This Privacy Notice explains how the Gibraltar Health Authority (“we”, “us”, “our” or “the GHA”) collects, uses, discloses and protects personal information as a Data Controller in accordance with the Gibraltar General Data Protection Regulation (“Gibraltar GDPR”), the Data Protection Act 2004 (“DPA 2004”) and the Data Sharing (Public Authorities) Act 2021. We are committed to protecting your privacy and handling your personal information responsibly.

In this Privacy Notice, when we refer to “Personal data” we are referring to any information relating to you as an identified or identifiable natural person (“data subject”). When we refer to “Processing” we are referring to any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means (although we do not use automated means). Processing includes, for instance, collecting, recording, organising, structuring and storing data, amongst other actions.

Whilst we are based and provide services in Gibraltar only, you should note that if you live or work outside Gibraltar, other laws (including the EU GDPR) may be applicable to you.

About us

The GHA is a statutory authority established under the Gibraltar (Medical and Health) Act 1987. As an organisation we are required to discharge various delegated public functions all of which are set out in the Gibraltar (Medical and Health) Act 1987. Generally, however, when we interact with you, it will be in accordance with our following three functions:

  • When we provide you with preventative treatment and diagnostic services in respect of physical and mental health;
  • If we provide you with residential services; and
  • When we discharge our obligation as the administrator of the Group Practice Medical Scheme. The Group Practice Medical Scheme is the contributory scheme upon which your entitlement to healthcare in Gibraltar is based.

In accordance with our delegated public function, we presently are tasked with providing services to the following locations, to which this Privacy Notice shall apply:

  • St Bernard’s Hospital,
  • Ocean Views Hospital; and
  • Out of Hospital services delivered by the GHA which includes:
    • Community services;
    • Dental community services;
    • Primary care services; and
    • Sexual health services.

Why do we collect information about you?

We collect and process your personal information for the following purposes:

  • To provide healthcare services and treatment;
  • To manage and administer your healthcare records;
  • To facilitate communication between healthcare professionals;
  • To conduct research, audits, training & teaching and clinical trials;
  • To ensure the safety and quality of our services;
  • To plan and manage the healthcare system and your entitlement to access healthcare in Gibraltar; and
  • To comply with our legal and regulatory obligations.

The type of Personal Information we collect

Throughout your interactions with us, we will require and collect various different types of personal information which pertains to you. However, we will generally collect the following basic types of personal information (which we refer to as your “health records”):

  • Basic details & Identifiers (for example, your name, date of birth, next of kin, gender, GHA number, patient identifiers, marital status, occupation, place of birth, copies of passport or ID Card);
  • Contact information (for example, address, contact number, email address and phone numbers);
  • Employment status;
  • Next of kin contacts;
  • Details of your GP;
  • Financial information (where necessary for payment purposes); and
  • Any other information necessary for providing healthcare service, including any information we require from you to assess your entitlement to obtain services under the healthcare group practice medical scheme.

In addition to the above, we will also collect and store information which concerns your health, which we are compelled under Gibraltar GDPR to treat with greater care than basic personal data (“Special Category Data”):

  • Your racial or ethnic origin;
  • Your religious or philosophical beliefs;
  • Genetic Data (which includes research data);
  • Biometric data;
  • Your sexual orientation or sex life;
  • Relevant information from people who care for you and know you well, such as healthcare professionals and relatives;
  • Health and medical information which includes:
    • notes and reports about your health, treatment and care, including:
      • your medical conditions (physical and mental);
      • results of investigations, such as X-rays and laboratory tests;
      • details of your hospital appointments/visits;
      • future care you may need;
      • personal information from people who care for and know you, such as relatives and healthcare or social care professionals;
      • other personal information, such as smoking status; and
      • whether you are subject to any protection orders regarding your health, well-being and human rights (safeguarding status).

Generally, we will process personal information in a variety of formats, including paper records, electronically on computer systems and in video and audio files.

How we collect personal information about you

We collect personal information about you in a number of ways:

  • Information you provide to us directly when you use our services, whether in person, by telephone or by emails (for instance, from the GHA registration team, Doctors, GPs, persons caring for you);
  • Information which we may obtain from the Gibraltar Central Data Repository (“the GCDR”) such as your Unique Identifiers, name, gender, in order to provide you services through electronic means;
  • Information provided to us by your authorised representatives (where applicable);
  • Information we receive from third parties, such as third party service providers, other hospitals and healthcare providers;
  • Information collected through the use by you of our website, platforms and applications;
  • Information collected via CCTV footage for the purposes of keeping our premises secure (CCTV is installed across all GHA facilities); and
  • Information gathered from publicly available sources.

How do we use your information and what is the legal basis?

How we use your information

We will use your records to directly manage and deliver healthcare to you and to ensure that:

  • the staff involved in your care have accurate and up to date information to assess and advise on the most appropriate care for you;
  • staff have the information they need to be able to assess and improve the quality and type of care you receive;
  • appropriate information is available if you see another healthcare professional or are referred to a specialist or another part of the GHA, social care or tertiary centre healthcare provider; and
  • We will provide your information to the GCDR (see section “who do we share your information with?” below)

In addition, we may also use personal information about you to:

  • remind you about your appointments and send you relevant correspondence or text messages;
  • review the care we provide to ensure it is of the highest standard and quality, e.g. through audit, service improvement and research;
  • prepare statistics on GHA performance to meet the needs of the population or for the Ministry for Health;
  • help to train and educate healthcare professionals;
  • report and investigate complaints, claims and untoward incidents;
  • report events to the appropriate authorities when we are required to do so by law;
  • carry out quality assurance audits;
  • notify our insurers of any potential claims, and to defend or deal with any litigation;
  • review your suitability for research studies or clinical trials;
  • contact you with regards to patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients; and
  • contact you with regards to GHA entitlement.

Where possible, we will always look to anonymise/pseudonymise your personal information so as to protect patient confidentiality, unless there is a legal basis that permits us to use it, and we will only use or share the minimum information necessary.

What is the legal basis?

As a Data Controller, we must establish and publish the lawful basis which we rely on for processing personal data and the Special Category Data which we have noted above. For the most part, we rely on the following legal bases for processing personal data, for the purposes of delivering your care and treatment:

  • Public Task: We may need to process your personal data for the performance of tasks carried out in the public interest or in the exercise of the authority vested to the GHA and in order to provide health or social care or treatment or the management of social care systems and services (Article 6(1)(e) and 9(2)(h) Gibraltar GDPR).

In addition to the above, the GHA may rely on the following legal bases for processing your personal information:

Type of Processing: All health and adult social care providers may have to share information about a patient for their direct care. This would also include:
  • preventive or occupational medicine,
  • medical diagnosis,
  • the provision of health care or treatment,
  • the provision of social care, or
  • the management of health care systems or services
  • waiting list management
  • performance against national targets
  • activity monitoring
  • local clinical audit
Art 6 GDPR:
  • 6(1)(a) with your consent
  • 6(1)(e) ‘…for the performance of a task carried out in the public interest or in the exercise of official authority…’
Art 9 GDPR:
  • 9(2)(a) with your explicit written consent
  • 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’

Type of Processing: Emergency care and treatment (where the patient is physically or legally incapable of giving consent)
Art 6 GDPR:
  • Art 6(1)(d) (‘to protect the vital interests of an individual’)
Art 9 GDPR:
  • Art 9(2)(c) (‘vital interests’)

Type of Processing: Safeguarding of vulnerable adults and children
Art 6 GDPR:
  • Art 6(1)(c) (‘legal obligation to which the controller is subject’)
Art 9 GDPR:
  • Art 9(2)(g) (‘where the processing is necessary for the purposes of substantial public interest (protection of vulnerable individuals)’)

Who do we share your personal information with?

We may generally share your personal information with the following parties:

  • Healthcare professionals and providers in your care;
  • Research organisations (with your consent);
  • Regulatory bodies, auditors, and legal advisors;
  • Social services;
  • Education services;
  • Our Data Processors who process data on our behalf; and
  • Law Enforcement Agencies.

We will also share your data with the GCDR under the provisions of the Data Sharing (Public Authorities) Act 2021. We will therefore share certain personal information relating to you in order to facilitate your use of e-services and wallet passes. We will not however share any special category data, including medical records and will only share the following personal data:

  • Forename & Surname, GHA number, Gender, Date of Birth and address.

The relevant privacy policy for the GCDR may be found here.

International Data Transfers

In certain circumstances, we may transfer your personal information to countries outside of Gibraltar. Generally, we will only transfer your data to the United Kingdom or countries within the European Economic Area (“EEA”), such as Spain. Under the Data Protection Legislation in Gibraltar, personal data can flow freely from Gibraltar to the United Kingdom or to the EEA (although the same may not be true for inward transfers to Gibraltar, as Gibraltar is no longer a member of the European Union).

We will generally not transfer your personal information to a “third country” outside of the EEA or the United Kingdom. However, should the need arise, we will only perform such transfer where the transfer will be adequately protected by measures such as the following:

  • Where the transfer is to a country deemed “adequate” under Gibraltar Legislation; and
  • Where ‘appropriate safeguards’ are provided such as:
    • Binding corporate rules;
    • Standard data protection clauses are made;
    • Approved codes of conduct; or
    • Approved certification measures.

In the absence of any of the above safeguards we may also rely on derogations for specific situations as set out in Article 49 Gibraltar GDPR, in particular:

  • With your explicit consent;
  • To perform a contract we have with a third party which has been concluded in your interest;
  • For important reasons of public interest;
  • For the establishment, exercise or defence of legal claims; or
  • To protect your vital interests or those of a third party (where you are not physically or legally incapable of giving consent).

Finally, we may also perform restricted transfers in ‘one-off’ cases where a transfer is not repetitive, concerns a limited number of data subjects, and is necessary for the purposes of compelling legitimate interests pursued by us, which are not overridden by your interests or rights and freedoms, and only after we have assessed all relevant circumstances.

How long do we keep your information for?

We will retain your personal information in accordance with applicable laws and regulations and in accordance with our Record Management and Retention Policy. We will securely dispose of personal information when it is no longer required for the purposes stated in this Privacy Notice.

How do we secure & maintain your information?

We are committed to taking appropriate measures which are designed to keep your personal data secure. Our technical, administrative and physical procedures are designed to protect personal data from loss, theft, misuse and accidental, unlawful or unauthorised access, disclosure, alteration, use and destruction.

With this in mind, your personal information is held both in paper and electronic formats (including audio recordings and on electronic databases). You should note that everyone employed by the GHA must comply with the Common Law Duty of Confidentiality and various professional standards and requirements.

You should also note that we have a duty to:

  • maintain full and accurate records of the care we provide to you;
  • keep records about you confidential and secure; and
  • provide information in a format that is accessible to you

Existence of automated decision-making and profiling

Profiling refers to the automated processing of personal data to assess specific aspects of an individual.

We may use profiling techniques for healthcare planning purposes. For example, we may use your date of birth and gender to predict healthcare screening requirements such as breast cancer and cervical cancer screening.

We do not use automated decision making.

What rights do you have?

You have certain rights regarding your personal information, including:

The Right of Access: You have the right to request to see your personal information and learn how it is being used. This is called a Subject Access Request (SAR). Should you wish to make a SAR (for instance to access your health records), please complete the Release of Records Request Form available on the website and send it to releaseofrecords@gha.gi.

If you wish to access any other personal information, please write to –

Privacy@gha.gi

Data Protection Co-Ordinator

St Bernard’s Hospital, 7th floor

Gibraltar

GX11 1AA.

The Right to Rectification: If you believe your information may be inaccurate or incomplete you may make a request to have your information reviewed. We may however refuse your request if the information is already accurate, if changing it would conflict with other legal obligations, or if we need to keep it as it is for legal or valid reasons.

The Right to Erasure: You have the right to ask us to delete your personal data, for example, when it is no longer needed or if you withdraw your consent. However, this right is not absolute and has exemptions. In general, we may refuse to erase your data if it is needed for:

  • protecting freedom of expression or information;
  • fulfilling legal obligations;
  • public health reasons;
  • archiving, research or statistical purposes;
  • establishing, exercising, or defending legal claims.

The Right to restrict the processing of your personal information: You have the right to ask the GHA to limit how your personal data is used in certain circumstances. This means that you can request that we temporarily stop using your personal data. However, you should note that this right is not absolute and there may be instances in which we are required to use your data, for example, for legal claims or to protect someone else’s rights.

The Right to object to the processing of your personal information: You have the right to object to how your personal data is used for things like the GHA’s business interests, public services, marketing or research. However, this right is not absolute and we may still use your data if we can show strong reasons that outweigh your rights or if it’s needed for legal reasons.

The Right to withdraw your consent: You can change your mind and take back your consent whenever it applies. If you’ve given us permission to use your personal data, you have the right to withdraw that at any time. To exercise your rights please contact Privacy@gha.gi.

The Right not to be subject to automated decision-making, including profiling: You have the right to challenge any decisions made without human intervention (automated decision making) in some circumstances. Profiling refers to the automated processing of personal data to assess specific aspects of an individual. The GHA may use profiling techniques for healthcare planning purposes. One example of this is use of personal data to predict things such as an individual’s health.

Your Right to complain: We try to meet the highest standards in order to protect your privacy. However, if you are concerned about the way in which we are managing your personal information and think we may have breached any applicable privacy laws, or any other relevant legislation, you have the right to raise any complaints regarding the processing of personal data to us directly on the contact details contained in this Privacy Policy, notably, Privacy@gha.gi.

We will make a record of your complaint and seek to deal with the matter as soon as we can, and keep you informed of the progress of our investigation.

Contact Information

If we have not responded to you within a reasonable time or if you feel that your complaint has not been resolved to your satisfaction, you are entitled under the Data Protection Act to make a complaint to the Information Commissioner, which is presently the Gibraltar Regulatory Authority. The Information Commissioner may be contacted on the following details:

Gibraltar Regulatory Authority

2nd Floor, Eurotowers 4

1 Europort Road

Gibraltar

Email: info@gra.gi

Phone: (+350) 200 74636

Fax: (+350) 200 72166

Additional Information

Data Protection Officer

The Data Protection Officer (DPO) employed by HMGoG is responsible for monitoring our compliance with data protection requirements.

The GHA also employs a Data Protection Co-Ordinator. You can contact them with queries or concerns relating to the use of your personal data and how it is being used. They can be contacted on: privacy@gha.gi

Changes to this Privacy Notice

We may, from time to time, make changes to this Privacy Notice. Where we do so, we will notify the general public of our intention and of the amendments made to the Privacy Notice. Any amended notice will be effective immediately on the date stated therein.

 

© The Gibraltar Health Authority