Your information, what you need to know
This privacy notice explains why we collect information about you, how that information will be used, how we keep it safe and confidential and what your rights are in relation to this.
Why we collect information about you
We keep data on you relating to who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care.
When registering for NHS care, all patients who receive NHS care are registered on a national database, the database is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS Data.
If your health needs require care from others outside this practice we will exchange with them whatever information about you is necessary for them to provide that care. When you make contact with healthcare providers outside the practice but within the NHS it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non NHS services but this is not always the case.
Your consent to this sharing of data, within the practice and with those others outside the practice is assumed and is allowed by the Law.
You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests.
How we keep your information confidential and safe
Everyone working for our organisation is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised with consent given by the patient, unless there are other circumstances covered by the law. The NHS Digital Code of Practice on Confidential Information applies to all NHS staff and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All our staff are expected to make sure information is kept confidential and receive regular training on how to do this.
The health records we use will be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Your records are backed up securely in line with NHS standard procedures. We ensure that the information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personnel.
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- Data Protection Legislation
- General Data Protection Regulation
- Human Rights Act
- Common Law Duty of Confidentiality
- NHS Codes of Confidentiality and Information Security
- Health and Social Care Act 2015
- And all applicable legislation
We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if we reasonably believe that others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (such as a risk of serious harm to yourself or others) or where the law requires information to be passed on.
How we use your information
Improvements in information technology are also making it possible for us to share data with other healthcare organisations for the purpose of providing you, your family and your community with better care. For example it is possible for healthcare professionals in other services to access your record with your permission when the practice is closed. This is explained further in the Local Information Sharing section below.
Under the powers of the Health and Social Care Act 2015, NHS Digital can request personal confidential data from GP Practices without seeking patient consent for a number of specific purposes, which are set out in law.
You can choose to withdraw your consent to your personal data being shared for these purposes. When we are about to participate in a new data-sharing project we will display prominent notices in the Practice and on our website at least four weeks before the scheme is due to start. Instructions will be provided to explain what you have to do to ‘opt-out’ of the new scheme. Please be aware that it may not be possible to opt out of one scheme and not others, so you may have to opt out of all the schemes if you do not wish your data to be shared.
You can object to your personal information being shared with other healthcare providers but should be aware that this may, in some instances, affect your care as important information about your health might not be available to healthcare staff in other organisations. If this limits the treatment that you can receive then the practice staff will explain this to you at the time you object.
To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS.
Circumstances under which we may share your data
Information will be used by the CCG for clinical audit to monitor the quality of the service provided to patients with long terms conditions. When required, information will be held centrally and used for statistical purposes (e.g. the National Diabetes Audit). When this happens, strict measures are taken to ensure that individual patients cannot be identified from the data.
We get requests from organisations to use our information for research purposes – we will always ask your permission before releasing any information for this purpose. Research organisations do not usually approach patients directly but will ask us to make contact with suitable patients to seek their consent.
Improving Diabetes Care
Information that does not identify individual patients is used to enable focused discussions to take place at practice-led local diabetes review meetings between health care professionals. This enables the professionals to improve the management and support of these patients.
National screening programmes
The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These currently apply to bowel cancer, breast cancer, aortic aneurysms and diabetic retinal screening service. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.
Individual Funding Request
An ‘Individual Funding Request’ is a request made on your behalf, with your consent, by a clinician, for funding of specialised healthcare which falls outside the range of services and treatments that CCG has agreed to commission for the local population. An Individual Funding Request is taken under consideration when a case can be set out by a patient’s clinician that there are exceptional clinical circumstances which make the patient’s case different from other patients with the same condition who are at the same stage of their disease, or when the request is for a treatment that is regarded as new or experimental and where there are no other similar patients who would benefit from this treatment. A detailed response, including the criteria considered in arriving at the decision, will be provided to the patient’s clinician.
Invoice validation is an important process. It involves using your NHS number to identify which CCG is responsible for paying for your treatment. Section 251 of the NHS Act 2006 provides a statutory legal basis to process data for invoice validation purposes. We can also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for. The process makes sure that the organisations providing your care are paid correctly.
NHS payments processes
Contract holding GPs in the UK receive payments from their respective governments on a tiered basis. Most of the income is derived from baseline capitation payments made according to the number of patients registered with the practice on quarterly payment days. These amounts, paid per patient, per quarter vary according to the age, sex and other demographic details for each patient. There are also graduated payments made according to the practice’s achievement of certain agreed national quality targets known as the Quality and Outcomes Framework (QOF), for instance the proportion of diabetic patients who have had an annual review.
Practices can also receive payments for participating in agreed national or local enhanced services, for instance opening early in the morning or late at night or at the weekends. Practices can also receive payments for certain national initiatives such as immunisation programs and practices may also receive incomes relating to a variety of non-patient related elements such as premises. Finally there are short term initiatives and projects that practices can take part in. Practices or GPs may also receive income for participating in the education of medical students, junior doctors and GPs themselves as well as research.
In order to make patient based payments basic and relevant necessary data about you needs to be sent to the various payment services. The release of this data is required by English laws.
Local Information Sharing
Your GP electronic patient record is held securely and confidentially on an electronic system called SystmOne TPP managed by us. If you require attention from a health professional in the Emergency Department, Out Of Hours service, or community service such as the district nurses, the professionals treating you are better able to give you safe and effective care if relevant information from your GP record is available to them.
We are able to share information electronically with other local health and care providers that also use SystmOne. Depending on the service you are using and your health and care needs, this may involve the professional accessing your GP electronic patient record.In all cases, your information is only accessed and used by authorised health and social care professionals in locally based organisations who are involved in providing or supporting your direct care. Your permission will be asked before the information is accessed, other than in exceptional circumstances (e.g. emergencies see below) if the healthcare professional is unable to ask you and this is deemed to be in your best interests (which will then be logged).
There are occasions when intervention is necessary in order to save or protect a patient’s life or to prevent them from serious immediate harm, for instance during a collapse or diabetic coma or serious injury or accident. In many of these circumstances the patient may be unconscious or too ill to communicate. In these circumstances we have an overriding duty to try to protect and treat the patient. If necessary we will share your information and possibly sensitive confidential information with other emergency healthcare services, the police or fire brigade, so that you can receive the best treatment. The law acknowledges this and provides supporting legal justifications.
Individuals have the right to make pre-determined decisions about the type and extent of care they will receive should they fall ill in the future, these are known as “Advance Directives”. If lodged in your records these will normally be honoured despite the observations in the first paragraph.
Regulatory inspection by the Care Quality Commission (CQC)
The Care Quality Commission (CQC) is an organisation established in English law by the Health and Social Care Act. The CQC is the regulator for English health and social care services to ensure that safe care is provided. They inspect and produce reports on all English general practices in a rolling 5 year program. The law allows CQC to access identifiable patient data as well as requiring this practice to share certain types of data with them in certain circumstances, for instance following a significant safety incident.
For more information about the CQC see: www.cqc.org.uk
National Fraud Initiative – Cabinet Office
The use of data by the Cabinet Office for data matching is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under Data Protection legislation. Data matching by the Cabinet Office is subject to a Code of Practice. For further information see: www.gov.uk
National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.
Risk Stratification for planning and commissioning of local services
‘Risk stratification for case finding’ is a process for identifying and managing patients who have or may be at-risk of health conditions (such as diabetes) or who are most likely to need healthcare services (such as people with frailty). Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health before it develops.
Information about you is collected from a number of sources including NHS Trusts, GP Federations and us. A risk score is then arrived at through an analysis of your de-identified information. Only this practice will be able to identify you and the results of any calculated factors, such as your risk of having a heart attack in the next 10 years or your risk of being admitted to hospital. This can help us identify and offer you additional services to improve your health.
Risk-stratification data may also be used to improve local services and commission new services, where there is an identified need. In this area, risk stratification may be commissioned by the Clinical Commissioning Group. Section 251 of the NHS Act 2006 provides a statutory legal basis to process data for risk stratification purposes. Further information about risk stratification is available from: www.england.nhs.uk
If you do not wish information about you to be included in any risk stratification programmes, please let us know. We can add a code to your records that will stop your information from being used for this purpose. Please be aware that this may limit the ability of healthcare professionals to identify if you have or are at risk of developing certain serious health conditions.
Supporting Locally Commissioned Services
CCGs support GP practices by auditing anonymised data to monitor locally commissioned services, measure prevalence and support data quality. The data does not include identifiable information and is used to support patient care and ensure providers are correctly paid for the services they provide.
Supporting Medicines Management
CCGs operate pharmacist and prescribing advice services to support local GP practices with prescribing queries, which may require identifiable information to be shared. These pharmacists work with your usual GP to provide advice on medicines and prescribing queries, and review prescribing of medicines to ensure that it is appropriate for your needs, safe and cost-effective. Where specialist prescribing support is required, the CCG medicines optimisation team may order medications on behalf of your GP Practice to support your care.
In the interests of Public Health
Public health encompasses everything from national smoking and alcohol policies, the management of epidemics such as flu, the control of large scale infections such as TB and Hepatitis B to local outbreaks of food poisoning or Measles. Certain illnesses are also notifiable, i.e. the doctors treating the patient are required by law to inform the Public Health Authorities, for instance Scarlet Fever.
This will necessarily mean the subjects personal and health information being shared with the Public Health organisations.
Some members of society are recognised as needing protection, for example children and vulnerable adults. If a person is identified as being at risk from harm we are expected as professionals to do what we can to protect them. In addition we are bound by certain specific laws that exist to protect individuals. This is called “Safeguarding”.
To ensure that adult and children’s safeguarding matters are managed appropriately, access to identifiable information will be shared in circumstances where it’s legally required for the safety of the individuals concerned.
Summary Care Record (SCR)
The Summary Care Record consists of a basic medical record held on a central government database on every patient registered with a GP surgery in England. Your SCR provides authorised healthcare staff with faster, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable.
The basic data is automatically extracted from your GP’s electronic record system and uploaded to the central system. GPs are required by their contract with the NHS to allow this upload. The basic upload consists of current medication, allergies and details of any previous bad reactions to medicines, the name, address, date of birth and NHS number of the patient.
As well as this basic record additional information can be added, and this can be far reaching and detailed. However, whereas the basic data is uploaded automatically any additional data will only be uploaded if you specifically request it and with your consent. This information can include specific care plans or instructions for other healthcare professionals i.e. a pain management plan or ‘do not resuscitate’ plan for the ambulance service.
Summary Care Records can only be viewed within the NHS on NHS smartcard controlled screens or by organisation, such as pharmacies, contracted to the NHS.
Please be aware that if you choose to opt-out of SCR, NHS healthcare staff caring for you outside of this surgery may not be aware of your current medications, allergies you suffer from and any bad reactions to medicines you have had, in order to treat you safely in an emergency. Your records will stay as they are now with information being shared by letter, email, fax or phone. If you wish to opt-out of having an SCR please return a completed opt-out form to the practice.
We manage patient records in line with the Records Management NHS Code of Practice for Health and Social Care which sets the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England, based on current legal requirements and professional best practice.
|GP patient records||10 years after the death of the patient|
|Adult Health & Social care records||8 years|
|Children’s records||Until 25th birthday|
|Mental Health records||20 years (or 8 years after the patient’s death)|
|Maternity (ante-natal & post-natal)||25 years|
|Cancer records||30 years after diagnosis (or 8 years after the patient’s death)|
|Contraception records||8 years (or 10 years if an implant or device has been fitted)|
|Clinical protocols||25 years|
|Screening records||10 years|
Who are our partner organisations?
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:
- NHS Trusts
- Specialist Trusts
- GP Federations
- Independent Contractors such as dentists, opticians, pharmacists
- Private Sector Providers
- Voluntary Sector Providers
- Ambulance Trusts
- Clinical Commissioning Groups
- Social Care Services
- Local Authorities
- Education Services
- Fire and Rescue Services
- Other ‘data processors’
We will never share your information outside of health partner organisations without your explicit consent unless there are exceptional circumstances such as when the health or safety of others is at risk, where the law requires it or to carry out a statutory function.
Within the health partner organisations (NHS and Specialist Trusts) and in relation to the above mentioned themes – Risk Stratification, Invoice Validation, Supporting Medicines Management, Summary Care Record – we will assume you are happy for your information to be shared unless you choose to opt-out (see below).
This means you will need to express an explicit wish to not have your information shared with the other organisations; otherwise it will be automatically shared. We are required by law to report certain information to the appropriate authorities. This is only provided after formal permission has been given by a qualified health professional. There are occasions when we must pass on information, such as notification of new births, where we encounter infectious diseases which may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS), and where a formal court order has been issued. Our guiding principle is that we are holding your records in strictest confidence.
Your right to withdraw consent for us to share your personal information (Opt-Out)
If you are happy for your data to be extracted and used for the purposes described in this privacy notice then you do not need to do anything. If you do not want your information to be used for any purpose beyond providing your care you can choose to opt-out. If you wish to do so, please let us know so we can code your record appropriately. We will respect your decision if you do not wish your information to be used for any purpose other than your care but in some circumstances we may still be legally required to disclose your data.
There are two main types of opt-out.
Type 1 Opt-Out
If you do not want information that identifies you to be shared outside the practice, for purposes beyond your direct care, you can register a ‘Type 1 Opt-Out’. This prevents your confidential personal information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.
Type 2 Opt-Out
NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a ‘Type 2 Opt-Out’. For further information about Type 2 Opt-Outs, please contact NHS Digital Contact Centre at firstname.lastname@example.org referencing ‘Type 2 Opt-Outs – Data Requests’ in the subject line; or call NHS Digital on (0300) 303 5678; or visit the website content.digital.nhs.uk/article/7092/Information-on-type-2-opt-outs
If you wish to discuss or change your opt-out preferences at any time please contact: Practice Manager or IM&T Manager at the practice.
NHS Digital is developing a new system to give you more control over how your identifiable information is used. We will tell you more once details are released.
Access to your information
1. HOW CAN I ACCESS THE INFORMATION YOU HOLD ABOUT ME?
You have a right under the Data Protection laws to have access/copies to the information the surgery holds about you and to have it amended should it be inaccurate.
In order to access your medical record, you need to let the practice know by making a Subject Access Request (SAR).
The practice will respond to your request within one month of receipt of your request. You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located.
Usually there is no charge to see the information that the practice holds about you unless the request is excessive or complicated.
For information about your hospital medical records, you should write direct to them.
2. HAVE INACCURACIES CORRECTED OR ERASED
If you feel that the personal data that the practice holds about you is inaccurate or incomplete then please let us know and we will update your records within one month of notification. If this incorrect information has been sent onwards, we will also inform any other organisations of this. If it is not possible to correct the information then we will write to you to let you know the reason behind the decision and inform you how you can complain about this.
3. RIGHT TO OBJECT – RESTRICT PROCESSING
As a patient, you have the right to object to personal data about you being used or shared. We will always listen to your concerns and endeavour to manage them to your satisfaction, however we have to balance your concerns with our ability to provide you with safe and effective care.
if you are a carer and have a Lasting Power of Attorney for health and welfare then you can also object to personal data being used or shared on behalf of the patient who lacks capacity.
If you do not hold a Lasting Power of Attorney then you can raise your specific concerns with the patient’s GP. If you have parental responsibility and your child is not able to make an informed decision for themselves, then you can make a decision about information sharing on behalf of your child. If your child is competent then this must be their decision.
Change of Details
It is important that you tell the person treating you if any of your details such as your name or address have changed or if any of your details are incorrect in order for this to be amended. Please inform us of any changes so our records for you are accurate and up to date.
Mobile telephone number
If you provide us with your mobile phone number we will use this to send you reminders about your appointments or other health screening information. Please let us know if you do not wish to receive reminders on your mobile.
Data Protection Legislation requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.
We are registered as a Data Controller and our registration can be viewed online in the public register at: ico.org.uk. Any changes to this notice will be published on our website and at the Practice.
If you have concerns or are unhappy about any of our services, please contact the Practice Manager.
For independent advice about data protection, privacy and data-sharing issues, you can contact:
The Information Commissioner
Phone: 0303 123 1113
Useful links on how NHS uses personal information and your rights:
The NHS Care Record Guarantee
The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS, what control the patient can have over this, the rights individuals have to request copies of their data and how data is protected under Data Protection Legislation. digital.nhs.uk
The NHS Constitution
The NHS Constitution establishes the principles and values of the NHS in England. It sets out the rights patients, the public and staff are entitled to. These rights cover how patients access health services, the quality of care you’ll receive, the treatments and programmes available to you, confidentiality, information and your right to complain if things go wrong. www.gov.uk
NHS Digital collects health information from the records health and social care providers keep about the care and treatment they give, to promote health or support improvements in the delivery of care services in England. content.digital.nhs.uk