Privacy notice

Privacy notice for Health Service

Updated on 30 April 2020

How the University Health Service process the personal information of staff and students

On this page

How we use your information

The University Health Service provides a range of health support and services for staff and students of the University.

Personal data and Sensitive (special categories) of personal data

The personal data and special categories of personal data processed by the Health Service will vary according to the support required. The summary below provides detail concerning data used in different aspects of Health Service provision.

Mental health support

Referral letters/emails

  • Generally sent by GPs or other health professionals, via letter or nhs.net, telephone. Stored inpatient notes.

Assessment, formulation and care planning

  • Biographical details – name, address, ID. no., DOB, mobile tel., home address, next of kin, email address(es), GP details, engagement with other services, signature re confidentiality boundaries.
  • Assessment documentation – biopsychosocial assessment, including risk assessment; family history, physical, financial etc.

Multi-disciplinary liaison e.g. GPs, statutory health providers, third sector agencies, other internal support services or departments.

  • Data from providers listed. Varies according to circumstances.

Mental health-related training activities

  • Names and email addresses of attendees.

Patient notes

  • Constructed in line with NMC guidelines.

General health support

Medical consultations and First Aid appointments

  • Biographical details – name, address, student number, DOB, mobile number, home address, email address(es), GP details.
  • Assessment documentation - details of diagnosis and any treatment recommendations.
  • Patient notes constructed in line with GMC guidelines.

STI testing appointments

  • Biographical details – name, address, student number, DOB, mobile number, home address, email address(es), GP details.

General enquiries for general and mental health (email, telephone, in-person)

  • Recording varies, dependent on the nature of the enquiry. Often no identifying information is held, but on some occasions, first initial and surname are recorded, along with details of enquiry and advice given.

A text message service to confirm appointments is available where clients indicate they wish to be contacted in that way.

Data controller

The data controller for personal data used in this Directorate is normally the University of Dundee.

Data will be processed using the University’s business systems. The University has contracts with providers for their cloud services to safeguard your data.

Your data may be shared with other medical service providers such as NHS Tayside or your GP. This will be discussed with you on a case by case basis.

Lawful processing

The lawful grounds for processing personal data within the Health Service are normally:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes
  • processing is necessary for compliance with a legal obligation to which the controller is subject
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

The lawful grounds for processing special categories of personal data within Research and Innovation Services are normally:

  • the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject
  • processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject
  • processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
  • processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
  • processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3

Your rights

The University respects your rights and preferences in relation to your data. If you wish to update, access, erase, limit or complain about the use of your information, please let us know by emailing dataprotection@dundee.ac.uk. You may also wish to contact the Information Commissioner’s Office.

Enquiries

Data Protection

dataprotection@dundee.ac.uk
Corporate information category Data protection