Privacy Notice for Trinity Surgery

How we use your information to provide you with healthcare

• This practice keeps medical records confidential and complies with the General Data Protection Regulation and UK data protection legislation.

 

• We hold your medical record so that we can provide you with safe care and treatment.

 

• We will also use your information so that this practice can check and review the quality of the care we provide. This helps us to improve our services to you.

 

• We will share relevant information from your medical record with other health or social care staff organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital, or your GP will send details about your prescription to your chosen pharmacy.

 

• We use a medical record system called SystmOne. Other health and social care organisations, for example GP Out of Hours services and community services, who also use this system may have the ability to view your GP medical record when they are providing care to you. You may be asked if you are happy for your record to be viewed, or in some circumstances you may be sent a verification code to allow services caring for you to view your record. You can choose not to allow other organisations to be able to view your GP medical record.

 

• Healthcare staff working in A&E and out of hours care may also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions. This information may be obtained from your Summary Care Record or from SystmOne. For more information see https://digital.nhs.uk/summary-care-records

 

• You have the right to request to have any mistakes in your medical record corrected.

Other important information about how your information is used to provide you with healthcare

Registering for NHS care

 

• All patients who receive NHS care are registered on a national database.

 

• This database holds your name, address, date of birth and NHS Number but it does not hold medical information about the care you receive.

 

• The database is held by NHS Digital, a national organisation which has legal responsibilities to hold the NHS register.

 

• More information can be found at: https://digital.nhs.uk/services/systems-and-service-delivery/national-health-application-and-infrastructure-services/primary-care-registration or the phone number for general enquires at NHS Digital is 0300 303 5678

 

 

 

 

Identifying patients who might be at risk of certain diseases

 

• Your medical records may be searched by approved computer programmes so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital.

 

• This means we can offer patients additional care or support as early as possible.

 

• This process may involve linking information from your GP record with information from other health or social care services you have used.

 

 

Safeguarding

 

• Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm.

 

• These circumstances are rare.

 

• We do not need your consent or agreement to share information in these circumstances, as we are required to do this.

 

• Please see local policies for more information: http://www.safeguardingpeterborough.org.uk/

 

We are required by law to provide you with the following information about how we handle your information to provide you with healthcare.

 

Purpose of the processing

• To provide direct health or social care to individual patients.

 

• For example, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care.

 

• To check and review the quality of care. This is called audit and clinical governance.

Lawful basis for processing

• These purposes are supported under the following sections of the General Data Protection Regulation:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...” 

• Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.

Recipient or categories of recipients of the processed data

The data will be shared with:

• healthcare professionals and staff in this surgery;
• local hospitals;
• out of hours services;
• diagnostic and treatment centres;
• screening services;
• or other organisations involved in the provision of direct care to individual patients.

 

• Organisations who help us manage our data for specific purposes, and under formal agreement, include:
• Serco-ASP who provide our End of Life Care Dashboard for clinicians caring for patients who are terminally ill. For more information: http://www.sercoasp.com/

 

• Cambridgeshire & Peterborough NHS Foundation Trust who help identify patients who are frail and may require additional care services. For more information: http://www.cpft.nhs.uk/

 

• ICS Health and Wellbeing who send letters to patients on our behalf, inviting patients to attend a diabetes prevention service where we have identified them as being at risk of developing diabetes. For more information: https://icshealth.co.uk/

 

• Cambridgeshire County Council who collaborates with surgeries to ensure all patients aged +14years with a learning disability within the Cambridgeshire Primary Care Trust are being offered an Annual Learning Disability Health Check. For more information: https://www.cambridgeshire.gov.uk/residents/working-together-children-families-and-adults/working-with-partners/cambridgeshire-learning-disability-partnership-ldp/

 

• Cambridgeshire and Peterborough Integrated Care System has commissioned the Joy Digital Platform.   Joy is a social prescribing software and is a tool to refer patients to non-clinical services and manage caseloads. Joy can be used to add data to the patient’s electronic health record but it is not a replica or substitution for a patient's medical record. Information added to the patient’s medical record by Joy does form part of the medical record and the system administrators in EMIS and SystmOne will be configuring their clinical systems to allow patient’s to access their medical record in line with the current legislation changes.

 

• Greater Peterborough Network who provide clinical support and social prescribing for patients

 

• C&P Integrated Care System who improve quality, safety and efficiency through analysis of data.

 

• Integrated Neighbour Hood Team, North Place who Access patient data to improve health outcomes – PHM Programme

 

• National Services for Health Improvement Ltd which is an independent service provider delivering healthcare strategies to improve health outcomes.

 

• iPlato who provided East of England cervical screening booking services.

 

 

• Everyone Health Ltd, This Data Sharing Agreement (DSA) provides a framework and basis for the sharing of outcome data back from Everyone Health to Parsons Drove Surgery for the purpose of service and referral outcome monitoring. https://everyonehealth.co.uk

 

 

Right to object

 

• You have the right to request to object to information being shared between organisations who are providing you with direct care.

 

• This may affect the care you receive.

 

• You are not able to object to your name, address and other demographic information being sent to, and held by, NHS Digital.

 

• This is necessary if you wish to be registered to receive NHS care.

 

• You are not able to object when information is legitimately shared for safeguarding reasons.

 

• In appropriate circumstances it is a legal and professional requirement to share information for safeguarding reasons. This is to protect people from harm.

 

• The information will be shared with the local safeguarding service(s).

 

Data we get from other organisations

• We receive information about your health from other organisations who are involved in providing you with health and social care.

 

• For example, if you go to hospital for treatment or an operation the hospital will send us a letter to let us know what happens. This means your GP medical record is updated when you receive care from other organisations.

How your information is used for medical research and to measure the quality of care

Medical research using population-based information

We share information from medical records:

• to support medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best;

 

• we will also use your medical records to carry out research within the practice.

This is important because:

• the use of information from GP medical records is very useful in developing new treatments and medicines;

 

• medical researchers use information from medical records to help answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive.

 

• We share information with the following medical research organisations with your explicit consent or when the law allows: National Institute for Health Research, Clinical Practice Research Datalink, NIHR Clinical Research Network (CRN) Eastern

 

• You have the right to object to your identifiable information being used or shared for medical research purposes.

Medical research trials that individual patients may agree to take part in

• If the practice takes part in a medical research trial, individual patients may be invited to be part of the trial. In order to take part, patients will be asked to consent to their data being used and shared for the particular research trial.

Checking the quality of care – national clinical audits

This practice contributes to national clinical audits so that healthcare can be checked and reviewed.

• Information from medical records can help doctors and other healthcare workers measure and check the quality of care which is provided to you.

 

• The results of the checks or audits can show where hospitals are doing well and where they need to improve.

 

• The results of the checks or audits are used to recommend improvements to patient care.

 

• Data is sent to NHS Digital which is a national body with legal responsibilities to collect data.

 

• The data will include information about you, such as your NHS Number and date of birth and information about your health which is recorded in coded form - for example the code for diabetes or high blood pressure.

 

• We will only share your information for national clinical audits or checking purposes when the law allows.

 

• For more information about national clinical audits see the Healthcare Quality Improvements Partnership website: https://www.hqip.org.uk/ or phone 020 7997 7370.

 

• You have the right to object to your identifiable information being shared for national clinical audits.

 

We are required by law to provide you with the following information about how we handle your information for research.

 

Purpose of the processing

• Medical research, and to check the quality of care which is given to patients (this is called national clinical audit).

Lawful basis for processing

The following sections of the General Data Protection Regulation mean that we can use medical records for research and to check the quality of care (national clinical audits)

• Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.

For medical research: there are two possible Article 9 conditions.

• Article 9(2)(a) – ‘the data subject has given explicit consent…’ (where an individual has agreed to take part in a specific research trial)

OR

• Article 9(2)(j) – ‘processing is necessary for… scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’. (where data is used for medical research using population based information)

To check the quality of care (clinical audit):

• Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services...’

Recipient or categories of recipients of the processed data

• For medical research the data will be shared with NHS Digital, National Institute for Health Research, Clinical Practice Research Datalink,

 

• For national clinical audits which check the quality of care the data will be shared with NHS Digital.

Rights to object and the national data opt-out

• Most of the time, anonymised data is used for research and planning so that you cannot be identified.

 

• From 25^th May 2018, the national data opt-out enables you have a choice about whether you want your identifiable confidential patient information to be used for research and planning.

 

• To find out more or to register your choice under the national data opt-out, please visit nhs.uk. You can change your mind about your choice at any time.

 

How your information is shared so this practice can meet legal requirements

The law requires the practice to share information from your medical records in certain circumstances. Information is shared so that the NHS or Public Health England can, for example:

• plan and manage services;
• check that the care being provided is safe;
• prevent infectious diseases from spreading.

 

We will share information with NHS Digital, the Care Quality Commission and local health protection team (or Public Health England) when the law requires us to do so. Please see below for more information.

 

We must also share your information if a court of law orders us to do so.

NHS Digital

• NHS Digital is a national body which has legal responsibilities to collect information about health and social care services.

 

• It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients.

 

• This practice must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012.

 

• NHS England has established the National Obesity Audit (NOA).  The NOA data collection supports the NHS Long Term Plan, which aims to provide better outcomes for the patient in relation to adult and child weight management services

National Obesity Audit: NHS England Transparency Notice - NHS Digital

 

• NHS Digital is supporting the government response to the Coronavirus outbreak. More details are available at: Coronavirus (COVID-19) response transparency notice - NHS Digital

 

• More information about NHS Digital and how it uses information can be found at:

https://digital.nhs.uk/home

 

• NHS Digital sometimes shares names and addresses of patients suspected of committing immigration offences with the Home Office. More information on this can be found here: https://www.gov.uk/government/publications/information-requests-from-the-home-office-to-nhs-digital

This practice is supporting vital health and care planning and research by sharing your data with NHS Digital. For more information about this see the GP Practice Privacy Notice for General Practice Data for Planning and Research."

 

NHSE/I Population Health Management Development Programme - Cambridgeshire and Peterborough ICS

PHM is about improving the physical and mental health outcomes and wellbeing of people and making sure that access to services is fair, timely, and equal. It helps to reduce the occurrence of ill-health and looks at all the wider factors that affect health and care.

 

This programme of work is aimed at improving the health of both local and national populations. It is being implemented across the NHS and this Practice is taking part in a programme extending across Cambridgeshire and Peterborough.

 

Population Health Management requires health and social care, to work together with communities and partner agencies, for example, GP practices, community service providers, hospitals and other health and social care providers. The organisations will share and combine de-identified information (where information identifying you has been removed) with each other in order to get a view of health and services for the population in a particular area. This information sharing is subject to robust security arrangements and risk assessments.

How will my Personal Information be used?

 

The information needed for this Programme will include information about your health and social care. Information about you and your care will be used in the programme, but in a format that does not directly identify you which we refer to within this privacy notice as pseudonymised. This information will be combined and anything that can identify you (like your name or NHS Number) will be removed and replaced with a unique code. This means that the people working with the data will only see the code and cannot see which patient the information relates to.

 

The information will be used for a number of health and social care related activities such as:

 

• Identifying groups of patients that could benefit from direct interventions
• improving the quality and standards of care provided
• research into the development of new treatments
• preventing illness and diseases
• monitoring safety
• planning services

 

If the PHM programme sees that an individual might benefit from some additional care or support, the programme will send the information back to your GP or hospital provider and they will use the code to identify you and offer you relevant services.

 

Who will my personal information be shared with?

 

Your GP and other care providers will send the information they hold on their systems to the North of England Commissioning Support Unit (NECS) https://www.necsu.nhs.uk/ , who are part of NHS England. NHS Digital (who already holds information about other health and care attendances), will also send the information they hold to NECS. Social care data will also be provided by the Local Authority.

 

NECS will then de-identify (pseudonymise) all the data before sharing the data with Optum Health Solutions UK https://www.optum.co.uk/ who have been contracted by NHS England to link, combine, and analyse the data during the programme.

 

Both NECS and Optum are legally obliged to protect your information and maintain confidentiality in the same way that your GP or hospital provider is.

 

What will happen to my Personal Information when the Project is Finished?

 

On completion of the 22 week programme all data will be securely destroyed from NECS and Optum servers and a certificate of destruction provided to you GP surgery and other healthcare provider. This will not affect personal information already held by your GP or other health and social care providers.

Is using my personal data in this way lawful

Health Care Providers are permitted by data protection law to use information where it is “necessary for medical purposes”. This includes caring for you directly as well as management of health services more generally.

Sharing and using your information in this way helps to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used where allowed by law and in this case, anonymised data is used so that you cannot be identified.

This programme’s legal basis for sharing your information is GDPR Article 6 (1) (e)  “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”

 

Can I object to my data being used as part of this programme.

 

Yes. You have the right to opt out of sharing your personal data being used in this way. You can do this in two ways:

1. Opt out of all sharing of your data for other uses outside your GP Practice

This is called a Type 1 opt out and you should request this directly to us, your GP practice. This will be applied not only to this programme but to any others we take part in.

2. National Data Opt-out (opting out of NHS Digital sharing your data)

You can find out more about and register a National Data Opt-out, or change your choice on nhs.uk/your-nhs-data-matters or by calling 0300 3035678.

This applies to identifiable patient data about your health which is called confidential patient information. If you don’t want your confidential patient information to be shared by NHS Digital with other organisations for purposes except your own care - either GP data, or other data it holds, such as hospital data - you can register a National Data Opt-out.

If you have registered a National Data Opt-out, NHS Digital won’t share any confidential patient information about you with other organisations, unless there is an exemption to this, such as where there is a legal requirement or where it is in the public interest to do so, such as helping to manage contagious diseases like coronavirus. You can find out more about exemptions on the NHS website.

Care Quality Commission (CQC)

• The CQC regulates health and social care services to ensure that safe care is provided.

 

• The law says that we must report certain serious events to the CQC, for example, when patient safety has been put at risk.

 

• For more information about the CQC see: http://www.cqc.org.uk/

 

Public Health

• The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population.

 

• We will report the relevant information to local health protection team or Public Health England.

 

• For more information about Public Health England and disease reporting see: https://www.gov.uk/guidance/notifiable-diseases-and-causative-organisms-how-to-report

 

We are required by law to provide you with the following information about how we handle your information and our legal obligations to share data.

 

Purpose of the processing

 

• Compliance with legal obligations or court order.

 

Lawful basis for processing

 

The following sections of the General Data Protection Regulation mean that we can share information when the law tells us to:

• Article 6(1)(c) – ‘processing is necessary for compliance with a legal obligation to which the controller is subject…’

 

• Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services...’

Recipient or categories of recipients of the processed data

• The data will be shared with NHS Digital.
• The data will be shared with the Care Quality Commission.
• The data will be shared with our local health protection team or Public Health England.
• The data will be shared with the court if ordered.

Rights to object and the national data opt-out

• There are very limited rights to object when the law requires information to be shared but government policy allows some rights of objection as set out below.

NHS Digital

• You have the right to object to your identifiable information being shared with NHS Digital for reasons other than your own direct care.

 

• This is called a ‘Type 1’ opt-out – you can ask your practice to apply this code to your record.

 

• https://digital.nhs.uk/about-nhs-digital/our-work/keeping-patient-data-safe/how-we-look-after-your-health-and-care-information/your-information-choices/opting-out-of-sharing-your-confidential-patient-information

 

• From 25^th May 2018, the national data opt-out enables you have a choice about whether you want your identifiable confidential patient information to be used for research and planning. This replaces a ‘Type 2 opt-out’.

 

• To find out more or to register your choice under the national data opt-out, please visit nhs.uk. You can change your mind about your choice at any time.

 

NHS Digital sharing with the Home Office

• There is no right of objection to NHS Digital sharing names and addresses of patients who are suspected of having committed an immigration offence.

Public health

• Legally information must be shared under public health legislation. This means that you are unable to object.

Care Quality Commission

• Legally information must be shared when the Care Quality Commission needs it for their regulatory functions. This means that you are unable to object.

Court order

• Your information must be shared if it ordered by a court. This means that you are unable to object.

 

National screening programmes

 

• The NHS provides national screening programmes so that certain diseases can be detected at an early stage.

 

• These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service.

 

• The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.

 

• More information can be found at: https://www.gov.uk/topic/population-screening-programmes

 

We are required by law to provide you with the following information about how we handle your information in relation to our legal obligations to share data.

 

Purpose of the processing

• The NHS provides several national health screening programmes to detect diseases or conditions early such as cervical and breast cancer, aortic aneurysm and diabetes.

 

• The information is shared so that the correct people are invited for screening. This means those who are most at risk can be offered treatment.

Lawful basis for processing

The following sections of the General Data Protection Regulation allow us to contact patients for screening:

• Article 6(1)(e) – ‘processing is necessary…in the exercise of official authority vested in the controller...’

 

• Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services...’

Recipient or categories of recipients of the processed data

• The data will be shared with NHS Digital, hospital laboratory services, local breast screening units, and Health Intelligence who provide diabetic eye screening.

 

• The Practice shares your diabetes related data with the Diabetic Eye Screening Programme operated by Health Intelligence, commissioned by NHS England. For further information: eadesp.co.uk

Rights to object

• For national screening programmes you can opt so that you no longer receive an invitation to a screening programme.

 

• See: https://www.gov.uk/government/publications/opting-out-of-the-nhs-population-screening-programmes

Data we get from other organisations

• We receive information about your screening test results from other organisations who are involved in providing these services.

 

• This means your GP medical record is updated with screening results.

 

Data we hold about you

 

We hold data about you in electronic and paper records. We use a combination of working practices and technology to ensure that your information is kept confidential and secure.

The type of data that we hold about you may include the following:

• Details about you, such as your address and next of kin;
• Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
• Notes and reports about your health;
• Details about your treatment and care;
• Results of investigations, such as laboratory tests, x-rays, etc.
• Relevant information from other health professionals, relatives or those who care for you.

 

• Your medical record is held in a computer system called SystmOne. This system is provided to us under a National contract. Your data is held and managed in secure data centres by TPP. For more information: https://www.tpp-uk.com/

 

SMS and Email

• We will hold your mobile phone number and email address where you have provided these to us.

 

• We may use these to send you text messages or emails about your care, for example, messages about appointments, test results, or inviting you to attend for a clinic.

 

• You have the right to provide your mobile number for calls only. If you do not wish to receive text messages from us, please speak to the practice so we can add this to your record to prevent text messages being sent to you.

 

• You have to right to have your email address or mobile phone number removed from your GP record.

 

• We will only use the email address or mobile phone number for direct medical care purposes, unless you have provided us with your explicit consent to email you for other purposes as well, for example, for us to send you surgery newsletters, details from patient participation group meetings, or details about new services.

 

• If you provide your consent for us to send you information other than for your direct care, you can remove this consent at any time.

 

Right to access and correct

 

• You have the right to access the data we hold about you, and request to have any errors or mistakes corrected. Please speak to a member of staff or look at our ‘subject access request’ policy on the practice website http://www.trinity-surgery.co.uk/

 

• We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.

Retention period

• GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found at: https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016

 

Right to complain

• If you have concerns about the way we manage your data. Please contact the Practice Manager.

 

• You have the right to seek independent advice about data protection, as well as the right to complain, by contacting the Information Commissioner’s Office. https://ico.org.uk/global/contact-us/ or call the helpline 0303 123 1113

 

Data Controller contact details

• Trinity Surgery, 29 St Augustines Road, Wisbech, Cambs, PE13 3UZ

Data Protection Registration Number

• Data protection registration number Z4982184

Data Protection Officer

• Data Protection Officer, Cambridgeshire and Peterborough ICB

Postal address: Data Protection Officer, Cambridgeshire and Peterborough ICB, Lockton House, Clarendon Road, Cambridge, CB2 8FH.

Email address: cpicb.dataprotectionofficer@nhs.net

Date last reviewed or updated

• 09/11/2023

This privacy notice lets you know what happens to any personal data that you give to us, or any that we may collect from or about you.

This privacy notice applies to personal information processed by or on behalf of the practice.

This Notice explains

• Who we are, how we use your information and our Data Protection Officer
• What kinds of personal information about you do we process?
• What are the legal grounds for our processing of your personal information (including when we share it with others)?
• What should you do if your personal information changes?
• For how long your personal information is retained by us?
• What are your rights under data protection laws?

The General Data Protection Regulation (GDPR) was incorporated into the UK's Data Protection Act on 25th May 2018. This is a single EU-wide regulation on the protection of confidential and sensitive information.

For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR"), and the Data Protection Act 2018 (currently in Bill format before Parliament) the practice responsible for your personal data.

This Notice describes how we collect, use and process your personal data, and how, in doing so, we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights

How we use your information and the law.

The practice will be what’s known as the ‘Controller’ of the personal data you provide to us.

We collect basic personal data about you which does not include any special types of information or location-based information. This does however include name, address, contact details such as email and mobile number etc.

We will also collect sensitive confidential data known as “special category personal data”, in the form of health information, religious belief (if required in a healthcare setting) ethnicity, and sex during the services we provide to you and or linked to your healthcare through other health providers or third parties.

Why do we need your information?

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.

NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which the Practice hold about you may include the following information;

• Details about you, such as your address, carer, legal representative, emergency contact details
• Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
• Notes and reports about your health
• Details about your treatment and care
• Results of investigations such as laboratory tests, x-rays etc
• Relevant information from other health professionals, relatives or those who care for you

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided.

How do we lawfully use your data?

We need to know your personal, sensitive and confidential data in order to provide you with Healthcare services as a General Practice, under the General Data Protection Regulation we will be lawfully using your information in accordance with: -

Article 6, e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;”

Article 9, (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

This Privacy Notice applies to the personal data of our patients and the data you have given us about your carers/family members.

Risk Stratification

Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information is only provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services. Please note that you have the right to opt out of your data being used in this way.

Medicines Management

The Practice may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments.

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

• Data Protection Act 2018
• The General Data Protection Regulations 2016
• Human Rights Act 1998
• Common Law Duty of Confidentiality
• Health and Social Care Act 2012
• NHS Codes of Confidentiality, Information Security and Records Management
• Information: To Share or Not to Share Review

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.

Our practice policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the General Data Protection Regulations (GDPR) and all UK specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be protected.

All employees and sub-contractors engaged by our practice are asked to sign a confidentiality agreement. The practice will, if required, sign a separate confidentiality agreement if the client deems it necessary. If a sub-contractor acts as a data processor for the practice an appropriate contract (art 24-28) will be established for the processing of your information.

In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact the Data Protection Officer in writing if you wish to withdraw your consent. If some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose in an identifiable format.  In some circumstances you can Opt-out of the surgery sharing any of your information for research purposes.

With your consent we would also like to use your information to

We would however like to use your name, contact details and email address to inform you of services that may benefit you, with your consent only. There may be occasions were authorised research facilities would like you to take part on innovations, research, improving services or identifying trends.

At any stage where we would like to use your data for anything other than the specified purposes and where there is no lawful requirement for us to share or process your data, we will ensure that you have the ability to consent and opt out prior to any data processing taking place. This information is not shared with third parties or used for any marketing and you can unsubscribe at any time via phone, email or by informing the practice DPO as below.

Where do we store your information Electronically?

All the personal data we process is processed by our staff in the UK however for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

No 3rd parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place. We have a Data Protection regime in place to oversee the effective and secure processing of your personal and or special category (sensitive, confidential) data.

Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations;

• NHS Trusts / Foundation Trusts
• GP’s
• eMBED Health
• Independent Contractors such as dentists, opticians, pharmacists
• Private Sector Providers
• Voluntary Sector Providers
• Ambulance Trusts
• Clinical Commissioning Groups
• Social Care Services
• NHS England (NHSE) and NHS Digital (NHSD)
• Local Authorities
• Education Services
• Fire and Rescue Services
• Police & Judicial Services
• Voluntary Sector Providers
• Private Sector Providers
• Other ‘data processors’ which you will be informed of

You will be informed who your data will be shared with and in some cases asked for consent for this to happen when this is required.

We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure. All employees and sub-contractors engaged by our practice are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor for the practice an appropriate contract (art 24-28) will be established for the processing of your information.

How long will we store your information?

We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records management code of practice for health and social care and national archives requirements. More information on records retention can be found online at (https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016)

How can you access, amend move the personal data that you have given to us?

Even if we already hold your personal data, you still have various rights in relation to it. To get in touch about these, please contact us. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise.

Right to object: If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply.

Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities (for example for a research project), or consent to market to you, you may withdraw your consent at any time.

Right to erasure: In certain situations (for example, where we have processed your data unlawfully), you have the right to request us to "erase" your personal data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases) and will only disagree with you if certain limited conditions apply. If we do agree to your request, we will Delete your data but will generally assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data are collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so.

Right of data portability: If you wish, you have the right to transfer your data from us to another data controller. We will help with this with a GP to GP data transfer and transfer of your hard copy notes

Access to your personal information

Data Subject Access Requests (DSAR): You have a right under the Data Protection legislation to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. To request this, you need to do the following:

• Your request should be made to the Practice – for information from the hospital you should write direct to them
• There is no charge to have a copy of the information held about you
• We are required to respond to you within one month
• You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified, and your records located information we hold about you at any time.

What should you do if your personal information changes?

You should tell us so that we can update our records please contact the Practice Manager as soon as any of your details change, this is especially important for changes of address or contact details (such as your mobile phone number), the practice will from time to time ask you to confirm that the information we currently hold is accurate and up-to-date.