How we use your personal information
This privacy notice explains what information this GP practice holds about you, why we hold that information and how that information may be used. The healthcare professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.
NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which this GP Practice holds about you may include the following information; details about you, such as your address, carer, legal representative, emergency contact details.
We also hold the following:
- Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations such as laboratory tests, x-rays etc.
We hold relevant information from other health professionals, relatives or those who care for you to ensure you receive the best possible care and your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided.
Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose.
How do we ensure your records are held confidentiality?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- Data Protection Act 2018
- General Data Protection Regulations 2018
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- Health and Social Care Act 2012
- NHS Codes of Confidentiality
- Information Security and Records Management
- Information: To Share or Not to Share Review
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review (Information: To share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.”
This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies.
Change of Details
It is important that you tell the practice if any of your details such as your name or address have changed or if any of your details such as date of birth is incorrect in order for this to be amended. You have a responsibility to inform us of any changes so your record is accurate and up to date.
You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests. Please see below.
YOUR SUMMARY CARE RECORD
Your summary care record is an electronic record of your healthcare history (and other relevant personal information) held on a national healthcare records database provided and facilitated by NHS England.
This record may be shared with other healthcare professionals and additions to this record may also be made by relevant healthcare professionals and organisations involved in your direct healthcare.
You may have the right to demand that this record is not shared with anyone who is not involved in the provision of your direct healthcare. If you wish to enquire further as to your rights in respect of not sharing information on this record then please contact our Data Protection Officer.
To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, please visit https://www.nhs.uk/your-nhs-data-matters/.
Note if you do choose to opt out, you can still consent to your data being used for specific purposes. However, if you are happy with this use of information you do not need to do anything. You may however change your choice at any time.
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.
|1) Data Controller contact details||
Jenner House Surgery
159 Cove Road
|2) Data Protection Officer contact details||
Primary Care Data Protection Officer
|3) Purpose of the processing||Direct Care is care delivered to the individual alone, most of which is provided in the surgery. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.|
|4) Lawful basis for processing||
The Law says we need a legal basis to handle your personal and healthcare information.
CONTRACT: We have a contract with NHS England to deliver healthcare services to you. This contract provides that we are under a legal obligation to ensure that we deliver medical and healthcare services to the public.
CONSENT: Sometimes we also rely on the fact that you give us consent to use your personal and healthcare information so that we can take care of your healthcare needs.
Please note that you have the right to withdraw consent at any time if you no longer wish to receive services from us.
NECESSARY CARE: Providing you with the appropriate healthcare, where necessary. The Law refers to this as ‘protecting your vital interests’ where you may be in a position not to be able to consent.
LAW: Sometimes the Law obliges us to provide your information to an organisation (see above).
The Law states that personal information about your health falls into a special category of information because it is very sensitive. Reasons that may entitle us to use and process your information may be as follows:
PUBLIC INTEREST: Where we may need to handle your personal information when it is considered to be in the public interest. For example, when there is an outbreak of a specific disease and we need to contact you for treatment, or we need to pass your information to relevant organisations to ensure you receive advice and/or treatment;
CONSENT: When you have given us consent;
VITAL INTEREST: If you are incapable of giving consent, and we have to use your information to protect your vital interests (e.g. if you have had an accident and you need emergency treatment);
DEFENDING A CLAIM: If we need your information to defend a legal claim against us by you, or by another party;
PROVIDING YOU WITH MEDICAL CARE: Where we need your information to provide you with medical and healthcare services
The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*
|5) Recipient or categories of recipients of the processed data||
The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.
We are currently preparing detailed breakdowns for each of the ways in which we use your information. These will be available in the practice.
|6) Rights to object||You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance|
|7) Right to access and correct||You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law. Your request may be made either verbally or in writing to the practice.|
|8) Retention period||The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016|
|9) Right to Complain.||
If you are happy for your data to be extracted and used for the purposes described in this privacy notice then you do not need to do anything. If you have any concerns about how your data is shared then please contact the practice. Please contact the Practice Manager in the first instance Marie Edwards 01252 548141
You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)
WHO WE MAY PROVIDE YOUR PERSONAL INFORMATION TO, AND WHY
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care Services, important information about you is collected to help ensure you get the best possible care and treatment. This information may be passed to other approved organisations where there is a legal basis, to help with planning services, improving care, research into developing new treatments and preventing illness. All of this helps in providing better care to you and your family and future generations. However, as explained in this privacy notice, confidential information about your health and care is only used in this way where allowed by law and would never be used for any other purpose without your clear and explicit consent.
We may pass your personal information on to the following people or organisations, because these organisations may require your information to assist them in the provision of your direct healthcare needs. It, therefore, may be important for them to be able to access your information in order to ensure they may properly deliver their services to you:
- Hospital professionals (such as doctors, consultants, nurses, etc);
- Other GPs/Doctors;
- Nurses and other healthcare professionals;
- Any other person that is involved in providing services related to your general healthcare, including mental health professionals.
OTHER PEOPLE WHO WE PROVIDE YOUR INFORMATION TO
- Clinical Commissioning Groups;
- Local authorities;
- Community health services;
- For the purposes of complying with the law e.g. Police, Solicitors, Insurance Companies;
- Anyone you have given your consent to, to view or receive your record, or part of your record. Please note, if you give another person or organisation consent to access your record we will need to contact you to verify your consent before we release that record. It is important that you are clear and understand how much and what aspects of, your record you give consent to be disclosed.
- Extended Access – we provide extended access services to our patients which means you can access medical services outside of our normal working hours. In order to provide you with this service, we have formal arrangements in place with the Clinical Commissioning Group and with other practices whereby certain practices offer this service on our behalf for you as a patient to access outside of our opening hours.
This means, those practices will have to have access to your medical record to be able to offer you the service; your information is only available to other Practices if you attend another practice for a consultation.
Please note to ensure that those practices comply with the law and to protect the use of your information, we have very robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those purposes only.
Farnborough Practices as follows:
- Alexander House Surgery
- Giffard Drive Surgery
- Mayfield Medical Centre
- North Camp Surgery
- Voyager Family Health
- Data Extraction by the Clinical Commissioning Group – the clinical commissioning group at times extracts medical information about you, but the information we pass to them via our computer systems cannot identify you to them. This information only refers to you by way of a code that only your practice can identify (it is pseudo-anonymised).
This therefore protects you from anyone who may have access to this information at the Clinical Commissioning Group from ever identifying you as a result of seeing the medical information and we will never give them the information that would enable them to do this.
There are good reasons why the Clinical commissioning Group may require this pseudo-anonymised information. This information is used to plan and improve services. The information collected includes data such as the area patients live, age, gender, ethnicity, language preference, country of birth and religion. The CCG also collects information about whether patients have long term conditions such as diabetes; blood pressure, cholesterol levels and medication
The data shared is always anonymised, you will never be identified.
Sometimes we may provide information about you in an anonymised form. If we do so, then none of the information we provide to any other party will identify you as an individual and cannot be traced back to you.
The Practice does not record telephone calls or has any CCTV mechanisms installed.
Access and Subject Access Requests
You have the right to see what information we hold about you and to request a copy of this information.
If you would like a copy of the information we hold about you please contact our Administrator on 01252 548141 ext 224.
We will provide this information free of charge however, we may in some limited and exceptional circumstances have to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive.
We have one month to reply to you and give you the information that you require. We would ask, therefore, that any requests you make are in writing and it is made clear to us what and how much information you require, please complete the Data Subject Access Form, available on our website, or pop into the Practice to obtain a hard copy. A link to this form can be found on our website. Please fill in the form and return to the Practice via post or email.
Should we need to clarify what you require, we have one month to reply from when that is received.
You may ask us if you wish to have online access to your medical record. However, there will be certain protocols that we have to follow in order to give you online access, including written consent and production of documents that prove your identity.
Please note that when we give you online access, the responsibility is yours to make sure that you keep your information safe and secure if you do not wish any third party to gain access.
For the purposes of data protection, your coded history only will be visible online.
THIRD PARTIES MENTIONED ON YOUR MEDICAL RECORDS
Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to confidentiality, are removed before we send any information to any other party including yourself. Third parties can include: spouses, partners, and other family members.
We will never pass on your personal information to anyone else who does not need it, or has no right to it, unless you give us clear consent to do so.
REQUESTS FROM THIRD PARTIES FOR YOUR MEDICAL RECORDS
It is the policy of Jenner House Surgery that on request of extracts or access to your full medical record by a third party for non-NHS services (e.g. claims, insurance); that we will not share this directly with the requestor. In these circumstances, the practice will contact the patient directly (the Data Controller); advise them of the request and provide the patient with their medical record for onward forwarding.
We firmly believe patients should be in control of what is shared with third parties from their medical records.
Please see Privacy Notice for Under 16s. The principles of this notice remain the same; however there is additional information on sharing information with parents/guardians.
IF ENGLISH IS NOT YOUR FIRST LANGUAGE
If English is not your first language you can view this Privacy Notice on our website, which can be translated into 103 different languages.
The only website this Privacy Notice applies to is the Surgery’s website. If you use a link to any other website from the Surgery’s website then you will need to read their respective privacy notice. We take no responsibility (legal or otherwise) for the content of other websites.
We take the security of your information very seriously and we do everything we can to ensure that your information is always protected and secure. We regularly update our processes and systems and we also ensure that our staff are properly trained. We also carry out assessments and audits of the information that we hold about you and make sure that if we provide any other services, we carry out proper assessments and security reviews.
Published: 24th May 2018, updated 12th March 2019
- Access to Medical Records Policy
- Application Form for Access to Health Records
- Consent Policy
- Data Protection by Design and Default Declaration
- Data Protection Impact Assessment Policy
- Disclosure and Sharing of Patient Information Policy
- Freedom of Information Act Policy
- General Data Protection Regulation (GDPR) Policy
- Manual and Electronic Transfer of Patient Data Procedure
- Patient Data Protection Policy
- Records Retention Policy
- Sharing and Accessing Electronic Patient Records
- Who We Share Your Data With and Why