Privacy Notice – INRstar

This Privacy Notice will explain how Haygarth Doctors uses your personal data in relation to INRstar.

Haygarth Doctors is the data controller for personal information we process. The Practice is committed to protecting your personal information and respecting your privacy. We have a legal duty to explain how we use personal information about you as a registered patient at the practice. The purpose of this Privacy Notice is to notify our patients who have undergone or currently undergoing anticoagulant care, information in relation to the INRstar system and the migration to a new Cloud-First technology.

What is INRstar?

INRstar is the name of the anticoagulation management software that we use in Practice to ensure anticoagulation services are safe, effective and cost efficient. This software is developed and supported by a company called LumiraDX Care Solutions Ltd and is hosted on the secured NHS IT network infrastructure.

We use INRstar to help support our patients on Warfarin with anticoagulation. The support software is used to help clinicians determine the best possible care for patients undergoing anticoagulant care, and to record a patient’s therapy and treatments.

LumiraDX Care Solutions Ltd are classed as our data processor under the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). This means, as a Practice, we have contracted with this company to process personal data on our behalf, with the appropriate assurances that they meet all the data protection requirements as a data processor.

On the 30th July 2021, LumiraDX Care Solutions Ltd moved the current location of the INRstar software to a new Cloud-First technology, within England in a UK Government approved data centre. The move of the data held within INRstar and the IT infrastructure that supports the software to Cloud-First technology, aligns with the NHS Architectural principle which help to define best practice on the use of information technology to improve health and social care services in the UK. Cloud-First technology offers enhanced security, increased reliability, and improved system performance at peak times, and enables LumiraDX Care Solutions Ltd to provide a robust service for its clinicians and their patients whilst providing confidence that the data they hold remains safe and secure.

What does this mean for you as a patient?

There are no changes to the clinical system itself, or logic within, and so should not result in any changes to patient management in any way. Importantly, your data will not have been modified during the migration unless authorised by your care team and will only be processed in accordance with this Privacy Notice.

What information do we collect about you within INRstar?

For the purposes of providing your direct care and treatment through INRstar, we collect the following personal information:

  • Your name
  • Date of birth
  • Address
  • Age
  • Gender
  • NHS number
  • Anticoagulation treatment information:
    • Diagnosis
    • Anticoagulation drug
    • Duration of therapy
  • Comments and notes that are entered by clinicians managing your care and treatment

How is your personal information collected?

The information we hold can be collected through the following routes:

  • Direct interactions with you as our patient and direct input by the clinician involved in your direct care and treatment.
  • Information can be imported directly from our main clinical system into INRstar, which includes your demographic details, and your treatment information can be filed back from INRstar to the main clinical system within the Practice.

How do we use your information within INRstar?

We use INRstar to help support our patients on Warfarin with anticoagulation.

Sharing your information

We may share your personal information, subject to agreement on how it will be used, with the following organisations in connection with your care:

  • Secondary care hospitals (NHS Trusts/Foundation Trusts)
  • Health Boards
  • Other GPs such as those practices working under a cluster arrangement
  • Out of hours providers
  • Diagnostic or treatment centres
  • Independent contractors such as dentists, opticians, pharmacists
  • Private sector providers
  • Ambulance Trusts
  • Social Care Services
  • Digital Health and Care Wales
  • NHS Wales Shared Services
  • Legal and Risk Services
  • Health and Care Research Wales
  • Public Health Wales
  • Healthcare Quality and Improvement Partnership
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • Voluntary Sector Providers

Access and security of your personal information

As a Practice, we ensure the security of your personal information and to protect our patient’s confidentiality. The following measures have been implemented to secure your information:

  • Access to the system can only be achieved via the secure NHS IT network infrastructure.
  • All users accessing the system will use their own user accounts, with a secure username and password.
  • Users of the system will only be granted access where it is required for their role and permissions on the system should be appropriate to the role they hold within the Practice.
  • LumiraDX Care Solutions Ltd hold ISO:27001 accreditation, which is the international standard for information security.
  • Access to your information within INRstar is restricted to a very limited number of individuals within LumiraDX Care Solutions Ltd, and this is part of their role to support and maintain the INRstar system. All individuals with access to patient data are DBS checked prior to access being provided and are made aware of their responsibilities whilst handling and protection personal information.
  • Personal data held within the INRstar system is stored within England in a UK Government approved data centre.
    Retaining and storing your information within INRstar
    We are required by UK law to keep your information and data for a defined period, often referred to as a retention period. The Practice will keep your information in line with the practice records management policy. The data stored within INRstar remains within the UK and is held by our data processor as per the terms of our contractual agreement with LumiraDX Care Solutions Ltd. Within INRstar patient records are retained for 10 years post death, and as a Practice we can request for data to be removed sooner, if required.

Data processors and sub-processors

For the purposes of INRstar, LumiraDX Care Solutions Ltd are our data processor as per the Data Protection Act 2018. To help provide us with the support we require, our data processor has contracted with the following sub-processor to support the products they deliver to practices:

  • Amazon Web Services (AWS) – Infrastructure as a Service (IaaS), supports LumiraDX Care Solutions Ltd with their Cloud-First technology and storage space for the data within the INRstar system.

Legal basis for processing your information in INRstar

The legal basis used to process your personal information, for the purposes of INRstar, relates to your direct care and treatment. We rely on the following condition to lawfully process your information:
Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
For the purposes of INRstar we also process special category information, for example data concerning your health, and we need to meet an additional condition in the UK GDPR to process this information. We rely on the following condition to lawfully process your information:
Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and service.

Your rights in relation to INRstar

The UK GDPR includes a number of rights for individuals. We must generally respond to requests in relation to your rights within one month, although there are some exceptions to this. The availability of some of these rights depends on the legal basis that applies in relation to the processing of your personal data. For INRstar, the following rights are listed and how they apply are described below.
Right to be Informed
Your right to be informed is met by the provision of this privacy notice, and similar information when we communicate with you directly – at the point of contact.

Right of Access

You have the right to obtain a copy of personal data that we hold about you and other information specified in the UK GDPR, although there are exceptions to what we are obliged to disclose. A situation in which we may not provide all the information is where in the opinion of an appropriate health professional disclosure would be likely to cause serious harm to your, or somebody else’s physical or mental health.

Right to Rectification

You have the right to ask us to rectify any inaccurate data that we hold about you.
Right to Restriction of Processing
You have the right to request that we restrict processing of personal data about you that we hold. You can ask us to do this for example where you contest the accuracy of the data.

Right to Object

You have the right to object to processing of personal data about you on grounds relating to your particular situation. The right is not absolute, and we may continue to use the data if we can demonstrate compelling legitimate grounds, unless your object relates to marketing.

Right to complain to the Information Commissioner

You have the right to complain to the Information Commissioner if you are not happy with any aspect of Practices processing of personal data or believe that we are not meeting our responsibilities as a data controller. The contact details for the Information Commissioner are:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow SK9 5AF
Website: www.ico.org.uk
Tel: 0303 123 1113

Contact Details of our Data Protection Officer and Further Information

The Practice is required to appoint a Data Protection Officer (DPO). This is an essential role in facilitating practice accountability and compliance with UK Data Protection Law.
Our Data Protection Officer is:
Digital Health and Care Wales,
Information Governance, Data Protection Officer Support Service
4th Floor, Tŷ Glan-yr-Afon
21 Cowbridge Road East
Cardiff
CF11 9AD
Email: DHCWGMPDPO@wales.nhs.uk