1. Introduction

The Independent Sector Complaints Adjudication Service (ISCAS) is a not-for-profit private company limited by guarantee and registered in England and Wales (number 7474408). ISCAS is registered with the Information Commissioners Office under reference ZA083742.

ISCAS provides independent adjudication on complaints about ISCAS subscribers. ISCAS is a voluntary subscriber scheme for the vast majority of independent healthcare providers.

This privacy notice applies to personal data held and used (“processed”) by ISCAS about:

  • individual patients and their representatives who refer complaints to us;
  • individual clinicians and other staff working in independent healthcare providers; and
  • other individuals with an interest in our work.

We are committed to protecting your personal information and being transparent about the information we hold and how we will use it. This privacy notice sets out how ISCAS specifically uses your personal data in its work.

2. The types of personal data we hold

Most of the information we hold about individual patients and their representatives is that which you provide to ISCAS in connection with a complaint about an independent healthcare provider. In order to review your complaint ISCAS will require a copy of your medical records from the provider, and we will seek your written consent to obtain your medical records and relevant information regarding the complaint.

Information about individuals working in independent healthcare providers is frequently provided by both individual patients and providers within complaint files. Typically, this information includes details of your name, professional background, place of work, and involvement in the patient care that is the subject of a complaint.

In addition, ISCAS collects your information when you communicate with us directly or attend one of our events. On occasions, we may augment the data we hold from publicly available sources, using targeted internet searches to maintain the accuracy of our data. Typically, this information includes details of your name, professional background, place of work, and details of events attended.

3. How the data is used and the lawful bases for processing

For individuals who are involved in individual complaints, whether as patients or health professionals, we process your data in order to honour patients’ requests, and our contractual obligations to ISCAS subscribers, to adjudicate those complaints. In addition, there may be occasions on which we make use of that data, after appropriate anonymisation, to report on our activities to our subscribers, the public, regulators and other public authorities who may have an interest in complaint handling within the independent healthcare sector.

In relation to personal data that is provided to us by subscribers in relation to individual patient complaints, ISCAS is a data processor and, accordingly, we will only process that data in line with the relevant controller’s instructions.

For individuals who are not involved in individual cases, we process your data in pursuit of our legitimate interests to promote effective complaints handling within the independent healthcare sector. ISCAS is a data controller in relation to such data. We may use your data in the following ways:

  • sending you publications that relate to the activities of ISCAS;
  • sending you event invitations;
  • conducting surveys to enable us to improve our interactions with administration of subscribers.

Communications may be sent by post, telephone or email, depending on the contact details we hold and the preferences expressed by you about the types of communication you wish to receive.

4. Sharing your information with others

We occasionally may share your personal data with a limited number of third parties, with whom we have data protection arrangements in place, for the purposes referred to in this privacy notice. These third parties include our technology providers, Independent Adjudicators and the Centre for Effective Dispute Resolution (CEDR) who administer ISCAS on a day-to-day basis.

No third party is permitted to keep our data once the processing has finished and any transfers outside our secure office premises are always encrypted.

Personal data is NEVER sold to third parties.

An Information Sharing Agreement is in place between ISCAS and separately, the Care Quality Commission (CQC), Healthcare Inspectorate Wales (HIW) and Healthcare Improvement Scotland (HIS). ISCAS also liaises with the system regulator in Northern Ireland and with the professional regulators in all four countries to ensure that information can be shared to improve patient care and complaint handling. ISCAS will update information sharing information on the website from time to time.

5. How we store and protect your data

Access to patient records is restricted to ISCAS staff, the Independent Adjudicators and any independent medical experts engaged by ISCAS, and the CEDR personnel responsible for ISCAS administration.

We take appropriate technical and organisational steps to ensure the security of personal data about individuals, including policies around the use of technology and devices, and limited access to systems. All staff are aware of this policy and their duties under data protection law and receive relevant training.

6. How long your personal data is kept

Patient records are stored securely and are retained only for so long as is necessary to complete our work, including follow up analysis, which is usually no more than two years after completion of an Independent Adjudicator’s decision. Thereafter records are either destroyed securely or in some instances returned to the healthcare provider.

ISCAS considers its relationship with individuals involved in the independent healthcare sector to be life-long. This means that we will retain your details until such time that you tell us that you no longer wish us to keep in touch. In this instance your data will in most part be deleted, though, we are nonetheless likely to retain some of your details (not least to ensure that no more communications are sent to that particular address, email or telephone number).

7. Your rights

Individuals have various rights under data protection law to access and understand personal data held about them, to ask for it to be erased, amended or have it transferred to others, or to ask us to stop processing it.

You have a right to object at any time to ISCAS processing your personal data for any or all of the purposes described in this privacy notice. If there are specific publications or types of communication that you do not wish to receive please let us know and your wishes will be recorded and respected.

Please note that as the ISCAS team are not health professionals, we are not able to provide you with a file containing your medical records (even if you have made a data subject access request to us). You are able to contact the subscriber directly for a copy of this file. This is a restriction rather than an exemption as outlined by the Information Commissioner’s Office (ICO). For further information on exemptions and restrictions, you are free to contact the ICO directly.

To update information that we hold or to update your preferences on the types and methods of communication that you receive from us, please contact the Company Secretary/ registered  Privacy Officer at gmassie@cedr.com.

To exercise any of your other rights, the right of access or to have data erased, please contact the registered Privacy Officer by email at gmassie@cedr.com or by post to: Independent Sector Complaints Adjudication Service,  100 St Paul’s Churchyard, London, EC4M 8BU.

8. This policy

ISCAS will update this privacy notice from time to time. Any substantial changes that affect your rights will be provided to you directly as far as is reasonably practicable. Minor changes will be made as needed, with the latest version always being available on the ISCAS website (www.iscas.org.uk).

9. Contact and complaints

If you have any queries about this privacy notice or how we process your personal data, please contact the ISCAS Company Secretary at gmassie@cedr.com.

The Company Secretary is also our Privacy Officer who will endeavour to ensure that all personal data is processed in compliance with this policy and data protection law. If you are not satisfied with how we are processing your personal data, please notify the ISCAS Company Secretary at gmassie@cedr.com. You can also make a referral to or lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk/concerns, although the ICO recommends that steps are taken to resolve the matter with data processors directly before involving them.