GDPR – Privacy Notice
The Old Fire Station Surgery has a duty to explain how we use any personal information we collect about you, as a registered patient at the practice. Staff at this practice maintain records about your health and the treatment you receive in electronic and paper format. This Privacy Notice explains why we collect information about you, how that information may be used and which organisations the information will be shared with to ensure you receive the best possible care. This policy is effective from 25th May 2018.
What information do we collect about you?
Your NHS health care record is likely to be electronic and paper, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. The records we hold about you may include the following information:-
How we will use your information
Your data is collected for the purpose of providing direct patient care; however, we can disclose this information if it is required by law, if you give consent or if it is justified in the public interest. The practice may be requested to support research; however, we will always gain your consent before sharing your information for medical research or others when the law allows.
The Practice uses your health information directly to:
Non-clinical practice staff may also access your medical records in order to perform tasks enabling the functioning of the practice. This would include:
Each member of staff who works at the Old Fire Station Surgery has a legal obligation to keep information about you confidential and only accesses patient information when there is a business need to do so.
In order to comply with its legal obligations, this practice may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012. Information is used to inform national campaigns regarding uptake of screening and immunisation programmes e.g. breast screening, cervical screening, childhood immunisation and the national Flu campaign.
Additionally, this practice contributes to national clinical audits and will send the data that is required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form; for example, the clinical code for diabetes or high blood pressure.
Processing your information in this way and obtaining your consent ensures that we comply with Articles 6(1)(c), 6(1)(e) and 9(2)(h) of the GDPR.
Healthy.io – ACR project for patients with diabetes (and/or other conditions)
The data is being processed for the purpose of delivery of a programme, sponsored by NHS Digital, to monitor urine for indications of chronic kidney disease (CKD) which is recommended to be undertaken annually for patients at risk of chronic kidney disease e.g., patients living with diabetes. The programme enables patients to test their kidney function from home. We will share your contact details with Healthy.io to enable them to contact you and send you a test kit. This will help identify patients at risk of kidney disease and help us agree any early interventions that can be put in place for the benefit of your care. Healthy.io will only use your data for the purposes of delivering their service to you. If you do not wish to receive a home test kit from Healthy.io we will continue to manage your care within the Practice. Healthy.io are required to hold data we send them in line with retention periods outlined in the Records Management code of Practice for Health and Social Care. Further information about this is available at: https://lp.healthy.io/minuteful_info/.
Computer System
The Practice computer system is an accredited clinical system which records patient clinical information securely. This information can be shared with other clinicians, so that everyone caring for you is fully informed about your medical history, including allergies and medication. Our clinical system is accessed by Practice staff and, where appropriate, allied Healthcare Professionals on site only, as we do not permit remote access by non-practice staff.
Maintaining confidentiality and accessing your records
We are committed to maintaining confidentiality and protecting the information we hold about you. Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential and we adhere to the General Data Protection Regulation (GDPR), the NHS Codes of Confidentiality and Security, as well as guidance issued by the Information Commissioner’s Office (ICO).
You have a right to access the information we hold about you, and if you would like to access this information, you will need to complete a Subject Access Request (SAR). Please ask at reception for a SAR form and you will be given further information. Furthermore, should you identify any inaccuracies, you have a right to have the inaccurate data corrected.
For the purposes of managing your health and Health Risk Screening we may need to share your information e.g. by making a referral with your consent to the following organisations:
We will not disclose your information to any third party without your permission unless there are exceptional circumstances or the law requires information to be passed on e.g. the Public Health (Control of Disease) Act 1984, the Public Health (Infectious Diseases) Regulations 1988 and the Road Traffic Act 1988. Anyone who receives information from us is also under a legal duty to keep this information confidential.
We may also be obliged to reveal information about you if we believe you are a risk to yourself or others or if we believe a child or a vulnerable adult would be harmed if we did not reveal the information. We may also have to disclose information to prevent disorder or crime or if we are instructed to by a Court order.
How We Keep Your Information Confidential and Secure
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the General Data Protection Regulation 2018 (GDPR), Article 8 of the Human Rights Act and the NHS Codes of Confidentiality and Security. Everyone working in, or for, the NHS must use personal information in a secure and confidential way.
We will only ever use or pass on your information if there is a genuine need to do so and we will not disclose information about you to third parties without your permission unless there are exceptional circumstances, such as when the law requires.
In order to protect your confidentiality if we are sending your information to outside parties, i.e. solicitors, the written information is given to you to pass to them and we will not disclose information to your family, friends and colleagues about any medical matters at all, unless we know that we have your consent to do so, including some teenage patients who have capacity for making their own decisions.
Summary Care Record
A summary of your basic details along with information about your medication is updated daily from the practice to the Summary Care Record on the NHS Spine. This is to allow other health professionals with access to the NHS Spine, for example in A&E, to have easy access to limited information if they need it. You can opt out of the Summary Care Record if you wish; please contact our reception team if you wish to do this.
National data opt-out Programme
The national data opt-out is a new service that allows people to opt out of their confidential patient information being used for research and planning.
Using information for a patient’s individual care and treatment is not affected by the new opt-out. Patients do not need to do anything if they are happy about how their confidential patient information is used, and they can change their choice at any time.
The ‘Your Data Matters to the NHS’ awareness campaign will tell the public about how the strict rules around how data can and cannot be used were strengthened from May 2018, and inform them about the new service. The NHS is committed to keeping patient information safe and always being clear about how it is used.
How to opt out
Individuals can set an opt-out online at nhs.uk/your-nhs-data-matters or use a telephone service on 0300 303 5678.
Risk stratification
Risk stratification is a mechanism used to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions, e.g. cancer. Your information is collected by a number of sources, including The Old Fire Station Surgery; this information is processed electronically and given a risk score which is relayed to your GP who can then decide on any necessary actions to ensure that you receive the most appropriate care.
Timescales
NHS Digital is developing the system now. Patients and the public will be able to use the system from 25 May 2018. All health and care organisations will be required to uphold patient and public choices by March 2020. The national data opt-out will be introduced alongside the new data protection legislation.
Retention periods
In accordance with the NHS Codes of Practice for Records Management, your healthcare records will be retained for 10 years after death, or if a patient emigrates, for 10 years after the date of emigration. Records of the deceased are returned promptly to Patient Data Services, so requests for access are usually directed to them, not the practice.
Who else may ask to access your information?
The law courts can insist that we disclose medical records to them.
Solicitors may ask for medical reports but these requests must always be accompanied by your signed consent for us to disclose information. When we receive a request we may contact you and you may be asked to collect that information and send it to the requester. We will not release details about other people that are contained in your records (e.g. wife, children, parents etc) unless we also have their consent.
Limited information is shared with Public Health England to help them organise national programmes for Public Health such as childhood immunisations.
Social Services, The Benefits Agency and others may require medical reports on you from time to time. These will often be accompanied by your signed consent to disclose information. Failure to co-operate with these agencies can lead to loss of benefit or other support. However, if we have not received your signed consent we will not normally disclose information about you.
Insurance Companies frequently ask for medical reports on prospective clients and for claims which are accompanied by your signed consent form. We must disclose all relevant medical conditions unless you ask us not to do so. In that case, we would have to inform the insurance company that you have instructed us not to make a full disclosure to them.
You have the right, should you request it, to see reports to insurance companies before they are sent.
What to do if you have any questions
Should you have any questions about our privacy policy or the information we hold about you, you can;
Complaints
If you have any concerns about how we use or share your information, or you do not wish us to share your information, then please contact the surgery who will be able to assist you.
In the event that you are unhappy with any element of our data-processing methods, you have the right to lodge a complaint with the ICO. For further details, visit ico.org.uk and select ‘Raising a concern’.
Our Website
When someone visits our website, our website provider collects standard internet log information and details of behaviour patterns, which provide activity levels for visitors to the website but do not identify who is visiting the site.