Everything you need to know about GDPR and what it means for you
On 25 May 2018 the EU General Data Protection Regulation (EU GDPR) took effect. It has subsequently been written into UK law (UK GDPR) following the withdrawal agreement with the EU.
Our goal is to safeguard the privacy of individuals and the confidentiality, integrity, availability and quality of the information we manage. We do this because it’s what our customers trust us to do with their most sensitive information, not just because it’s required by law.
We have a culture of continuous improvement, so a dedicated team, drawing on legal, privacy, IT and clinical experts, works together to manage our business processes, IT and organisational controls, customer literature, and third party arrangements against the requirements of the UK GDPR.
Your Bupa recognition
As part of your Bupa recognition we expect you to share certain information with us. In particular, we may ask you to share information about your Bupa patients with us for the following purposes:
- to provide clinical quality information;
- to allow us to make a funding decision on behalf of a Bupa patient;
- to invoice us for services you provide to Bupa patients;
- to notify us of any serious incidents; or
- to assist us when we’re investigating a Bupa patient’s complaint.
In addition, if you ask us to review your inclusion in our Open Referral Network, we’ll need case summary information from you to allow us to carry out this review.
We’ve assessed each of these information exchanges and concluded that they each take place on a data controller to data controller basis. This means that neither party is acting as the other’s data processor and each of us is responsible to the individuals whose personal data we handle.
Transparency with Bupa patients
We keep our privacy notices and customer consent journeys under review. This is to make sure that we’re giving Bupa patients the information they need about when and why their information may be shared with third parties (including healthcare professionals treating them), and obtaining any consents for this, should they be needed.
Please see our updated privacy notice for more information about how we handle personal information.
As Bupa recognised consultants and therapists are data controllers in their own right, we expect them to have the appropriate privacy notices, which we would also expect to include details regarding the sharing of customer personal data with health insurers (including meeting any contractual obligations between us).
The Access to Medical Reports Act 1998 (AMRA)
The AMRA gives insurance companies a means to request written medical reports direct from a doctor (subject to the consent of your patient and the AMRA requirements). This means insurance companies can lawfully obtain such personal data, in accordance with the principles of the UK GDPR.
Each time we need a medical report from a doctor treating a Bupa patient, we ask the patient to complete an AMRA declaration so we know whether they want to see copies of the report before their doctor shares it with us. We explain this in more detail here.
If you’d like to find out more about the UK GDPR, there is further information on the ICO’s website.
Ways to get in touch…
0345 600 5422 ^
Speak to the healthcare provider team
^We may record or monitor our calls. Lines are open Monday to Friday 8am to 6pm.