GDPR & How We Use Your Data

Privacy Notice

How we use your personal information

This privacy notice explains what information this GP practice holds about you, why we hold that information and how that information may be used. The healthcare professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.

NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which this GP Practice holds about you may include the following information: details about you, such as your address, carer, legal representative and emergency contact details.

We also hold the following:

  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations such as laboratory tests, x-rays etc.

We hold relevant information from other health professionals, relatives or those who care for you to ensure you receive the best possible care and your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose.

How do we ensure your records are held confidentially?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 2018
  • General Data Protection Regulations 2018
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality
  • Information Security and Records Management
  • Information: To Share or Not to Share Review

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review (Information: To share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.”

This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies.

Change of Details

It is important that you tell the practice if any of your details, such as your name or address, have changed or if any of your details, such as date of birth, are incorrect, in order for this to be amended. You have a responsibility to inform us of any changes so your record is accurate and up to date.

You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests. Please see below.

Your Summary Care Record

Your summary care record is an electronic record of your healthcare history (and other relevant personal information) held on a national healthcare records database provided and facilitated by NHS England.

This record may be shared with other healthcare professionals and additions to this record may also be made by relevant healthcare professionals and organisations involved in your direct healthcare.

You may have the right to demand that this record is not shared with anyone who is not involved in the provision of your direct healthcare. If you wish to enquire further as to your rights in respect of not sharing information on this record then please contact our Data Protection Officer.

To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, please visit https://www.nhs.uk/your-nhs-data-matters/.

Note: if you do choose to opt out, you can still consent to your data being used for specific purposes. However, if you are happy with this use of information you do not need to do anything. You may, however, change your choice at any time.

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

1) Data Controller contact details

Jenner House Surgery

159 Cove Road

Farnborough

Hampshire

GU14 0HQ

2) Data Protection Officer contact details

Laura Taw

Primary Care Data Protection Officer

[email protected]

3) Purpose of the processing

Direct Care is care delivered to the individual alone, most of which is provided in the surgery. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialists, therapists, technicians etc. The information is shared to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and/or care.

4) Lawful basis for processing

The Law says we need a legal basis to handle your personal and healthcare information.

CONTRACT: We have a contract with NHS England to deliver healthcare services to you. This contract provides that we are under a legal obligation to ensure that we deliver medical and healthcare services to the public.

CONSENT: Sometimes we also rely on the fact that you give us consent to use your personal and healthcare information so that we can take care of your healthcare needs.

Please note that you have the right to withdraw consent at any time if you no longer wish to receive services from us.

NECESSARY CARE: Providing you with the appropriate healthcare, where necessary. The Law refers to this as ‘protecting your vital interests’ where you may be in a position not to be able to consent. 

LAW: Sometimes the Law obliges us to provide your information to an organisation (see above).

SPECIAL CATEGORIES

The Law states that personal information about your health falls into a special category of information because it is very sensitive. Reasons that may entitle us to use and process your information may be as follows:

PUBLIC INTEREST: Where we may need to handle your personal information when it is considered to be in the public interest. For example, when there is an outbreak of a specific disease and we need to contact you for treatment, or we need to pass your information to relevant organisations to ensure you receive advice and/or treatment;

CONSENT: When you have given us consent;

VITAL INTEREST: If you are incapable of giving consent, and we have to use your information to protect your vital interests (e.g. if you have had an accident and you need emergency treatment);

DEFENDING A CLAIM: If we need your information to defend a legal claim against us by you, or by another party;

PROVIDING YOU WITH MEDICAL CARE: Where we need your information to provide you with medical and healthcare services.

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*

5) Recipient or categories of recipients of the processed data

The data will be shared with health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.

We are currently preparing detailed breakdowns for each of the ways in which we use your information. These will be available in the practice.

6) Rights to object

You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection; that is not the same as having an absolute right to have your wishes granted in every circumstance.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law. Your request may be made either verbally or in writing to the practice.

8) Retention period

The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016   

9) Right to Complain

If you are happy for your data to be extracted and used for the purposes described in this privacy notice then you do not need to do anything. If you have any concerns about how your data is shared then please contact the practice. Please contact the Practice Manager in the first instance on 01252 548141.

You have the right to complain to the Information Commissioner’s Office. You can use this link, https://ico.org.uk/global/contact-us/, or call their helpline on 0303 123 1113 (local rate) or 01625 545 745 (national rate).

There are National Offices for Scotland, Northern Ireland and Wales (see ICO website).

WHO WE MAY PROVIDE YOUR PERSONAL INFORMATION TO, AND WHY

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care Services, important information about you is collected to help ensure you get the best possible care and treatment. This information may be passed to other approved organisations where there is a legal basis, to help with planning services, improving care, research into developing new treatments and preventing illness. All of this helps in providing better care to you and your family and future generations. However, as explained in this privacy notice, confidential information about your health and care is only used in this way where allowed by law and would never be used for any other purpose without your clear and explicit consent.

We may pass your personal information on to the following people or organisations, because these organisations may require your information to assist them in the provision of your direct healthcare needs. It, therefore, may be important for them to be able to access your information in order to ensure they may properly deliver their services to you:

  • Hospital professionals (such as doctors, consultants, nurses, etc);
  • Other GPs/Doctors;
  • Pharmacists;
  • Nurses and other healthcare professionals;
  • Dentists;
  • Any other person that is involved in providing services related to your general healthcare, including mental health professionals.

OTHER PEOPLE WHO WE PROVIDE YOUR INFORMATION TO

  • Commissioners;
  • Clinical Commissioning Groups;
  • Local authorities; 
  • Community health services;

    e.g. Care and Health Information Exchange (CHIE) – formerly Hampshire Health Record

    The CHIE is an electronic summary record for people living in Hampshire, Portsmouth and Southampton. GP Surgeries, hospitals, social care and community care teams collect information about you and store it electronically on separate computer systems. The Care and Health Information Exchange stores summary information from these organisations in one place so that – with your consent – professionals can view it to deliver better care to you. This record contains more information than the SCR, but is only available to organisations in Hampshire. For more information, visit http://chie.org.uk/

  • For the purposes of complying with the law e.g. Police, Solicitors, Insurance Companies;
  • Anyone you have given your consent to, to view or receive your record, or part of your record. Please note, if you give another person or organisation consent to access your record we will need to contact you to verify your consent before we release that record. It is important that you are clear about, and understand, how much and what aspects of your record you give consent to be disclosed.
  • Extended Access – we provide extended access services to our patients which means you can access medical services outside of our normal working hours. In order to provide you with this service, we have formal arrangements in place with the Clinical Commissioning Group and with other practices whereby certain practices offer this service on our behalf for you as a patient to access outside of our opening hours.

This means those practices will have to have access to your medical record to be able to offer you the service; your information is only available to other Practices if you attend another practice for a consultation.

Please note that, to ensure that those practices comply with the law and to protect the use of your information, we have very robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those purposes only.

We are also sometimes legally obliged to disclose information about patients to relevant authorities. In these circumstances, the minimum identifiable information that is essential to serve that legal purpose will be disclosed.

That organisation will also have a professional and contractual duty of confidentiality. Data will be anonymised if at all possible before disclosure if this would serve the purpose for which the data is required.

Organisations that we are sometimes obliged to release information to include:

  • NHS Digital (e.g. the National Diabetes Audit)
  • CQC
  • DVLA
  • GMC
  • HMRC
  • NHS Counter Fraud
  • Police
  • The Courts
  • Public Health England
  • Local Authorities (Social Services)
  • The Health Service Ombudsman

In the event of actual or possible legal proceedings, we may need to disclose information from an individual’s GP record to a medical defence organisation.

Farnborough Practices as follows:

  • Alexander House Surgery
  • Giffard Drive Surgery
  • Mayfield Medical Centre
  • North Camp Surgery
  • Voyager Family Health
  • The Frailty Service
  • Salus
  • Data Extraction by the Clinical Commissioning Group – the clinical commissioning group at times extracts medical information about you, but the information we pass to them via our computer systems cannot identify you to them. This information only refers to you by way of a code that only your practice can identify (it is pseudo-anonymised).

This therefore protects you from anyone who may have access to this information at the Clinical Commissioning Group from ever identifying you as a result of seeing the medical information and we will never give them the information that would enable them to do this.

There are good reasons why the Clinical Commissioning Group may require this pseudo-anonymised information. This information is used to plan and improve services. The information collected includes data such as the area patients live, age, gender, ethnicity, language preference, country of birth and religion. The CCG also collects information about whether patients have long term conditions such as diabetes; blood pressure, cholesterol levels and medication.

The data shared is always anonymised; you will never be identified.

Third party processors

In order to deliver the best possible service, the practice will share data (where required) with other NHS bodies such as other GP practices and hospitals. In addition, the practice will use carefully selected third party service providers. When we use a third party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:

  • Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc.
  • Delivery services (for example if we were to arrange for delivery of any medicines to you).
  • Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).

ANONYMISED INFORMATION

Sometimes we may provide information about you in an anonymised form. If we do so, then none of the information we provide to any other party will identify you as an individual, and it cannot be traced back to you.

RECORDED INFORMATION

The Practice does not record telephone calls.

Access and Subject Access Requests

You have the right to see what information we hold about you and to request a copy of this information.

If you would like a copy of the information we hold about you please contact our Administrator on 01252 548141 ext 205.

We will provide this information free of charge; however, we may in some limited and exceptional circumstances have to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive.

We have one month to reply to you and give you the information that you require. We would ask, therefore, that any requests you make are in writing and that it is made clear to us what and how much information you require. Please complete the Data Subject Access Form, available on our website, or pop into the Practice to obtain a hard copy. A link to this form can be found on our website. Please fill in the form and return it to the Practice via post or email.

Should we need to clarify what you require, we have one month to reply from when that is received.

Online Access

You may ask us if you wish to have online access to your medical record. However, there will be certain protocols that we have to follow in order to give you online access, including written consent and production of documents that prove your identity.

Please note that when we give you online access, the responsibility is yours to make sure that you keep your information safe and secure if you do not wish any third party to gain access.

For the purposes of data protection, your coded history only will be visible online.

THIRD PARTIES MENTIONED ON YOUR MEDICAL RECORD

Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to confidentiality, are removed before we send any information to any other party including yourself. Third parties can include: spouses, partners, and other family members. 

We will never pass on your personal information to anyone else who does not need it, or has no right to it, unless you give us clear consent to do so.

REQUESTS FROM THIRD PARTIES FOR YOUR MEDICAL RECORD

It is the policy of Jenner House Surgery that, on request of extracts or access to your full medical record by a third party for non-NHS services (e.g. claims, insurance), we will not share this directly with the requestor. In these circumstances, the practice will contact the patient directly (the Data Controller), advise them of the request and provide the patient with their medical record for onward forwarding.

We firmly believe patients should be in control of what is shared with third parties from their medical record.

UNDER 16s

Please see Privacy Notice for Under 16s. The principles of this notice remain the same; however there is additional information on sharing information with parents/guardians.

IF ENGLISH IS NOT YOUR FIRST LANGUAGE

If English is not your first language you can view this Privacy Notice on our website, which can be translated into 103 different languages.

OUR WEBSITE

The only website this Privacy Notice applies to is the Surgery’s website. If you use a link to any other website from the Surgery’s website then you will need to read their respective privacy notice. We take no responsibility (legal or otherwise) for the content of other websites.

SECURITY

We take the security of your information very seriously and we do everything we can to ensure that your information is always protected and secure. We regularly update our processes and systems and we also ensure that our staff are properly trained. We also carry out assessments and audits of the information that we hold about you and make sure that if we provide any other services, we carry out proper assessments and security reviews.

Text Messaging, Email, Telephoning and contacting you.

Because we are obliged to protect any confidential information we hold about you and we take this very seriously, it is imperative that you let us know immediately if you change any of your contact details.

We may contact you using SMS texting to your mobile phone in the event that we need to notify you about appointments and other services that we provide to you involving your direct care; therefore, you must ensure that we have your up to date details. This is to make sure we are actually contacting you and not another person.

If you do not wish to be contacted by text or email please notify the surgery.

Coronavirus (COVID-19) pandemic and your information

The ICO recognises the unprecedented challenges the NHS and other health professionals are facing during the Coronavirus (COVID-19) pandemic.

The ICO also recognises that ‘Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.’

The Government have also taken action in respect of this and on 20th March 2020 the Secretary of State for Health and Social Care issued a Notice under Regulation 3(4) of The Health Service (Control of Patient Information) Regulations 2002 requiring organisations such as GP Practices to use your information to help GP Practices and other healthcare organisations to respond to and deal with the COVID-19 pandemic.

In order to look after your healthcare needs during this difficult time, we may urgently need to share your personal information, including medical records, with clinical and non-clinical staff who belong to organisations that are permitted to use your information and need to use it to help deal with the Covid-19 pandemic. This could (amongst other measures) consist of either treating you or a member of your family and enable us and other healthcare organisations to monitor the disease, assess risk and manage the spread of the disease.

Please be assured that we will only share information and health data that is necessary to meet your and public healthcare needs.

The Secretary of State for Health and Social Care has also stated that these measures are temporary and will expire on 31 March 2021 unless a further extension is required. Any further extension will be provided in writing and we will communicate the same to you via this privacy notice.

Please also note that the data protection and electronic communication laws do not stop us from sending public health messages to you, either by phone, text or email as these messages are not direct marketing.

It may also be necessary, where the latest technology allows us to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind.

If you are concerned about how your information is being used, please contact our DPO using the contact details provided in this Privacy Notice.

Summary Care Record

For the duration of the COVID-19 pandemic extended access has been deemed necessary on a national basis. Full details can be found here: https://digital.nhs.uk/services/summarycarerecordsscr/scrcoronaviruscovid19supplementaryprivacynotice

Update: 2nd June 2021

General Practice Data for Planning and Research (GPDPR)

Purpose: Patients’ personal confidential data will be extracted and shared with NHS Digital in order to support vital health and care planning and research. Further information can be found here

Patients may opt out of having their personal identifiable data shared for Planning or Research by applying a National Data Opt Out or a Type 1 Opt Out. Details of how to Opt Out can be found on our Privacy Notice. For the National Data Opt Out patients are required to register their preference below.

https://www.nhs.uk/your-nhs-data-matters/

For Type 1 Opt Out, which means that no personal confidential data will be shared outside of the practice for this purpose, patients can complete the form within the link and return it to their registered practice for action by the 23rd June 2021. https://nhs-prod.global.ssl.fastly.net/binaries/content/assets/website-assets/data-and-information/data-collections/general-practice-data-for-planning-and-research/type-1-opt-out-form.docx

Legal Basis: The legal basis for this activity can be found at this link: General Practice Data for Planning and Research: NHS Digital Transparency Notice – NHS Digital

Processor: NHS Digital

Transparency Information
Organisation/ActivityRationale
Shared Care Records  Purpose To ensure you receive effective, safe care, we will, through digital means enable your record to be available to those providing your care in whichever care setting you are seen, such as an A&E attendance, a physiotherapy appointment, a social care needs assessment.   In order to achieve this, the aim of Shared Care Records is to enable health and care staff to view your information, to save valuable time in getting you the right treatment. Your information will only be available to the staff involved in your direct care, and not at any other time, or for any other reason.   Further information can be found here (https://www.frimleyhealthandcare.org.uk/about/shared-care-record-how-your-data-is-used/)   Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’   Processor – Insert local supplier reference (optional)  
Summary Care RecordPurpose – The NHS in England uses a national electronic record called the Summary Care Record (SCR) to support patient care. It contains key information from your GP record. Your SCR provides authorised healthcare staff with faster, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable.   Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’   Further information can be found here   Controller of summary care record data – NHS Digital  
Test requests and resultsPurpose – Some basic identifying details, the type of test requested and if required any relevant health information is shared with Pathology Laboratories when tests such as blood or urine tests need to be undertaken.  The laboratory will also hold the details of the request and the result.  The result/report will be sent electronically to the practice who will hold it in the patient’s record.   Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’   Controller of test data – The laboratory that process the request and result are a controller of the data generated by the test process.    
ResearchPurpose – We may share personal confidential or anonymous information with research companies. Where you have opted out of having your identifiable information shared for this purpose then it will not be used.  Details on how to opt out are here.   Legal Basis – consent is required to share confidential patient information for research, unless there is have support under the Health Service (Control of Patient Information Regulations) 2002 (‘section 251 support’) applying via the Confidentiality Advisory Group in England and Wales   The organisation leading the research will be the controller of data disclosed to them.  
Individual Funding RequestsPurpose – We may need to process your personal information where we are required to apply for funding for a specific treatment for you for a particular condition that is not routinely available.   Legal Basis – The clinical professional who first identifies that you may need the treatment will explain to you the information that is needed to be collected and processed in order to assess your needs and commission your care; they will gain your explicit consent to share this. You have the right to withdraw your consent at any time.  If you are happy for the request to be made, the basis for processing your data is:  Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’   Your data will be disclosed to the Clinical Commissioning Group who manages the individual funding request process.  
Child Health Information ServicePurpose – We wish to make sure that your child has the opportunity to have immunisations and health checks when they are due. We share information about childhood immunisations, the 6-8 week new baby check and breast-feeding status with health visitors and school nurses.   Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’   Controller to which data is disclosed:  INSERT LOCAL REF  
Risk Stratification – Preventative Care
Purpose – ‘Risk stratification for case finding’ is a process for identifying and managing patients who have or may be at risk of health conditions (such as diabetes) or who are most likely to need healthcare services (such as people with frailty). Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health before it develops.
Information about you is collected from a number of sources including NHS Trusts and your GP Practice. A risk score is then arrived at to help us identify and offer you additional services to improve your health.
In addition, data with your identity removed is used to inform the development and delivery of services across the local area.
If you do not wish information about you to be included in any risk stratification programmes, please let us know. We can add a code to your records that will stop your information from being used for this purpose. Please be aware that this may limit the ability of healthcare professionals to identify if you have or are at risk of developing certain serious health conditions.
Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.
Risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority (approval reference (CAG 7-04)(a)/2013), and this approval has been extended to the end of September 2020 (NHS England Risk Stratification), which gives us a statutory legal basis under Section 251 of the NHS Act 2006 to process data for risk stratification purposes which sets aside the duty of confidentiality. We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.
Controller to which data is disclosed: INSERT LOCAL REF (NB identifiable data is not disclosed to other controllers)

Public Health
  • Screening programmes (identifiable)
  • Notifiable disease information (identifiable)
  • Smoking cessation (anonymous)
  • Sexual health (anonymous)
Purpose – The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These currently apply to bowel cancer, breast cancer, aortic aneurysms and diabetic retinal screening service. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme. Personal identifiable and anonymous data is shared.
More information can be found at: https://www.gov.uk/guidance/nhs-population-screening-explained [Or insert relevant link] or speak to the practice.
Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.
Controller to which data is disclosed: Public Health Services (England), & ANY LOCAL REF (i.e. Council)

NHS Trusts
Purpose – Personal information is shared with Hospitals, Community Services, Mental Health Services and others in order to provide you with care services. This could be for a range of services, including treatment, operations, physio, community nursing and ambulance service.
Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.
Controller to which data is disclosed: LOCAL REF

Care Quality Commission
Purpose – The CQC is the regulator for the English Health and Social Care services to ensure that safe care is provided. They will inspect and produce reports back to the GP practice on a regular basis. The law allows the CQC to access identifiable data but only where it is needed to conduct their services.
More detail on how they ensure compliance with data protection law (including GDPR) and their privacy statement is available on the CQC website: https://www.cqc.org.uk/about-us/our-policies/privacy-statement
Legal Basis – Article 6(1)c “processing is necessary for compliance with a legal obligation to which the controller is subject” and Article 9(2)h ‘management of health and care services’
Controller data is disclosed to – Care Quality Commission

Payments
Purpose – Payments to the practice come in many different forms. Some payments are based on the number of patients that receive specific services, such as diabetic reviews and immunisation programmes. In order to make patient-based payments, basic and relevant necessary data about you needs to be sent to the various payment services; this data contains limited identity if needed, such as your NHS number. The release of this data is required by English laws.
Legal Basis – Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject” and Article 9(2)(h) ‘as stated below’
Controllers that data is disclosed to – NHS England, CCG, Public Health

Patient Record database support
Purpose – The practice uses electronic patient records. Our supplier of the electronic patient record system is: INSERT
Our supplier does not access identifiable records without permission of the practice and this is only given where it is necessary to investigate issues on a particular record.
Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘management of health and care services’.

Medicines optimisation
Purpose – We use software packages linked to our patient record system to aid when prescribing drugs. These ensure that prescribing is effective. We do not share your identifiable data with the companies that provide these packages.
Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.

Clinical Audit
Purpose – Information will be used by the CCG for clinical audit to monitor the quality of the service provided to patients with long-term conditions. When required, information will be held centrally and used for statistical purposes (e.g. the National Diabetes Audit). When this happens, strict measures are taken to ensure that individual patients cannot be identified from the data.
Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘management of health and care services’.
Controller – Somerset Clinical Commissioning Group

National Fraud Initiative – Cabinet Office
Purpose – The use of data by the Cabinet Office for data matching is carried out with statutory authority. It does not require the consent of the individuals concerned under Data Protection legislation. Data matching by the Cabinet Office is subject to a Code of Practice. For further information see: https://www.gov.uk/government/publications/code-of-data-matching-practice-for-national-fraud-initiative
NFI activities vary each year, so data would only be disclosed if required by the focus of their activities.
Legal Basis – Part 6 of the Local Audit and Accountability Act 2014
Controller – Cabinet Office

National Registries
Purpose – National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006 to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.
Legal Basis – Section 251 of the NHS Act 2006

Police
Purpose – The police may request information in relation to on-going enquiries; all requests are reviewed and only appropriate information will be shared under legislation.
Legal Basis –
  • Article 6(1)e – task carried out in the public interest
  • Article 9(2)c – Vital Interests
  • Article 9(2)f – Legal claims or judicial acts
  • Article 9(2)g – Reasons of substantial public
Controller disclosed to – Police