individuals participate in our educational activities.

 

We may disclose personal data to data linkage authorities for linking data from different healthcare data sources, where this is approved by the relevant research ethics committee.

 

How we store personal data

 

OPC is committed to ensuring that any personal data we hold is as safe as reasonably possible, both while it is being processed and when it is stored.  We store the personal data we collect on secure databases, electronic and hard copy files. Personal data is only stored in the UK and within the European Economic Area (EEA) in line with data protection laws. We apply similar data storage restrictions and assurances to personal data or information collected in Australia, USA and Singapore.

 

We have policies and procedures for the secure, permanent destruction of personal data when it is no longer required.

 

How long we keep personal data

 

We retain the personal data we collect for as long as needed to continue to meet the purposes for which the information is collected. We will delete personal data in line with our records retention policy or as required by law.

 

OPC will continue to hold data in research databases such as OPCRD in perpetuity unless the participating practice or healthcare provider notifies OPC in writing to destroy the data, subject to any applicable legal requirements for data retention. Please note it is not possible to remove a patient’s data from anonymised research data or datasets, results or publications, as the patient cannot be identified in order to remove them.

 

A data controller can request at any time for their patients’ data to be removed from OPC databases without disclosing the identity of patients; subject to any requirements on data retention by applicable data law(s).

 

Data security - how we protect and secure personal data

 

OPC takes preserving and protecting a person’s identity and personal data very seriously and it is a key responsibility of all our staff, contractors and partners. We have technical and organisational procedures in place to prevent unauthorised access or disclosure of personal data we hold.

 

We also make sure that any contractors and third parties we deal with have an obligation to keep secure all personal data they process on our behalf.

 

The steps we take to keep the personal data we collect secure include:

 

  • Regularly assessing the risk of misuse, loss, interference, modification, unauthorised access or disclosure of personal data.

  • Putting measures in place to address the above risks including robust information technology security, data encryption, restricted user access, and data security and protection policies.

  • Regularly ensuring that our staff and contractors only access personal data when needed.

  • Ensuring our staff and contractors are regularly trained on data protection at least annually. This includes compulsory annual certified data security training and Good Clinical Practice (GCP) training.

  • Conducting regular internal audits to assess compliance with these measures and applicable data laws.

  • Undertaking and complying with the UK Data Security and Protection Toolkit (DSPT ref: 8HR85) assessment annually. This assessment ensures we comply with the UK’s National Data Guardian’s Data Security Standards and the GDPR.

  • ISO 27001 and ISO 9001 certification (certificate number 385342022). These accreditations demonstrate that OPC operates in accordance with a global framework of information security and quality assurance and management.

  • OPC is a registered data controller with the UK Information Commissioner’s Office, registration number: ZA197058.

 

Your data protection rights (UK)

 

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information. Note that these rights apply to the data we hold in our capacity as data controller. We will try to assist with any requests we receive from data subjects, however rights are only exercisable against data controllers under the GDPR and so we may need to pass your request (or ask that you approach) to the relevant entity that controls the data (e.g. your GP practice):

 

  • Your right of access

You have the right to ask us for copies of your personal data held by OPC.

 

  • Your right to rectification

You have the right to ask OPC to change or correct information you think is inaccurate about you. You also have the right to ask OPC to complete information you think is incomplete.

 

  • Your right to erasure

You have the right to ask OPC to erase your personal data in certain circumstances.

 

  • Your right to restriction of processing

You have the right to ask OPC to restrict the processing of your information in certain circumstances.

 

  • Your right to object to processing

You have the right to object to processing if we are able to process your information because the process is in our legitimate interests.

 

  • Your right to data portability

This only applies to information you have given to OPC. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information with your consent.

 

You are not required to pay any charge for exercising your rights. We have one month to respond to you. Please note that we are only able to help you exercise your data protection rights if we hold your personal data and we can identify you.

 

Please send an email to us (Email: dataprotection@optimumpatientcare.org) if you wish to make a request, or contact our office line on (Tel: 01223 967855).

 

You can opt out of sharing data (UK)

 

You have the right to opt out of the sharing of your patient data by your practice or healthcare provider with OPC. Opting out of sharing your health information will not affect the care you receive from your practice or healthcare provider.

 

If you do not wish for your data to be shared by your practice or healthcare provider, or you would like your data to be removed from our databases, please contact your practice or healthcare provider who can provide OPC with a code to remove your data without disclosing your identity. Individuals in England can also opt-out of data sharing through the National Data Opt Out scheme.

 

It is not possible to remove a patient from anonymised research datasets, research results or publications, as patients cannot be identified from anonymised information.

 

 

 

 

Contact OPC

 

If you have any questions or complaints or you require any information about how we handle personal data at OPC, please contact our Data Protection Team by email, phone or post using the details below:

 

Write to us:        Optimum Patient Care, 5 Coles Lane, Cambridge, CB24 3BA

Email us:             dataprotection@optimumpatientcare.org

Phone us:           01223 967 855

 

Our Data Protection or Privacy Officer is Francis Appiagyei.

You can email him at francis@optimumpatientcare.org or write to him using our postal address above. Please mark the envelope ‘OPC Global Data Protection Officer’.

 

 

Complaints

 

You can make a complaint about the way we process your personal data to the UK Information Commissioner’s Office (ICO) using their contact information below.

 

Phone:                 0303 123 1113

Post:                     Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

ICO website:       https://ico.org.uk/make-a-complaint/

 

 

Changes to this Privacy Notice

 

We keep our privacy notice under regular review to make sure it is up to date and accurate. When we make changes to this notice, we will amend the last updated date at the bottom of this page. Any update to this notice will be applied to the handling of personal data as of that update date.

 

 

Privacy Notice last updated 21 June 2024

SEE MORE HERE

bottom of page