General Privacy Notice (Including special provisions under the COVID-19 pandemic)
This practice’s primary purpose is to provide the best care possible for you. In order to do this, we need to collect, store and share information about you.
This privacy notice is designed to explain what happens to any personal data that you give us or any information concerning you that is collected by other organisations, for instance, if you attend an Accident and Emergency department. This includes how your data is held and/or processed by us.
This notice includes:
Under the 2018 Data Protection Act (incorporating the General Data Protection Regulation - GDPR) the practice is known as the Data Controller. As such we are responsible for keeping your data up to date and accurate, as well as storing it safely and sharing it securely. If you have a problem or a question, you should contact the Practice Manager in the first instance. The Act stipulates also that public sector organisations should provide access to an independent Data Protection Officer and their contact details are provided in the summary below.
The Information We Hold On You
Our practice keeps data on you relating to who you are, where you live, your contact details, your family, details of your occupation - if any - and possibly your employers, your habits, your health problems and diagnoses, the reasons you seek help as well as your appointments. Your record also contains details if you have a carer, where you are seen, when you are seen, and who by, all referrals to specialists and other health and social care providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other health care workers, within and without the NHS, as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care. All of this data helps us in providing you with the best possible care and as quickly as possible in an emergency.
All health related data is seen as ‘special category’ or ‘sensitive data’ under the 2018 Data Protection Act which means that it is shared and processed with particular care. This applies to your data whether it is in electronic formats or on paper.
When registering for NHS care, all patients who receive NHS care are registered on a national database. The database is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS data.
Why We Hold and Process Data
We hold and process your data in order to provide you with direct care. Anonymised and pseudonymised patient data, in other words data that cannot be used to identify you, is also used to:
Special Provisions During The COVID-19 Pandemic
The NHS faces severe pressure during the pandemic. This makes it even more important to share health and care data across relevant organisations.
Using Regulation 3 (4) of the Health Service (Control of Patient Information) Regulations 2002 and related legislation, the Secretary of State for Health has issued a notice (the COPI notice) that requires health organisations including GP surgeries, local authorities and government bodies to share confidential patient information. There are new services and information flows that have been set up to manage the outbreak. For instance, this practice is part of a Primary Care Network and is part of a ‘buddy system’ so that if its staff are so affected by the virus that the practice cannot operate, colleagues from other practices and other organisations can still provide you with care.
All patients registered with a GP have a Summary Care Record (SCR) unless they have chosen not to have one. This record gives professionals in the healthcare system away from your practice access to your information when you need it. If you have expressed a preference to only have core information shared in the Summary Care Record or to opt out of the SCR completely, these preferences will be respected. For all other patients the SCR will be used to share additional information as required. Changes to your opt-out preferences will be suspended and not processed for the duration of the outbreak.
Automated processing of data will be used to identify vulnerable patients and patients needing to be shielded.
NHS England and NHS Improvement and NHSX have developed a single, secure data-store to gather data from across the health and care system to inform the Covid 19 response.
Any data-flows used to share data specifically to manage Covid 19 during the pandemic will cease once the COPI notice is withdrawn.
Because of the importance of sharing data for us all (defined as “public interest” under the 2018 Data Protection Act) any patient opt-out, including the National Data Opt-out, will not apply. It may also take the practice longer to respond to Data Subject Access Requests (DSARs).
During this period we may also offer you a consultation by video-conferencing link.
Who Do We Share Information With
As GPs, we cannot provide all your treatment ourselves, so we need to delegate this responsibility to others within the practice and to other organisations such as pharmacies or hospitals.
If your care requires treatment outside the practice, we will exchange with those providing such care and treatment whatever information may be necessary to provide you with safe, high quality care. The practice also delivers services and treatment to our patients as part of, and in association with local primary care networks and beyond.
Once you have seen any outside care provider, they will normally send us details of the care they have provided you with, so that we can understand your health and treatment better.
The sharing of data, within the practice and with those others outside the practice, is assumed and is allowed by law (including the Data Protection Act 2018). However, we will gladly discuss this with you in more detail if you would like to know more.
We have an overriding responsibility to do what is in your best interests under the 2018 Data Protection Act ‘in performance of a public task’ (see legal bases in the summary below). The Practice team (clinicians, administration and reception staff) only access the information they need to allow them to perform their function and fulfil their roles. The summary also contains details of your rights in relation to your data under the Act and how to exercise them.
We do share anonymised data with the South West London Clinical Commissioning Group, The Sutton GP Federation and NHS England. This data is extracted by secure data extraction tools such as EMIS Enterprise and/or Apollo.
This practice does NOT share your data with insurance companies, except by your specific instruction or consent.
Your data is NOT shared for any marketing purpose.
Communication With Patients
The practice will use your contact details in order to inform you of progress in your treatment or to work with you in managing your health. Because we can communicate and get data to you more quickly and more securely, we prefer to use email and text messaging services. Please ensure that we have your current email address and mobile telephone number so that we can do this. If you would prefer us NOT to communicate with you in these ways, please let us know.
Safeguarding and the Caldicott Guardian
The practice is dedicated to safeguarding all its patients, including children and vulnerable adults. This means that information will be shared by the practice in their best interests. Such decisions are the ultimate responsibility of the practice’s Caldicott Guardian. The Caldicott Guardian is the senior person - always a doctor and often a partner within a practice - responsible for protecting the confidentiality of people’s health and care information. The duty to share data for the benefit of individuals is as important as the duty to protect patient confidentiality, and actions taken as a result of safeguarding concerns will override data protection.
The practice will conduct reviews of medicines prescribed to its patients. Reviews of this data allow us to test and update our prescribing to ensure that you receive the most appropriate and cost-effective treatments. These reviews may take the form of internal audits or those conducted by the local Medicine Management Team.
Electronic tools of prediction, based upon algorithms and artificial intelligence are used within the NHS to determine a patient’s future risks and treatment needs. Wherever we can, we want to prevent admissions to A&E and secondary care which would be otherwise necessary. Such preventative care may, for instance, use these tools to determine the risk and consequence of a future fall in an elderly patient. Under Covid 19 these tools are being used to identify vulnerable patients and patients who need to be shielded.
However, under the 2018 Data Protection Act, when the COPI notice described above is withdrawn, you do have the right to opt out of having your data processed in such automated ways. If you wish to opt out of this, please contact the practice.
Research and Planning
The practice takes part in research that uses anonymised or pseudonymised data. This means that patient data cannot be traced back to individuals and is therefore no longer personal data under the 2018 Data Protection Act. You may be contacted by researchers conducting research into specific conditions who wish to use your personal data. In order to include your personal data, these projects require your specific consent.
Anonymised or pseudonymised patient data held by the practice may also be used to evaluate present services that provide direct care or to plan future ones within the practice or across the local area.
Identifiable patient data may be used in planning and managing the response of the NHS to the Covid 19 virus. This will continue until the COPI notice above is withdrawn.
Opt-Outs (The National Data Opt-out) and Your Right to Object.
You cannot opt-out of your data being shared for the purposes of providing you with direct care. You can exercise your right to object to a specific process involving your data. If you wish to do this then you must contact the practice’s Data Protection Officer at email@example.com.
You can opt out from having your confidential data (i.e. data that can identify you) being used for purposes beyond direct care, such as research and planning. To do this, you can check or change your preferences online at www.nhs.uk/your-nhs-data-matters, where you can read the information and follow the instructions if you wish to opt out. This opt-out is recorded against your NHS number on the NHS ‘spine’.
There are some situations where your data will be shared in addition to providing you with direct care. These include:
You can find out more about how your patient information is used at https://www.hra.nhs.uk/information-about-patients/ and https://understandingpatientdata.org.uk/what-you-need-know.
Please note that you can change your choice at any time.
This practice is currently compliant with the national data opt-out policy.
How Is Your Information Stored
The practice stores the main patient record via a contracted data processor in the cloud. The contracted processor for the practice is Egton Medical Information Systems (EMIS). They can be contacted via EMIS, Rawdon House, Green Lane, Yeadon, Leeds LS19 7BY.
How Long Is The Information Retained
The medical record is retained at the patient’s practice for the lifetime of the patient, after which it is sent to Primary Care Services England (PCSE). If you move to another practice your records will be transferred to that practice.
Data Protection Officer
Purpose of Processing your personal information
Direct Care delivered to the individual alone, much of which is provided in the surgery.
After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialists, therapists, technicians etc.
The information that is shared is to enable the other healthcare and social care professionals to provide the most appropriate advice, investigations, treatments, therapies and/or care.
Lawful Basis for Processing your personal information
The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1)(c) – the processing is necessary for compliance with a legal obligation to which the controller (the practice) is subject and/or
Article 6(1)(e) ‘…the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
Health data is defined as a special kind of personal data and is also processed by the practice under
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services..’
The sharing of your personal data also takes place in accordance with the common law duty of confidentiality. Performance of this duty does not require consent from the patient where the proposed use of their data is either for individual care or in the public interest.
Recipient or categories of recipients of your personal data
The data will be shared with health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.
This practice is also part of a Neighbourhood Multi-Disciplinary Team based upon the CASS Primary Care Network designed to bring together a number of service providers to help patients with more than one need.
Your right to object
You have the right to object to some or all of the information being processed, which is detailed under Article 21. Exercising your right to object may well prevent the referral or course of treatment from going ahead.
Please contact the practice’s Data Protection Officer at firstname.lastname@example.org.
You should be aware that this is a right to raise an objection; this is not the same as having an absolute right to have your wishes granted in every circumstance.
Your right to access and correction
You have the right to access your data and to have any inaccuracies corrected.
There is no right to have your medical records deleted except when ordered by a court of law.
How long do we hold your personal data for?
We retain your personal data in line with both national guidance and law, which can be found here:
Right to complain
If you have a question or wish to complain about the use of your data, you should approach the Practice Manager or contact the Data Protection Officer at:
The use of personal data is overseen by the Information Commissioner’s Office, often known as the ICO.
If you wish to complain or raise a concern with the ICO, they can be contacted via their website: https://ico.org.uk/global/contact-us/
Or you can also call their helpline:
Tel: 0303 123 1113 (local rate)
01625 545 745 (national rate)