When you register with us and give us your telephone number and email address (or whenever you wish to update your details), you are giving us your permission to contact you for medical reasons, when you have a review due, or regarding an appointment you may have, etc. When sending or leaving messages, we will just say that we are trying to contact you so you may call us back at a more convenient time. We may send a text message to your mobile number if we are unable to get hold of you or leave a message. We may also pass on your contact details on to other NHS or NHS-affiliated services when referring you. This is the minimum level of contact we must have in order to provide medical services to you.
Other options are for you to allow us to contact you with questionnaires/surveys about the services we provide or health services in the local area.
We will never pass your details on to any other person or organisation, except where stated above or if we are legally obliged to do so, unless you give us permission.
From time to time we need to send messages to lots of patients, for example during the 'flu season, where we send letters out to 'at-risk' patients who would benefit from vaccination inviting them to book an appointment. Sending mailings to large numbers of people is always very costly in both time and resources as we have to produce the lists of patients, print letters, fill envelopes and pay for postage. It doesn't sound much until you have to do this for 4500 letters!
There are three ways of reducing the costs practices incur:
- encourage as many patients to book appointments before sending reminder letters by advertising in the surgery or on repeat prescription requests. This reduces the number of letters needed to be sent.
- use a third party company specialising in large mailings, which can print, fold and post a letter for the cost of a stamp.
- send reminders through email or SMS text message
We advertise 'flu clinics first and then do our own mailings, bearing all the costs. However we are aware that costs must be saved so that as much of the NHS's money is spent on caring for patients. Option 2 company known as DocMail has been approved by Connecting For Health. This company has achieved compliance with all the requirements set out by the Department of Health regarding using/keeping/deleting data sent to it and it is used by a number of GP surgeries and health organisations throughout the country.
Information sent to the company is encrypted and consists of the letter we would want to send together with a list of names and addresses we want that letter to go to. No other information is given to the company. The company does not share the information with anyone else and deletes the data after 28 days.
If you have any questions, please ask to speak to a member of the Management Team
West End Surgery uses a data processing company called DocMail to handle some mailings to patients. Typically this is for bulk mailings such as the invitations to attend the flu clinics where it is difficult to accommodate the administrative work involved without affecting our ability to serve patients. This is permissible under guidance from both the Information Commissioner’s Office (ICO) and the Department of Health (DoH) subject to the provisions of the Data Protection Act
Please find below some more information about DocMail and how we work with them to ensure that we protect our patients’ personal data at all times.
1.1 What is DocMail
DocMail is provided by CFH Total Document management Ltd a secure print and mailing company who provide print and mailing services for Local Government, GPs, Dentists, Medical practices, Schools, Exam Boards and Banks etc. throughout the UK.
The system can be found online at http://www.docmail.co.uk/ and requires a secure user name and password for us to log on and upload our letters and address lists to create the printed output for despatch to Royal Mail. The system allows us to upload a letter template and mailing data for the patients we want to write to via a secure web portal.
1.2 The Data Protection Act (1998) (DPA)
West End Surgery Healthcare Practice and DocMail are both fully compliant with the Data Protection Act.
The Information Commissioners Office issued guidance in February 2012 for organisations that outsource some of its data processing to a third party. The Data Protection Act allows outsourcing to take place but stipulates certain conditions that must be met for it to be compliant.
An organisation that processes personal data is required to handle personal data in accordance with the data protection principles. A data controller may choose to use another organisation to process personal data on its behalf – a data processor.
The data controller remains responsible for ensuring its processing complies with the DPA, whether it processes in-house or engages a data processor.
Where a data processor is used the data controller must ensure that suitable security arrangements are in place in order to comply with the seventh data protection principle.
Further extracts from the guidance are reproduced below and the entire document is available on the ICO website.
West End Surgery Healthcare Practice has strictly adhered to this guidance in setting up the partnership with DocMail.
- West End Surgery Healthcare Practice remains the data controller and as such has the responsibility for ensuring compliance with the provisions of the Act. We are not able to pass on those responsibilities to DocMail whose role is that of a data processor.
- There is a written contract between West End Surgery Healthcare Practice and CFH – Total Document management Ltd in addition to the standard terms of business that are published on the DocMail website.
- That contract stipulates that DocMail can only act in accordance with instructions from West End Surgery Healthcare Practice i.e. they can only print and mail letters in accordance with data provided by us. They are not able to do anything else with that data.
- The contract also creates a legal requirement for DocMail to act in accordance with the seventh principle of the Data Protection Act.
- The Partners of West End Surgery Healthcare Practice have satisfied themselves that DocMail have provided sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out.
- The partners have taken, and will continue to take, reasonable steps to ensure that DocMail are compliant with these security measures.
- No data will pass outside of the European Union
1.3 Connecting For Health
DocMail has achieved a 100% rating in the Department of Health's Information Governance Toolkit Assessment for 2011-2012 and we meet with the terms and conditions of the DH Information Governance Assurance Statement. This assessment is publicly available and can be viewed here
1.4 Other Approvals
DocMail is also approved by the following:
- Government Procurement Service for Hybrid Mail - which allows all government organisations to use DocMail.
- Health Trust EuropeOutgoing Mail Solutions - which includes University Hospitals Coventry and Warwickshire NHS trust who visited our premises last week to carry out a site audit.
- 67 Primary Care Trusts for Medical Studies have approved the use of DocMail. 500,000 medical studies packs were sent in 2011 across 200 surgeries
- Caldicott Guardian across a number areas have approved the use of DocMail when asked
- Ethics Committees have approved the use of DocMail by surgeries for use in medical studies
1.5 Accreditations & Security Policies
In addition to the credentials listed above, we have been supplied with DocMail’s Corporate Policies and certifications as detailed below:
- ISO 27001:2005 Information Security management System Certificate
- CFH Site Security Policy
- CFH Information Technology Security Policy
- Information Security Policy
We have permission from DocMail to allow any patient of West End Surgery Healthcare Practice to view them on request. Please ask at reception if you wish to do this.
The data file provided to DocMail will only contain enough data to enable them to fulfil the contract. This means that it will include name and address details and, where appropriate, the date and time of an appointment as well as the name of the clinician you will be seeing or the name of a clinic you will be attending eg Flu Clinic or NHS Health Check. We will of course exercise the same discretion in writing the letters as we would if we were printing and posting them at the surgery.
The letters will be delivered to your address by Royal Mail in the normal way. The letters will carry the DocMail logo and the return address on the reverse side. This address does not identify the letter as having come from a doctor’s surgery.
DocMail delete the personal data 28 days after the mailing.
If you have any questions or require further information about this please ask to speak to the Practice Manager.