How We Use Your Data

Service User Data Protection 

1.     Policy Aim

Pain Association Scotland is a Scottish registered charity that delivers professionally led pain management in the community. Our service is specifically designed to target those who are affected by Long Term (Chronic Painful) Conditions.

 We are committed to ensuring that your privacy is protected. This policy sets out how we use your personal data and provides you with information on your rights in relation to that data. Any personal data about you which is provided to us by you or by a third party shall only be used by us in accordance with this policy and Data Protection Law.

Pain Association Scotland is committed to ensuring that good data protection practice is embedded in the culture of our staff and our organisation. Pain Association Scotland is committed to:

Ensuring that we comply with the GDPR Data Protection Principles when processing any personal data and that we meet our legal obligations as laid down in Data Protection Law (including the GDPR and all relevant EU and UK data protection legislation).

2.     Scope

 This policy applies to all personal data processed by Pain Association Scotland and is part of our approach to compliance with Data Protection Law. All Pain Association Scotland staff are expected to comply with this policy.

 3.     Data Protection Principles

 Pain Association Scotland confirms that it complies with the following data protection principles and undertakes to ensure that when it processes personal data:

  • it is processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

  • it is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (‘purpose limitation’)

  • It is all adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; (‘data minimisation’)

  • it is all accurate and, where necessary, kept up to date and that reasonable steps will be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)

  • it is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; (‘storage limitation’)

  • it is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

 4.     Process and Procedures

 Pain Association Scotland will:

  • only collect and process the personal data that is necessary for the purpose or purposes that we have identified in advance.

  • ensure that the legal basis for processing your data is identified in advance.

  • ensure that as far as possible the personal data we hold is accurate.

  • only process your data for as long as is it required for our purposes and then we will securely dispose of, or delete your data.

  • provide data subjects with information on why we are asking for that data and what we intend to do with it.

  • not do anything with your data that you would not expect given the content of this policy and the fair processing or privacy notice.

  • ensure that appropriate technical and organisational measures are in place to ensure the security of your personal data.

Pain Association Scotland will ensure that all staff who handle personal data are aware of their responsibilities under this policy and other relevant data protection and information security policies and that they are adequately trained and supervised. Any employee who breaches this policy may be subject to disciplinary proceedings.

 5.  Use of Personal Data

 Pain Association Scotland processes personal data in the course of the provision of pain management services in the community. We may collect and use (“process”) the following personal data in relation to our service users:-

  • name

  • address, telephone number, fax number, email address, IP and MAC address

  • age/date of birth

  • medical information relevant to the chronic pain you wish to manage, in particular, how long you have had that pain, details of visits to your GP about the pain and how you are coping with the pain in daily life.

  • Community Health Index (CHI) number

We will collect this data from you when you:- register with us as a member of Pain Association Scotland; register for any of our services; fill in feedback forms or complete a survey issued by us; use our online Spider evaluation service; and contact us directly about any of our services.

Where you have been referred to Pain Association Scotland by a third party, for example, your GP, we will also receive personal data about you from that third party.

The personal data we hold about you is processed by us to enable us to provide you with the services you have engaged us to provide, including reporting back to your GP and/or any other organisation or service which has referred you to us. We may also use your personal data to contact you by telephone to remind you about a pain management group appointment, to cancel or reschedule an appointment, inform you of management group changes or to evaluate the service we have provided to you and to contribute to national statistics on chronic pain. Where your we use data for statistical purposes that data is fully anonymised.

We would also like to use your personal data to send updates and information to you about our other services. We would like to contact you by post, telephone, email and SMS. If you agree to being contacted in this way, please circle the method(s) by which you consent to being contacted.

  • Post

  • Email

  • Telephone

 You have a right at any time to stop us contacting you about our other services in this way and if this is the case, please contact:- Sonia Cottom – info@painassociation.com

Your data will be stored securely in our servers which are hosted by a third party. We have an agreement in place with that third party to ensure that they only act according to our instructions and that they have in place appropriate security provisions.

6.   Special Categories of Personal Data

 In order to provide services to our clients and service users we require to collect some data from you which is classified under data protection law as “special categories of personal data”.

 Special categories of personal data include the following personal data revealing:

  • Racial or ethnic origin,

  • Political opinions,

  • Religious or philosophical beliefs,

  • Trade union membership,

  • The processing of genetic data, biometric data for the purpose of uniquely identifying a natural person,

  • Data concerning health

  • Data concerning a natural person’s sex life or sexual orientation.

Pain Association Scotland only processes such data concerning the health of service users as is necessary to deliver the service you have engaged us to provide in relation to the management of chronic pain suffered by you.

We will only collect and process this type of personal data in the following circumstances:-

  • Where you have given explicit consent

  • Where you are a member of former member or person in regular contact with us

 7.  Transfers and Sharing of Personal Data

The personal data held by us will be stored and processed within the United Kingdom.

In order to deliver our services to you we may share your information with third parties, in particular, the National Health Service, your General Practitioner, one or more of our partner self-management groups in Scotland and other health professionals associated with the management of chronic pain. In particular, a record of your attendance at any pain management meetings will be sent to the individual or organisation which referred you to Pain Association Scotland and to your GP, this includes a patient report detailing attendance and a letter to your GP highlighting the enclosed report and confirming that you have either attended, not attended or were unable to attend.  The report includes your name, address, date of birth, CHI number, overall attendance and comments relating to your attendance and whether you wished to be referred to the next course.

We may also share your personal data with NHS clinical staff for the purposes of enrolling you in the “Florence” scheme. Florence is a service operated by SRCL Ltd which sends text messages to patients to remind them about appointments and allows clinicians to manage patients from a web interface.

We may also occasionally share your data with other organisations such as law enforcement or other agencies where required by law; in our opinion such action is reasonably necessary to comply with legal process; to respond to any legal claim or actions; or to protect our rights, our service user’s rights or the general public.

 

8.   Data Subject Rights

 Pain Association Scotland will ensure that it has procedures in place to allow data subjects to exercise the following data subject rights under the GDPR:

Subject access: the right to request information about how personal data is being processed including whether personal data is being processed and the right to be allowed access to that data and to be provided with a copy of that data along with the right to obtain the following information:

  • the purpose of the processing;

  • the categories of personal data;

  • the recipients to whom data has been disclosed or which will be disclosed;

  • the retention period;

  • the right to lodge a complaint with the ICO;

  • the source of the information if not collected direct from the subject; and

  • the existence of any automated decision making.

Rectification: the right to allow you to rectify inaccurate personal data concerning you without undue delay.

Erasure: the right to have data erased in certain circumstances, and to have confirmation of erasure, but only where:

  • the data is no longer necessary in relation to the purpose for which it was collected;

  • where consent is withdrawn;

  • where there is no legal basis for the processing; or

  • there is a legal obligation to delete data.

Restriction of processing: the right to ask for certain processing to be restricted in the following circumstances:  

  • if you contest the accuracy of your personal data;

  • if our processing is unlawful and you do not want it to be erased;

  • if we no longer need the data for the purpose of the processing but it is required by you for the establishment, exercise or defence of legal claims; or

  • if you have objected to the processing, pending verification of that objection.

Data portability: you have the right to receive a copy of the personal data you have provided to us and certain information generated by us, if our processing is carried by automated means, which will allow you to transfer it to another data controller.  This only applies in relation to the data being processed by consent or under a contract to provide you with a service.

 Object to processing: you have an absolute right to object to any direct marketing that we are sending to you and there are no exemptions to this which would allow you to refuse to comply.

Pain Association Scotland is committed to facilitating and complying with any request from a data subject who wishes to exercise their rights under Data Protection Law in a transparent manner and without undue delay.

Should you wish to exercise any of the rights noted above, please contact Sonia Cottom at info@painassociation.com.

9.  Retention of Personal Data

We will keep your personal data for as long as you are using our services. We are conscious that while you may consider that you are using our services, your contact with Pain Association Scotland may be infrequent. We will therefore generally consider you to be using our services for a period of five years from the date on which you last attended a management group (unless you expressly inform us that you are no longer using our services). Once you cease using our services, your personal data will be securely destroyed if it is no longer required for the purpose for which it was obtained. If you have consented to receive marketing information from us, we will retain any personal data used for marketing purposes until you notify us that you no longer wish to receive this information. Please see our Data Retention Policy for further information. 

10. Responsibility for the Processing of Personal Data

 Pain Association Scotland is registered as a data controller with the Information Commissioner’s Office (Registration Number: ZA288174).

If you have any concerns or wish to exercise any of your rights under the GDPR then you can contact Sonia Cottom in the following ways:

 Pain Association Scotland

Suite D

Moncrieffe Business Park

Friarton Road

Perth

PH2 8DG

Email: info@painassociation.com

Tel: 0800 783 6059

 11. Cookies

 Where you access and use the Pain Association Scotland website we will also collect website usage information using cookies. We use your information collected from the website to personalise your repeat visits to our website.

Cookies are pieces of information that a website transfers to your hard drive to store and sometimes track information about you. Cookies are specific to the server that created them and cannot be accessed by other servers, which means that they cannot be used to track your movements around the web. Passwords are not stored in cookies. The information collected by cookies does not personally identify you. It includes general information about your computer settings, your connection to the internet (operating system and platform, IP address, your browsing patterns, timings of browsing on the Site etc).

By accessing our website, you agree that these terms relating to the use of cookies apply whenever you access the Site on any device.

Types of cookie that may be used during your visit to our website:

The following types of cookie are used on our website. We do not list every single cookie used by name – but for each type of cookie we tell you how you can control its use.

1. Personalisation cookies

These cookies are used to recognise repeat visitors to the website and in conjunction with other information we hold to attempt to record specific browsing information (that is, about the way you arrive at the website pages you view, options you select, information you enter and the path you take through the website).

2. Analytics cookies

These monitor how visitors move around the website and how they reached it. This is used so that we can see total (not individual) figures on which types of content users enjoy most, for instance.

3. Third-party service cookies

Social sharing, video and other services we offer are run by other companies. These companies may drop cookies on your computer when you use them on our site or if you are already logged in to them.

4. Site management cookies

These are used to maintain your identity or session on the website. For instance, where our website runs on more than one server, we use a cookie to ensure that you are sent information by one specific server (otherwise you may log in or out unexpectedly). These cookies cannot be turned off individually but you could change your browser setting to refuse all cookies (see above) if you do not wish to accept them.

12. Enquiries and Complaints

We are committed to ensuring that your personal data is processed lawfully, fairly and securely. If you have any questions or concerns about this Notice or the way in which we process your data please contact Sonia Cottam at the address above and we will attempt to resolve any issues you have. If you remain unsatisfied you can contact the Information Commissioner’s Office at:-

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113

www.ico.org.uk

13.  Monitoring and Review

This policy was last updated in February 2018 and shall be regularly monitored, reviewed and updated by Pain Association Scotland every two years. When we update this notice, we will inform you of any changes that have been made by providing you with a copy of the revised policy.