Privacy Notice

We understand how important it is to keep your personal information safe and secure and we take this very seriously. We have taken steps to make sure your personal information is looked after in the best possible way, and we review this regularly.

Please read this privacy notice (‘Privacy Notice’) carefully, as it contains important information about how we use your personal and special category information (for example, healthcare, biometric, genetic) held at the practice.

This Notice describes how we collect, use and process your data, and how, in doing so, we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.

If you are unclear about how we process or use your personal and healthcare information, or you have any questions about this Privacy Notice or any other issue regarding your personal and healthcare information, then please contact our Data Protection Officer.

This Notice explains:

  • Who we are
  • How we use your information and the law
  • Our Data Protection Officer
  • Why do we need your information?
  • Your Summary Care Record
  • Special Category Information-Your Health Data
  • Other NHS and non-NHS organisations who we share your data with and why
  • Your Patient Rights
  • Why NHS Digital collects patient data
  • Opting Out- Type 1 and National Data opt out
  • How long will you store my information?
  • Protecting Patients Data
  • Medicine’s Management
  • Covid-19 and your data
  • PHM Population Health Management
  • Social Prescribers
  • Risk Stratification
  • National Screening Programme
  • Where to make a complaint

Who we are

We, at the (‘the Surgery’) situated at are a Data Controller of your information. This means we are responsible for collecting, storing and handling your personal and healthcare information when you register with us as a patient.

There may be times where we also process your information. That means we use it for a particular purpose and, therefore, on those occasions we may also be Data Processors. The purposes for which we use your information are set out in this Privacy Notice.

How we use your information and the law

The Practice will be what’s known as the ‘Controller’ of the personal data you provide to us.

We are required to provide you with this Privacy Notice by UK law: the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA). It explains how we use the personal and healthcare information we collect, store and hold about you. The Law says:

  • We must let you know why we collect personal and healthcare information about you
  • We must let you know how we use any personal and/or healthcare information we hold on you
  • We need to inform you in respect of what we do with it
  • We need to tell you about who we share it with or pass it on to and why
  • We need to let you know how long we can keep it for.

We collect basic personal data about you which does not include any special types of information or location-based information.  This does however include name, address, contact details such as email and mobile number etc.

We will also collect sensitive confidential data known as “special category personal data”, in the form of health information, religious belief (if required in a healthcare setting), ethnicity, and sex during the services we provide to you and/or linked to your healthcare through other health providers or third parties.

If you are unclear about how we process or use your personal and healthcare information, or you have any questions about this Privacy Notice or any other issue regarding your personal and healthcare information, then please contact our Data Protection Officer.

Our Data Protection Officer

The Data Protection Officer for the Surgery is Kelly-Anne Gast. You can contact her if:

  1. You have any questions about how your information is being held.
  2. You require access to your information or you wish to make a change to your information.
  3. You wish to make a complaint about anything to do with the personal and healthcare information we hold about you.
  4. You have any other query relating to this Policy and your rights as a patient.

Kelly can be contacted here:

kelly@almc.co.uk

Why do we need your information?

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g., NHS Trust, GP Surgery, Walk-in Centre, OOH, etc.). These records help to provide you with the best possible healthcare.

NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which we hold about you may include the following information.

  • Details about you, such as your address, carer, legal representative, emergency contact details
  • Any contact the surgery has had with you, such as appointments, surgery visits, emergency appointments, etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations such as laboratory tests, x-rays etc
  • Relevant information from other health professionals, relatives or those who care for you

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided.

Your Summary Care Record

Your summary care record is an electronic record of your healthcare history (and other relevant personal information) held on a national healthcare records database provided and facilitated by NHS England. This record may be shared with other healthcare professionals and additions to this record may also be made by relevant healthcare professionals and organisations involved in your direct healthcare. You have the choice of what information you would like to share and with whom.

  • Authorised healthcare staff can only view your SCR with your permission.
  • The information shared will solely be used for the benefit of your care.
  • Your options are outlined below.
    • Express consent for medication, allergies and adverse reactions only. You wish to share information about medication, allergies and adverse reactions only.
    • Express consent for medication, allergies, adverse reactions and additional information. You wish to share information about medication, allergies and adverse reactions and further medical information that includes: Your significant illnesses and health problems, operations and vaccinations you have had in the past, how you would like to be treated (such as where you would prefer to receive care), what support you might need and who should be contacted for more information about you.
    • Express dissent for Summary Care Record (opt out). Select this option, if you DO NOT want any information shared with other healthcare professionals involved in your care.

Please note that it is not compulsory for you to complete a consent form. If you choose not to complete a consent form, a Summary Care Record containing information about your medication, allergies and adverse reactions and additional further medical information will be created for you as described in point b) above.

You may have the right to demand that this record is not shared with anyone who is not involved in the provision of your direct healthcare. If you wish to enquire further as to your rights in respect of not sharing information on this record, then please contact our Data Protection Officer.

To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, please visit:

www.nhs.uk/your-nhs-data-matters

Please note: if you do choose to opt out, you can still consent to your data being used for specific purposes. However, if you are happy with this use of information you do not need to do anything. You may however change your choice at any time.

Special Category Information- Your Health Data

The Law states that personal information about your health falls into a special category of information because it is very sensitive. Reasons that may entitle us to use and process your information may be as follows:

PUBLIC INTEREST: Where we may need to handle your personal information when it is in the public interest. For example, when there is an outbreak of a specific disease and we need to contact you for treatment, or we need to pass your information to relevant organisations to ensure you receive advice and/or treatment.

CONSENT: When you have given us consent.

VITAL INTEREST: If you are incapable of giving consent, and we must use your information to protect your vital interests (e.g., if you have had an accident and you need emergency treatment).

DEFENDING A CLAIM: If we need your information to defend a legal claim against us by you, or by another party.

PROVIDING YOU WITH MEDICAL CARE: Where we need your information to provide you with medical and healthcare services.

Retention Period

We carefully consider any personal information that we store about you, and we will not keep your information for longer than is necessary for the purposes as set out in this Privacy Notice.

Other NHS and NON-NHS organisations who we share your data with and why

Sometimes the practice shares information with other organisations that do not directly treat you, for example, Clinical Commissioning Groups (CCG). Normally, it will not be possible to identify you from this information. This information is used to plan and improve services. The information collected includes data such as the area where patients live, age, gender, ethnicity, language preference, country of birth and religion. The CCG also collects information about whether patients have long term conditions such as diabetes, blood pressure, cholesterol levels and medication. However, this information is anonymous, does not include anything written as notes by the GP and cannot be linked to you. (Please note this is not an exhaustive list and will change from practice to practice; the main systems are included in the list below.)

Local Data Sharing Agreements:

Sirona

Sirona Community nurses and other health care professionals can access GP information about people on their caseloads who have recently been discharged from hospital, or who are housebound, or who require longer term rehabilitation from the GP record. This information can be read by the healthcare professional to improve the patient’s care, but they are not able to amend the GP medical record.

*You can find more information available on their website www.sirona-cic.org.uk and view their Privacy Notice directly using this link www.sirona-cic.org.uk/policies.

Connecting Care

Connecting Care* enables a range of health care organisations, including local NHS hospital, the Ambulance Service and the Out of Hours service provided by Brisdoc. This information can be read by the healthcare professional to improve the patient’s care, but they are not able to amend the GP medical record.

*You can find more information available on their website using this link

You can view their Privacy Notice here: www.connectingcarebnssg.co.uk.

www.connectingcarebnssg.co.uk/what-this-means-for-me/what-if-i-don-t-want-my-information-shared

One Care

One Care – This agreement allows patients from the surgery to be seen and treated by GPs from other surgeries in the evening and at weekend. The agreement allows a GP in other localities to access the GP record securely and allows information about the consultation to be written into the record.

*You can find more information available on their website onecare.org.uk. You can view their Privacy Notice using this link onecare.org.uk/privacy-policy.

St Peter’s Hospice

St Peter’s Hospice – this agreement enables hospice staff to read the records of patients in their care. This information can be read by the healthcare professional to improve the patient’s care, but they are not able to amend the GP medical record.

*You can find more information available on their website www.stpetershospice.org.uk and view their Privacy Notice directly using this link www.stpetershospice.org.uk/about/privacy-policy.

AccuRX

AccuRX – AccuRx is a British software company that has developed a messaging service for doctor surgeries to communicate with patients via SMS and Video messaging.

*You can find more information available on their website www.accurx.com and can view their Privacy Notice directly using this link Privacy Policy (accurx.com).

EMIS Health

EMIS Health – formerly known as Egton Medical Information Systems, supplies electronic patient record systems and software used in primary care, acute care and community pharmacy in the United Kingdom.

*You can find more information available on their website www.emishealth.com and can view their Privacy Notice directly using this link www.emishealth.com/legal.

econsult

econsult – Health is a collection of digital triage solutions for Primary and Emergency Care. eConsult enables NHS-based GP practices to offer online consultations to their patients. This allows patients to submit their symptoms or requests to their own GP electronically, and offers around the clock NHS self-help information, signposting to services, and a symptom checker.

*You can find more information available on their website econsult.net and can view their Privacy Notice directly using this link econsult.net/privacy-policies.

Patient Access

Patient Access – Patient Access connects you to local health services when you need them most. Book GP appointments, order repeat prescriptions and discover local health services for you or your family via your mobile or home computer.

*You can find more information available on their website www.patientaccess.com.

www.support.patientaccess.com/privacy-policy

MJOG

MJOG – is the leading automated SMS, Email and Voice patient messaging service which delivers quick and efficient communications between health care providers and their patients across the NHS and private healthcare.

*You can find more information available on their website www.mjog.com.

www.mjog.com/privacy-policy

GetUbetter app

GetUbetter app – provides NHS Organisations with new ways to support people with common MSK conditions via end-to-end digital injury support and condition management. getUBetter – Privacy Policy.

*If you require any further information on any of the above, please do not hesitate to ask the Data Protection Officer Kelly@almc.co.uk

Please note: if you give another person or organisation consent to access your record, we will need to contact you to verify your consent before we release that record. It is important that you are clear and understand how much and what aspects of your record you give consent to be disclosed.

Anonymised Information

Sometimes we may provide information about you in an anonymised form. If we do so, then none of the information we provide to any other party will identify you as an individual and cannot be traced back to you.

Your patient rights

The Law gives you certain rights to your personal and healthcare information that we hold, as set out below:

Right of Access

Subject Access Requests

You have the right to see what information we hold about you and to request a copy of this information.

If you would like a copy of the information we hold about you, please contact a member of the practice or contact our Data Protection Officer kelly@almc.co.uk

We will provide this information free of charge; however, in some limited and exceptional circumstances we may have to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive. We have one month to reply to you and give you the information that you require. We would ask, therefore, that any requests you make are in writing and it is made clear to us what and how much information you require.

Online Access

You may ask us if you wish to have online access to your medical record and there are several ways you can do this, i.e., Patient Access, NHS App. However, there will be certain protocols that we have to follow in order to give you online access, including written consent and production of documents that prove your identity.

Please note that when we give you online access, the responsibility is yours to make sure that you keep your information safe and secure if you do not wish any third party to gain access.

www.nhs.uk/using-the-nhs/nhs-services/the-nhs-app/privacy

Freedom of Information Requests – The Freedom of Information Act 2000 (FOIA) gives you as a patient a general right to certain information held on behalf of public authorities. You can request any non-personal information that the GP practice holds that doesn’t fall under an exemption within Data Protection Law. You can find out more information here: the Information Commissioner’s Office has guidance on making FOI requests, including requests to public bodies: www.ico.org.uk/for-the-public/official-information.

Right to rectification

We want to make sure that your personal information is accurate and up to date. You may ask us to correct any information you think is inaccurate. It is very important that you make sure you tell us if your contact details, including your mobile phone number, have changed.

If considered appropriate, a retrospective entry can be made by a clinician if you have concerns regarding the accuracy of your clinical record.

Right to object

If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply i.e., safeguarding reasons.

We cannot share your information with anyone else for a purpose that is not directly related to your health, e.g., medical research, educational purposes, etc. We would ask you for your consent in order to do this; however, you have the right to request that your personal and healthcare information is not shared by the Surgery in this way. Please note the Anonymised Information section in this Privacy Notice.

Right to withdraw consent

Where we have obtained your consent to process your personal data for certain activities (for example for a research project), or consent to market to you, you may withdraw your consent at any time.

Right to erasure

In certain situations (for example, where we have processed your data unlawfully), you have the right to request us to “erase” your personal data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases) and will only disagree with you if certain limited conditions apply. If we do agree to your request, we will delete your data but will generally assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data are collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so.

You have the right to ask for your information to be removed; however, if we require this information to assist us in providing you with appropriate medical services and diagnosis for your healthcare, then removal may not be possible.

Right of data portability

Even if we already hold your personal data, you still have various rights in relation to it. To get in touch about these, please contact us. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise.

If you wish, you have the right to transfer your data from us to another data controller. We will help with this with a GP-to-GP data transfer and transfer of your hard copy notes. How can you access, amend or move the personal data that you have given to us?

Under 16s

Up until the age of 16 your parents will be able to access your medical information. This means they can discuss your care with staff at the Practice and may request to see copies of your medical information, unless you request us to withhold this information from them.

If you do not want your parents to have access to your medical information, please speak to a member of the Practice team. (Please see separate Privacy Notice for 13–16-year-olds).

Why NHS Digital collects general practice data

NHS Digital is the national custodian for health and care data in England and has responsibility for standardising, collecting, analysing, publishing and sharing data and information from across the health and social care system, including general practice.

NHS Digital collected patient data from general practices using a service called the General Practice Extraction Service (GPES), which has operated for over 10 years and now needs to be replaced.

NHS Digital has engaged with doctors, patients, data and governance experts to design a new approach to collect data from general practice that:

  • reduces burden on GP practices
  • explains clearly how data is used
  • supports processes that manage and enable lawful access to patient data to improve health and social care

In a letter to all GPs, 19 July 2021, Parliamentary Under Secretary of State Jo Churchill set out a new process for commencing data collection, moving away from a previously fixed date of 1 September.

  • Your GP holds your health record, and it is used by them and other parts of the NHS for your direct care.
  • NHS Digital also uses some of this data for research, planning, and improving the NHS for everyone.

About the General Practice Data for Planning and Research programme

NHS Digital is making improvements to how data is collected from general practice. This new framework for data extraction is called the General Practice Data for Planning and Research data collection (GPDPR). The goal of this new system is to:

  • reduce burden on GP practices in managing access to patient data and maintain compliance with relevant data protection legislation
  • improve protections through the consistent and rigorous review of all applications for access to patient data
  • make it easier for patients to understand how their health and care data is being used, including increasing use of Trusted Secure Environments that avoid data flowing outside the NHS

This new NHS Digital service will collect data from GP practices in England and will analyse, publish statistical data and provide safe, secure, lawful and appropriate access to GP data for health and social care purposes. This will include planning, commissioning, policy development, public health purposes (including COVID-19) and research.

NHS Digital is engaging with the British Medical Association (BMA), Royal College of General Practitioners (RCGP) and the National Data Guardian (NDG) to ensure relevant safeguards are in place for patients and GP practices.

Protecting patient data

All data will be pseudonymised and encrypted by your GP system suppliers on your behalf before it is transferred to NHS Digital. Access to GP data will only be via a Trusted Research Environment (TRE) and never copied or shipped outside the NHS secure environment, except where individuals have consented to their data being accessed, e.g., written consent for a research study.

As with the COVID-19 collection, access to the data will be through the NHS Digital Data Access Request Service (DARS) and will be subject to a robust approvals process, which includes oversight by the Independent Group Advising on Release of Data (IGARD) and a Professional Advisory Group, which is made up of representatives from the BMA and RCGP.

TYPE 1 OPT OUTS – Opting out of sharing your Data outside your GP Practice

If you don’t want your identifiable patient data to be shared for purposes except for your own care, you can opt-out by registering a Type 1 Opt-out or a National Data Opt-out, or both.

These opt-outs are different, and they are explained in more detail below. Your individual care will not be affected if you opt-out using either option.

Opt-outs

We want to make the position around opt-out much simpler. While 1 September has been seen by some as a cut-off date for opt-out, after which data extraction would begin, I want to reassure you that this will not be the case and data extraction will not commence until we have met the tests.

We are introducing three changes to the opt-out system which mean that patients will be able to change their opt-out status at any time:

  • Patients do not need to register a Type 1 opt-out by 1 September to ensure their GP data will not be uploaded
  • NHS Digital will create the technical means to allow GP data that has previously been uploaded to the system via the GPDPR collection to be deleted when someone registers a Type 1 opt-out
  • The plan to retire Type 1 opt-outs will be deferred for at least 12 months while we get the new arrangements up and running, and will not be implemented without consultation with the RCGP, the BMA and the National Data Guardian

Together, these changes mean that patients can have confidence that they will have the ability to opt-in or opt-out of the system, and that the dataset will always reflect their current preference. And we will ensure it is easy for them to exercise the choice to opt out.

National Data Opt-Outs (opting out of NHS Digital sharing your data)

  • NHS Digital will collect data from GP medical records about patients who have registered a National Data Opt-out. The National Data Opt-out applies to identifiable patient data about your health, which is called confidential patient information.
  • NHS Digital won’t share any confidential patient information about you – this includes GP data, or other data we hold, such as hospital data – with other organisations, unless there is an exemption to this. For example, if we have a legal obligation to share the data or if it is in the public interest.
  • To find out more information about this and how to register a National Data Opt-Out, please read the GP Data for Planning and Research Transparency Notice.

Data Security and Governance

The Government has committed that access to GP data will only be via a Trusted Research Environment (TRE) and never copied or shipped outside the NHS secure environment, except where individuals have consented to their data being accessed, e.g., written consent for a research study. This is intended to give both GPs and patients a very high degree of confidence that their data will be safe, and their privacy protected.

Once the data is collected, it will only be used for the purposes of improving health and care. Patient data is not for sale and will never be for sale.

Transparency, communications and engagement

NHS Digital are developing a communications strategy delivered through four phases.

  • Listening – where we listen to stakeholders and gather views on how best to communicate with the profession, patients and the public and give them the opportunity to inform the development of the programme in areas such as opt-outs, trusted research environments and other significant areas
  • Consultation – a series of events where we can explain the programme, listen and capture feedback and co-design the information campaign
  • Demonstration – show how feedback is being used to develop the programme and shape communications to the healthcare system and the public
  • Delivery – of an information campaign to inform the healthcare system and the public about changes to how their GP data is used, that utilises the first three phases to ensure the campaign is accessible, has wide reach and is effective

Data saves lives. The vaccine rollout for COVID-19 could not have been achieved without patient data. The discovery that the steroid Dexamethasone could save the lives of one third of the most vulnerable patients with COVID-19 – those on ventilators – could not have been made without patient data from GP practices in England. That insight has gone on to save a million lives around the globe. That is why this programme is so important.

The NHS Digital web pages also provide further information at www.digital.nhs.uk – General Practice Data for Planning and Research (GPDPR).

Q&A NHS Digital & Data Collections

Why NHS Digital collects general practice data?

  • NHS Digital is the national custodian for health and care data in England and has responsibility for standardising, collecting, analysing, publishing and sharing data and information from across the health and social care system, including general practice.
  • NHS Digital collected patient data from general practices using a service called the General Practice Extraction Service (GPES), now known as GPDPR, which has operated for over 10 years and now needs to be replaced.
  • NHS Digital has engaged with doctors, patients, data and governance experts to design a new approach to collect data from general practice that:
    • reduces burden on GP practices
    • explains clearly how data is used
    • supports processes that manage and enable lawful access to patient data to improve health and social care

Does NHS Digital sell my Data to third parties?

The NHS shares some data, in which nobody can identify you, with trusted third parties, in order to improve the NHS for you and everyone else.

This includes with:

  • NHS planners
  • university researchers
  • scientists researching medicines

We only share data when there is a proven benefit to the NHS, and access is strictly controlled.

Your data won’t be shared with

  • Your data is not shared for commercial purposes
  • Your data is not shared with insurers
  • Your data is not sold

Opting out

If you don’t want your identifiable patient data to be shared for purposes except for your own care, you can opt-out by registering a Type 1 Opt-out or a National Data Opt-out, or both. These opt-outs are different, and they are explained in more detail below. Your individual care will not be affected if you opt-out using either option.

Type 1 Opt-out (opting out of NHS Digital collecting your data)

Collect data from GP practices about patients who have registered a Type 1 Opt-out with their practice. More information about Type 1 Opt-outs is in our GP Data for Planning and Research Transparency Notice, including a form that you can complete and send to your GP practice.

If you register a Type 1 Opt-out after this collection has started, no more of your data will be shared with us. We will however still hold the patient data which was shared with us before you registered the Type 1 Opt-out.

If you do not want NHS Digital to share your identifiable patient data with anyone else for purposes beyond your own care, then you can also register a National Data Opt-out.

National Data Opt-out (opting out of NHS Digital sharing your data)

Collect data from GP medical records about patients who have registered a National Data Opt-out. The National Data Opt-out applies to identifiable patient data about your health, which is called confidential patient information.

NHS Digital won’t share any confidential patient information about you – this includes GP data, or other data we hold, such as hospital data – with other organisations, unless there is an exemption to this.

To find out more information and how to register a National Data Opt-Out, please read our GP Data for Planning and Research Transparency Notice and see our infographic of how data currently flows.

NHS Digital

NHS Digital is a national body which has legal responsibilities to collect information about health and social care services. It collects information from across NHS providers in England and provides reports on how the NHS is performing. These reports help plan and improve services to patients. This practice must comply with the law and send data to NHS Digital when it is told to do so by the Secretary of State for Health or NHS England under the Health & Social Care Act 2012.

More information about NHS Digital and how it uses information can be found at:  www.digital.nhs.uk/home.

How the NHS uses your information: National Data Opt-Out

The Practice is one of many organisations working in the health and care system to improve care for patients and the public.

National Data Opt-out (opting out of NHS Digital sharing your data)

General Practice Data for Planning and Research (GPDPR) – NHS Digital.

NHS Digital will collect data from GP medical records about patients who have registered a National Data Opt-out. The National Data Opt-out applies to identifiable patient data about your health, which is called confidential patient information.

NHS Digital won’t share any confidential patient information about you – this includes GP data, or other data we hold, such as hospital data – with other organisations, unless there is an exemption to this.

To find out more information and how to register a National Data Opt-Out, please read our GP Data for Planning and Research Transparency Notice.

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. The Practice is currently compliant with the national data opt-out policy.

How long will we store your information?

We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records management code of practice for health and social care and national archives requirements.

More information on records retention can be found online at www.digital.nhs.uk – Records Management Code of Practice for Health and Social Care 2016.

How do we lawfully use your data?

We need to know your personal, sensitive and confidential data in order to provide you with healthcare services as a General Practice. Under the General Data Protection Regulation, we will be lawfully using your information in accordance with:

  • Article 6 (e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Article 9 (h): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

This Privacy Notice applies to the personal data of our patients and the data you have given us about your carers/family members.

Your Summary Care Record

Your summary care record is an electronic record of your healthcare history (and other relevant personal information) held on a national healthcare records database provided and facilitated by NHS England. This record may be shared with other healthcare professionals and additions to this record may also be made by relevant healthcare professionals and organisations involved in your direct healthcare. You have the choice of what information you would like to share and with whom.

  • Authorised healthcare staff can only view your SCR with your permission.
  • The information shared will solely be used for the benefit of your care.
  • Your options are outlined below.
    • Express consent for medication, allergies and adverse reactions only. You wish to share information about medication, allergies and adverse reactions only.
    • Express consent for medication, allergies, adverse reactions and additional information. You wish to share information about medication, allergies and adverse reactions and further medical information that includes: your significant illnesses and health problems, operations and vaccinations you have had in the past, how you would like to be treated (such as where you would prefer to receive care), what support you might need and who should be contacted for more information about you.
    • Express dissent for Summary Care Record (opt out). Select this option, if you DO NOT want any information shared with other healthcare professionals involved in your care.

Please note that it is not compulsory for you to complete a consent form. If you choose not to complete a consent form, a Summary Care Record containing information about your medication, allergies and adverse reactions and additional further medical information will be created for you as described in point b) above.

You may have the right to demand that this record is not shared with anyone who is not involved in the provision of your direct healthcare. If you wish to enquire further as to your rights in respect of not sharing information on this record, then please contact our Data Protection Officer.

To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, please visit:

www.nhs.uk/your-nhs-data-matters.

Please note: if you do choose to opt out, you can still consent to your data being used for specific purposes. However, if you are happy with this use of information you do not need to do anything. You may however change your choice at any time.

Risk Stratification

Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from several sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information and is only provided back to your GP, as data controller, in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services. Please note that you have the right to opt out of your data being used in this way; however, you should be aware that your decision may have a negative impact on the timely and proactive provision of your direct care.

National screening programs

The NHS provides national screening programs so that certain diseases can be detected at an early stage. These screening programs include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service.

The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening program.

More information can be found at www.gov.uk/topic/population-screening-programmes.

Medicines Management

The Practice may conduct Medicines Management reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments.

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 2018
  • The General Data Protection Regulations 2016
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Access to Medical Records Act 1990
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality, Information Security and Records Management
  • Information: To Share or Not to Share Review

All our staff receive appropriate and regular training to ensure they are aware of their personal responsibilities and have legal and contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Our staff have access to personal information where it is appropriate to their role and is strictly on a need-to-know basis. Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e., life or death situations), where the law requires information to be passed on and / or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.

Our practice policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the General Data Protection Regulations (GDPR) and all UK specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be protected.

All employees and sub-contractors engaged by our practice are asked to sign a confidentiality agreement. The practice will, if required, sign a separate confidentiality agreement if the client deems it necessary.  If a sub-contractor acts as a data processor for Walkden Medical Centre an appropriate contract (art 24-28) will be established for the processing of your information.

In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact the Practice Manager in writing if you wish to withdraw your consent.  In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose in an identifiable format.   In some circumstances you can Opt-out of the surgery sharing any of your information for research purposes.

We would however like to use your name, contact details and email address to inform you of services that may benefit you, with your consent only. There may be occasions where authorised research facilities would like you to take part in innovations, research, improving services or identifying trends.

At any stage where we would like to use your data for anything other than the specified purposes and where there is no lawful requirement for us to share or process your data, we will ensure that you have the ability to consent and opt out prior to any data processing taking place.
This information is not shared with third parties or used for any marketing and you can unsubscribe at any time via phone, email or by informing the Practice Manager.

Updating your records

Under your ‘Right to rectification’ you can ask us to amend your details at any time if they are incorrect. For example, if you change your address or if you need to update your mobile or email address with us. It’s important that we have the most up to date contact details for you as we may need to contact you in the event of an emergency. If you do provide us with your mobile phone number, we may use this to send you reminders about any appointments or other health screening information being carried out. You can opt out of being contacted if you wish to, but we may need to contact you due to public interest, for example for COVID reasons. This is usually a government requirement that we must comply with by law, so we will have a legal obligation to do so under GDPR Article 6 (c).

Third Parties

Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to confidentiality, are removed before we send any information to any other party including yourself. Third parties can include: spouses, partners, and other family members.

Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations.

  • NHS Trusts / Foundation Trusts
  • Out of Hours / Extended Hours services 111
  • GPs
  • NHS Commissioning Support Units
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • NHS England (NHSE) and NHS Digital (NHSD)
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • Other ‘data processors’

You will be informed who your data will be shared with and, in some cases, asked for consent for this to happen when this is required.

We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.

Social Prescribers

Social prescribing is when health professionals refer patients to support in the community, in order to improve their health and wellbeing. The concept has gained support in the NHS organisations of the United Kingdom as well as in Ireland and the Netherlands and forms part of the NHS Long Term Plan, also known as the NHS 10-Year Plan.

The practice uses the following Social Prescribers, who will have access to your data for these specified purposes and will ask for your consent before any information is shared between your GP and the social prescriber. There will also be a Data Sharing Agreement between the practice and the Social Prescriber so that we all keep your information safe.

At Montpelier Health Centre, we use Wellspring Healthy Living Centre.

At Pilning Surgery, we use Southern Brooks Community Partnerships.

All our Social Prescribers use a system called Elemental when they receive a patient referral which has been approved by the NHS.

Elemental Software offers a social prescribing platform that helps scale and measure the impact of social prescribing projects. The partnership will see EMIS Health deliver Elemental’s Social Prescription Connector to GP practices. The hope is that connecting primary care to social prescribing data will free up GP appointments while also helping patients make positive lifestyle changes. For their privacy notice, see Privacy Policy – Elemental Software.

What is Population Health Management?

This work is aimed at improving the health of an entire population.

It is about improving the physical and mental health outcomes and wellbeing of people and making sure that access to services is fair and equal. It helps to reduce the occurrence of ill-health and looks at all the wider factors that affect health and care.

The project requires health care organisations to work together with communities and partner agencies. The organisations will share information with each other in order to get a view of health and services for the population in a particular area.

In your area, a population health management programme has been introduced. The programme will combine information from GP practices, community service providers, hospitals and other health and care providers.

How Will my Personal Data be Used?

The information will include information about your health care.

The information will be combined and anything that can identify you (like your name or NHS Number) will be removed and replaced with a code.

This means that the people working with the data will only see the code and cannot see which patient the information relates to.

If we see that an individual might benefit from some additional care or support, we will send the information back to your GP or hospital provider and they will use the code to identify you and offer you services.

The information will be used for a number of healthcare related activities such as:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

Who Will My Personal Data Be Shared With?

Your GP and hospital providers will send the information they hold on their systems to the South Central and West Commissioning Support Unit, who are part of NHS England.

They will link all the information together in order to review and make decisions about the whole population or particular patients that might need support. During this process any identifiable data will be removed before it is shared with Optum Healthcare.

Both the Commissioning Support Unit and Optum are required to protect your information and maintain confidentiality in the same way that your doctor or hospital provider is.

Is Using My Information in This Way Lawful?

Health Care Providers are permitted by data protection law to use information where it is ‘necessary for medical purposes’. This includes caring for you directly as well as management of health services more generally.

Some of the work that happens at a national level with your information is required by other parts of the law. For more information, speak to our Data Protection Officer.

Sharing and using your information in this way helps to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law and in the majority of cases, anonymised data is used so that you cannot be identified.

What will Happen to My Information When the Project is Finished?

Once the 20-week programme has completed, the information will be securely destroyed.

Can I Object?

You have a right to object to information being used in this way.

You also have a number of other information rights. See our main privacy policy for more information.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.

We also collect personal information about you when it is sent to us from the following:

  • a hospital, a consultant or any other medical or healthcare professional, or any other person involved with your general healthcare.
  • Avon & Somerset Police Firearms department
  • Court Orders
  • Immigration matters
  • Solicitors
  • Fire Brigade
  • Social Services
  • Education

CORONAVIRUS PANDEMIC - DATA PROTECTION

The ICO recognises the unprecedented challenges the NHS and other health professionals are facing during the Coronavirus (COVID-19) pandemic.

The ICO also recognises that ‘Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.’

The Government have also acted in respect of this and on 20th March 2020 the Secretary of State for Health and Social Care issued a Notice under Regulation 3(4) of The Health Service (Control of Patient Information) Regulations 2002 requiring organisations such as GP Practices to use your information to help GP Practices and other healthcare organisations to respond to and deal with the COVID-19 pandemic.

In order to look after your healthcare needs during this difficult time, we may urgently need to share your personal information, including medical records, with clinical and non-clinical staff who belong to organisations that are permitted to use your information and need to use it to help deal with the Covid-19 pandemic. This could (amongst other measures) consist of either treating you or a member of your family and enable us and other healthcare organisations to monitor the disease, assess risk and manage the spread of the disease.

Please be assured that we will only share information and health data that is necessary to meet your and the public’s healthcare needs.

The Secretary of State for Health and Social Care has also stated that these measures are temporary and will expire on 30th September 2021 unless a further extension is required. Any further extension will be provided in writing and we will communicate the same to you.

Please also note that the data protection and electronic communication laws do not stop us from sending public health messages to you, either by phone, text or email as these messages are not direct marketing.

It may also be necessary, where the latest technology allows us to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind.

If you are concerned about how your information is being used, please contact our DPO using the contact details provided in this Privacy Notice.

Information Commissioner

Objections / Complaints

Should you have any concerns about how your information is managed at the GP practice, please contact the Practice Manager.

If you are still unhappy following a review by the GP practice, you have a right to lodge a complaint with the UK supervisory authority, as below.

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 01625 545745

www.informationcommissioner.gov.uk

If you are happy for your data to be extracted and used for the purposes described in this privacy notice, then you do not need to do anything. If you have any concerns about how your data is shared, then please contact the Practice Manager.

If you would like to know more about your rights in respect of the personal data we hold about you, please contact the Data Protection Officer as stated in section 2.

Our practice website

The only website this Privacy Notice applies to is the Surgery’s website. If you use a link to any other website from the Surgery’s website, then you will need to read their respective privacy notice. We take no responsibility (legal or otherwise) for the content of other websites.

If English isn’t your first language

If English is not your first language you can request a translation of this Privacy Notice. Please contact our Data Protection Officer.

Cookies

The Surgery’s website uses cookies. For more information on which cookies we use and how we use them, please contact our Data Protection Officer.

Security

We take the security of your information very seriously and we do everything we can to ensure that your information is always protected and secure. We regularly update our processes and systems, and we also ensure that our staff are properly trained. We also carry out assessments and audits of the information that we hold about you and make sure that if we provide any other services, we carry out proper assessments and security reviews.

Data Storage

NHS Digital sub-contract Amazon Web Services (AWS) to store your patient data. We have been informed that the data will always remain in the UK and will be fully encrypted both in transit and at rest. We have further been advised that AWS offers the very highest levels of security and support. The Practice do not have any influence over how the data is stored as this is decided centrally by NHS Digital.

This Privacy Notice was last updated 29/07/2021 by the Data Protection Officer Kelly-Anne Gast ALMC