ST GEORGES MEDICAL PRACTICE
PRACTICE PRIVACY NOTICE
Your Information, Your Rights
The following notice reminds you of your rights and how your GP Practice will use your information for lawful purposes in order to deliver your care and the effective management of the local NHS system.
This notice explains how we use information for the management of patient records; for communication about your clinical, social and supported care; for ensuring the quality of your care and the best clinical outcomes through clinical audit and retrospective review; and for the planning of clinical services, so that appropriate care is in place for our patients today and in the future.
As a practice we are committed to protecting your privacy and will only use information collected lawfully in accordance with the:-
- Data Protection Act 1998
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- Health and Social Care Act 2012
- NHS Codes of Confidentiality and Information Security
As data controllers, GPs have responsibilities under the Data Protection Act 1998. This means ensuring that your personal confidential data is handled fairly and transparently, and in ways you would reasonably expect.
The Health and Social Care Act 2012 changed the way that personal confidential data is processed, therefore it is important that our patients are aware of and understand these changes, and that you have an opportunity to object and know how to do so.
What information do we collect and use?
Our GP practice holds information about you and this document outlines how that information is used, with whom we may share that information, how we keep it secure (confidential) and what your rights are in relation to this.
All personal data must be processed fairly and lawfully, whether it is received directly from you or from a third party in relation to your care.
We will collect the following types of information from you or about you from a third party (provider organisation) engaged in the delivery of your care:
- ‘Personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified from the data. This includes, but is not limited to, name, date of birth, full postcode, address, next of kin and NHS Number.
- ‘Special category / sensitive data’ such as medical history including details of appointments and contact with you, medication, emergency appointments and admissions, clinical notes, treatments, results of investigations, supportive care arrangements, social care status, race, ethnic origin, genetics and sexual orientation.
Your healthcare records contain information about your health and any treatment or care you have received previously (e.g. from an acute hospital, GP surgery, Community Care provider, mental health care provider, walk-in-centre, social services). These records may be electronic, a paper record or a mixture of both. We use a combination of technologies and working practices to ensure that we keep your information secure and confidential.
To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used for clinical audit to monitor the quality of the service provided and to plan NHS services.
Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.
Sometimes your information may be requested to be used for research purposes – the surgery or organisation concerned will always endeavour to gain your consent before releasing the information.
The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS and what control patients can have over this.
The NHS Constitution https://www.gov.uk/government/publications/the-nhs-constitution-for-england establishes the principles and values of the NHS in England. It sets out the rights to which patients, the public and staff are entitled, the pledges which the NHS is committed to achieve, and the responsibilities which the public, patients and staff owe to one another to ensure that the NHS operates fairly and effectively.
Why do we collect this information?
The NHS Act 2006 and the Health and Social Care Act 2012 confer statutory functions on GP Practices to promote and provide the health service in England, improve the quality of services, reduce inequalities, conduct research, review the performance of services and deliver education and training. To do this we will need to process your information in accordance with current data protection legislation to:
- Protect your vital interests;
- Pursue our legitimate interests as a provider of medical care, particularly where the individual is a child or a vulnerable adult;
- Perform tasks in the public’s interest;
- Deliver preventative medicine, medical diagnosis, medical research; and
- Manage the health and social care system and services.
We can only use any information that may identify you (known as personal information) in accordance with the Data Protection Act 1998 (http://www.legislation.gov.uk/ukpga/1998/29/contents) and other laws such as the Health and Social Care Act 2012 (http://www.legislation.gov.uk/ukpga/2012/7/contents/enacted), however only the minimum necessary identifiers are used in processing personal information for the purpose.
We also have a Common Law Duty of Confidentiality to protect your information. This means that where a legal basis for using your personal or confidential information does not exist, we will not do so.
Apart from direct health care, sensitive personal information may also be used in the following cases:
- To respond to patients, carers or Member of Parliament communication
- We have received consent from individuals to be able to use their information for a specific purpose.
- There is an over-riding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime.
- There is a legal requirement that will allow us to use or provide information (e.g. a formal court order).
- For the health and safety of others, for example to report an infectious disease such as Meningitis or measles.
- We have special permission for health and research purposes (granted by the Health Research Authority).
- We have special permission called a ‘Section 251 agreement’ (Section 60 of the Health and Social Care Act 2001 as re-enacted by Section 251 of the NHS Act 2006) which allows the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for defined medical purposes. An example of where this is used is in risk stratification. Further information can be found on the Health Research Authority’s web site here http://www.hra.nhs.uk/about-the-hra/ourcommittees/section-251/what-is-section-251/
How is the information collected?
Your information will be collected electronically, either via secure NHS Mail or by secure electronic transfer over an encrypted NHS network connection. In addition, physical (paper) information may be sent to the practice. This information will be retained within your GP’s electronic patient record or within your physical medical records.
Who will we share your information with?
In order to deliver and coordinate your health and social care, we may share information with the following organisations:
- Local GP Practices in order to deliver extended primary care services
- 111 and Out of Hours Service
- Local Social Services and Community Care services
- Voluntary Support Organisations commissioned to provide services by Darlington CCG
Your information will only be shared if it is appropriate for the provision of your care or required to satisfy our statutory function and legal obligations.
Whilst we might share your information with the above organisations, we may also receive information from them to ensure that your medical records are kept up to date and so that your GP can provide the appropriate care.
How do we maintain the confidentiality of your records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 1998 (which is overseen by the Information Commissioner’s Office), the Human Rights Act, the Common Law Duty of Confidentiality and the NHS Codes of Confidentiality and Security.
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. Anyone who receives information from an NHS organisation has a legal duty to keep it confidential.
We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (e.g. life or death situations) or where the law requires information to be passed on.
Information is not held for longer than is necessary. We will hold your information in accordance with the Records Management Code of Practice for Health and Social Care 2016.
The NHS Digital Code of Practice on Confidential Information (http://webarchive.nationalarchives.gov.uk/20180328130852tf_/http://content.digital.nhs.uk/article/4979/Assuring-information/) applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All practice staff are expected to make sure information is kept confidential and receive annual training on how to do this. This is monitored by the practice and can be enforced through disciplinary procedures.
We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only and protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).
We ensure that external data processors who support us are legally and contractually bound to operate appropriate security arrangements, and to demonstrate that those arrangements are in place, wherever information that could or does identify a person is processed.
We have a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing. This person is called the Caldicott Guardian. The Caldicott Guardian for the practice is Practice Manager Liz Stewart, who can be contacted using the practice contact details given in this document.
We are registered with the Information Commissioner’s Office (ICO) as a data controller which describes the purposes for which we process personal data. A copy of the registration is available from the ICO’s web site by searching on our practice name.
How long do you hold information for?
All records held by the practice will be kept for the duration specified by national guidance from the Department of Health, The Records Management Code of Practice for Health and Social Care 2016. Confidential information is securely destroyed in accordance with this code of practice.
Who are our partner organisations?
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:
- NHS Trusts
- Specialist Trusts
- Independent Contractors such as dentists, opticians, pharmacists
- Private Sector Providers
- Voluntary Sector Providers
- Ambulance Trusts
- Clinical Commissioning Groups
- Social Care Services
- Local Authorities
- Education Services
- Fire and Rescue Services
- Other ‘data processors’
The Practice Website is provided by Neighbourhood Direct Ltd (a member of Oldroyd Publishing Group Limited) in partnership with Myria Limited and uses the GP Fusion GP Website system.
The Practice Website is served over HTTPS, which means that communication between your web browser and the server hosting the website is encrypted in transit, so that anyone who intercepts it cannot read or alter it. Browsers indicate this with a padlock icon in the address bar.
Friends and Family Test
Any information supplied via our Friends & Family Test form is stored securely and accessed only by designated Practice staff. The information is submitted by patients and used for quality monitoring purposes, in line with the expectations of the patients submitting the feedback. The form does not request personal information, so unless you include identifying details in your comments your feedback is anonymous. Data entered via the FFT form is kept for as long as the site is active unless it is deleted by a site administrator.
The web server hosting our Practice Website automatically collects audit logs of website usage. These logs include the IP addresses of website users. Web server logs are used only to monitor, measure, analyse, improve and troubleshoot services. They are not published or passed to any third parties, and are used solely to maintain service quality. Audit logs are kept for 6 months and are then automatically deleted.
Our Practice Website includes activity tracking via Google Analytics. Google anonymises the user activity data and does not store IP addresses.
Links to Other Websites Which Request Personal Details
The Practice Website directs patients out to SystmOnline, a third-party secure website service for booking appointments, requesting repeat prescriptions and viewing some parts of their medical records.
Secure forms within the SystmOnline site are used to allow Patients to:
- Book an Appointment
- Cancel an Appointment
- Request a Repeat Prescription
- Request a Telephone Consultation
Details entered into secure forms are stored in an encrypted state on the server for up to 28 days. The details submitted are only used for the stated purpose of the form.
Cookies do lots of different jobs, like letting you navigate between pages efficiently, storing your preferences and generally improving your experience of a website. Cookies make the interaction between you and the website faster and easier.
Cookies may be set by the website you are visiting or they may be set by other websites who run content on the page you are viewing.
A cookie is a small text file that a website’s server stores on your computer or mobile device, and only that website will be able to retrieve or read its contents. Each cookie is unique to your web browser. It typically contains a unique identifier, the site name and a short string of characters that allow the website to remember things like your preferences or login.
Some people find the idea of a website storing information on their computer or mobile device a bit intrusive, particularly when this information is stored and used by a third party without them knowing. Although this is generally quite harmless, you may not, for example, want to see advertising that has been targeted to your interests. If you prefer, it is possible to block some or all cookies, or even to delete cookies that have already been set, but you need to be aware that you may lose some functions of that website.
Health Risk Screening / Risk Stratification
Health Risk Screening or Risk Stratification is a process that helps your GP to determine whether you are at risk of an unplanned admission or a deterioration in health. By using selected information such as age, gender, NHS number, diagnosis, existing long term condition(s), medication history, patterns of hospital attendances and admissions, and periods of access to Community Care, your GP will be able to judge if you are likely to need more support and care from time to time, or if the right services are in place to support the local population’s needs.
Risk stratification tools are increasingly being used in the NHS to help determine a person’s risk of suffering from a particular condition, to prevent an unplanned admission or readmission, and to identify a need for preventative intervention. Information about you is collected from a number of sources, including NHS Trusts and this GP Practice. A risk score is then arrived at through an analysis of your pseudonymised information (your identifying details are replaced with a code before analysis) using software managed by North of England Commissioning Support Service (NECS). The result is provided back to the GP Practice or a member of your care team, who can match it to your record, in an identifiable form. Risk stratification enables your GP Practice to focus on the prevention of ill health and not just the treatment of sickness. If necessary, your GP Practice may be able to offer you additional services.
To summarise, risk stratification is used in the NHS to:
- Help decide if a patient is at a greater risk of suffering from a particular condition;
- Prevent an emergency admission;
- Identify if a patient needs medical help to prevent a health condition from getting worse; and/or
- Review and amend provision of current health and social care services
Your GP will routinely conduct the risk stratification process outside of your GP appointment. This process is conducted electronically and without human intervention. The resulting report is then reviewed by a multidisciplinary team of staff within the Practice. This may result in contact being made with you if alterations to the provision of your care are identified.
As mentioned above, you have the right to object to your information being used in this way. However you should be aware that your objection may have a negative impact on the timely and proactive provision of your direct care. Please contact the Practice Manager to discuss how disclosure of your personal data can be limited.
If you have received treatment within the NHS, access to your personal information is required in order to determine which Clinical Commissioning Group (CCG) should pay for the treatment or procedure you have received. The validation of invoices is undertaken within a controlled environment for finance within the North of England CSU (NECS). This is carried out via a section 251 agreement and is undertaken to ensure that the CCG is paying for treatments relating to its patients only. The dedicated NECS team receives patient level information (minimal identifiers are used for this purpose, such as NHS number, post code, date of birth) direct from the hospital providers and undertakes a number of checks to ensure that the invoice is valid and that it should be paid for by the CCG. The CCG does not receive or see any patient level information relating to these invoices. Further information about invoice validation can be found on NHS England’s web site here https://www.england.nhs.uk/ourwork/tsd/ig/in-val/
Legal Obligations to Collect and Use Information
In the circumstances where we are required to use personal identifiable data we will only do this if:
- The information is necessary for your direct healthcare
- We have received written consent from you to use your information for a specific purpose e.g. employment
- There is a legal requirement that will allow us to use or provide information e.g. a formal Court order
- We have permission to do so from the Secretary of State for Health & Social Care to use certain confidential patient identifiable information when it is necessary for our work
- Emergency Planning reasons such as protecting the health and safety of others. Typically these relate to severe weather, outbreaks of diseases and major emergency incidents.
Our Commitment to Data Privacy and Confidentiality Issues
We are committed to protecting your privacy and will only process personal confidential data in accordance with the Data Protection Act 1998 (DPA), the General Data Protection Regulation (GDPR), in force from 2018, the Common Law Duty of Confidentiality and the Human Rights Act 1998. The various laws and rules about using and sharing confidential information, with which St Georges Medical Practice will comply, are set out in ‘A guide to confidentiality in health and social care’, which is published on the NHS Digital website. St Georges Medical Practice also has a local policy on Confidentiality which can be made available on request.
We are legally responsible for ensuring that all personal confidential data that we collect and use (i.e. hold, obtain, record, use or share) about you is handled in compliance with this legislation.
Everyone working for St Georges Medical Practice has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations, and those providing care on behalf of the NHS, will use records about you in ways that respect your rights and promote your health and wellbeing.
All identifiable information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. We use strict controls to ensure that only authorised staff have the ability to see information that identifies you, and only where it is appropriate to their role.
All of our staff receive appropriate and on-going training to ensure they are aware of their personal responsibilities, and they have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. All staff are trained to recognise and report an incident, and to follow the practice’s procedures for investigating, managing and learning lessons from incidents.
We will only retain information in accordance with the schedules set out in the Records Management Code of Practice for Health & Social Care 2016. St Georges Medical Practice’s Records Management Policy includes guidance on the secure destruction of information in line with the code of practice.
Your information will not be sent outside of the European Economic Area where the laws do not protect your privacy to the same extent as the law in the UK.
Consent and Objections
Do I need to give my consent?
The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how their data is used. Used properly, consent helps to build trust between you and the practice.
However consent is only one potential lawful basis for processing information. Therefore your GP practice may not need to seek your explicit consent for every instance of processing and sharing your information, on the condition that the processing is carried out in accordance with this notice.
Your GP Practice will contact you if they are required to share your information for any other purpose which is not mentioned within this notice. Your consent will be documented within your electronic patient record.
If you are happy for your data to be extracted and used for the purposes described in this Privacy Notice, then you do not need to do anything.
If you do not want your personal data being extracted and used for the purposes described in this Privacy Notice, then you need to let us know as soon as possible in writing to the Practice Manager.
Please note that withdrawing your consent from sharing data may, in some circumstances, cause a delay in your receiving care.
What will happen if I withhold my consent or raise an objection?
In some instances, you are allowed to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. To support this patients are able to register objections with the GP Practice to either prevent their identifiable data being released outside of the GP Practice (known as a Type 1 objection) or to prevent their identifiable data from any health and social care setting being released by NHS Digital (known as a Type 2 objection) where in either case it is for purposes other than direct patient care. If your wishes cannot be followed, you will be told the reasons (including the legal basis) for that decision. There are certain circumstances where a person is unable to opt out but these are only where the law permits this such as in adult or children’s safeguarding situations.
You have the right to withdraw your consent at any time for any particular instance of processing, provided consent is the legal basis for that processing. Please contact your GP Practice for further information and to raise your objection.
Change of Details
It is important that you tell the person treating you if any of your details, such as your name or address, have changed, or if any of your details, such as your date of birth, are incorrect, so that they can be amended. You have a responsibility to inform us of any changes so that our records are accurate and up to date for you.
Who is the Data Controller?
The practice is the Data Controller, responsible for keeping your information secure and confidential. Our Data Protection Officer is Liane Cotterill, Senior Governance Manager & Data Protection Officer, who can be contacted at:
North of England Commissioning Support (NECS), Teesdale House, Westpoint Road, Thornaby, Stockton-on-Tees, TS17.
Tel: 01642 745042
Sharing of Electronic Patient Records within the NHS
Electronic patient records are kept in most places where you receive healthcare. Our local electronic system (SystmOne) enables your record to be shared with organisations involved in your direct care, such as:
- GP practices
- Community services such as district nurses, rehabilitation services, telehealth and out of hospital services.
- Child health services that undertake routine treatment or health screening
- Urgent care organisations, minor injury units or out of hours services
- Community hospitals
- Palliative care hospitals
- Care Homes
- Mental Health Trusts
- Social Care organisations
In addition, NHS England have implemented the Summary Care Record which contains information including medication you are taking and any bad reactions to medication that you have had in the past.
In most cases, particularly for patients with complex conditions and care arrangements, the shared electronic health record plays a vital role in delivering the best care and a coordinated response, taking into account all aspects of a person’s physical and mental health. Many patients are understandably not able to provide a full account of their care, or may not be in a position to do so. The shared record means patients do not have to repeat their medical history at every care setting.
Your record will automatically be set up to be shared with the organisations listed above; however, you have the right to ask your GP to disable this function or to restrict access to specific elements of your record. This will mean that the information recorded by your GP will not be visible at any other care setting.
You can also reinstate sharing at any time by giving your permission, which overrides your previous objection.
Summary Care Records (SCR)
The Summary Care Record is a national scheme to share information about the medicines you are prescribed and any allergies or other adverse reactions you have experienced. Health Professionals at other organisations will only be able to access this information with your permission. You can opt-out of the scheme; please ask at the surgery if you need more information or follow the appropriate link on our website.
Summary Care Record with Additional Information
This is a national scheme to share more detailed information including your current medical problems and your care wishes. Health Professionals at other organisations will only be able to access this information with your permission. This information will only be available to other agencies if you have given us your permission to share it.
Your Right of Access to Your Records
The Data Protection Act and the General Data Protection Regulation allow you to find out what information is held about you, including information held within your medical records, whether in electronic or physical format. This is known as the “right of subject access”. If you would like to have access to all or part of your records, you can make a request in writing to the organisation that you believe holds your information. This can be your GP, or a provider that is delivering or has delivered your treatment and care. You should however be aware that some details within your health records may be exempt from disclosure, but only where disclosure would harm your wellbeing or reveal the identity of a third party.
Where information from which you can be identified is held, you also have the right to ask to:
- View this or request copies of the records by making a subject access request – also see below.
- Request information is corrected
- Have the information updated where it is no longer accurate
- Ask us to stop processing information about you where we are not required to do so by law – although we will first need to explain how this may affect the care you receive
The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector.
Under the FOIA you can request any information that the practice holds that does not fall under an exemption. Personal data covered by the Data Protection Act is exempt from FOIA requests; access to your own records is by subject access request instead, as described above.
If you would like access to your GP record please submit your request in writing to:
St Georges Medical Practice, Yarm Road, Middleton St George, Darlington, DL2 1BY.
If you provide us with your mobile phone number we may use this to send you reminders about any appointments or other health screening information being carried out.
We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate.
In the event that you feel your GP Practice has not complied with current data protection legislation, either in responding to your request or in our general processing of your personal information, you should raise your concerns in the first instance in writing to the Practice Manager at:
St Georges Medical Practice, Yarm Road, Middleton St George, Darlington, DL2 1BY.
If you remain dissatisfied with our response you can contact the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF – Enquiry Line: 01625 545700 or online at www.ico.gov.uk