Privacy Notice for Direct Care

This practice keeps data on you relating to who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care.

All patients who receive NHS care are registered on a national database when they register for NHS care. The database is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS data.

GPs have always delegated tasks and responsibilities to others that work with them in their surgeries. On average an NHS GP has between 1,500 and 2,500 patients for whom he or she is accountable. It is not possible for the GP to provide hands-on personal care for each and every one of those patients in those circumstances; for this reason GPs share your care with others, predominantly within the surgery but occasionally with outside organisations.

If your health needs require care from others outside this practice, we will exchange with them whatever information about you is necessary for them to provide that care. When you make contact with healthcare providers outside the practice but within the NHS, it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non-NHS services, but this is not always the case.

Your consent to this sharing of data, within the practice and with those others outside the practice is assumed and is allowed by the Law.

People who have access to your information will only normally have access to that which they need to fulfil their roles. For instance, admin staff will normally only see your name, address, contact details, appointment history and registration details in order to book appointments; the practice nurses will normally have access to your immunisation, treatment, significant active and important past histories, your allergies and relevant recent contacts; whilst the GP you see or speak to will normally have access to everything in your record.

You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests. Please see below.

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

1) Data Controller contact details

Chertsey Health Centre
Family Health Centre
Stepgates
Chertsey
KT16 8HZ

2) Data Protection Officer contact details

Dr Neville Blewitt
Chertsey Health Centre
Family Health Centre
Stepgates
Chertsey
KT16 8HZ
01932 565655/561199

3) Purpose of the processing

Direct Care is care delivered to the individual alone, most of which is provided in the surgery. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialists, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and/or care.

4) Lawful basis for processing

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*.

5) Recipient or categories of recipients of the processed data

The data will be shared with health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.

6) Rights to object

You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection; that is not the same as having an absolute right to have your wishes granted in every circumstance.

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

8) Retention period

The data will be retained in line with the law and national guidance. See NHS Digital: Records Management Code of Practice for Health and Social Care 2016, or speak to the practice.

9) Right to Complain

You have the right to complain to the Information Commissioner’s Office. You can use this link www.ico.org.uk/global/contact-us or call their helpline, Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate).

There are National Offices for Scotland, Northern Ireland and Wales (see ICO website).

* “Common Law Duty of Confidentiality”: common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • Where the individual to whom the information relates has consented
  • Where disclosure is in the public interest
  • Where there is a legal duty to do so, for example a court order

General Practice Extraction Service (GPES)

CVDPREVENT Audit

Purpose: NHS England has directed NHS Digital to collect and analyse data in connection with the Cardiovascular Disease Prevention Audit (referred to hereafter as “CVDPREVENT Audit”).

The NHS Long Term Plan identifies cardiovascular disease (CVD) as a clinical priority and the single biggest condition where lives can be saved by the NHS over the next 10 years. CVD causes a quarter of all deaths in the UK.

This General Practice Extraction Service (GPES) data will be extracted as an initial full-year extract of data and thereafter as an extract on a quarterly basis. The first extract is scheduled to take place in the second half of the 2020-21 financial year and will cover the previous financial year of 2019-20.

Legal Basis: All GP Practices in England are legally required to share data with NHS Digital for this purpose under section 259(1)(a) and (5) of the 2012 Act.

More information on this data extraction can be found at NHS Digital: GPES Cardiovascular Disease Prevention Audit.

Processor: NHS Digital

General Practice Data for Planning and Research (GPDPR)

Purpose: Patients’ personal confidential data will be extracted and shared with NHS Digital in order to support vital health and care planning and research. Further information can be found in the NHS Digital Transparency Notice for General Practice Data for Planning and Research.

Patients may opt out of having their Personal identifiable data shared for Planning or Research by applying a National Data Opt Out or a Type 1 Opt Out.  Details of how to Opt Out can be found on our Privacy Notice.  For the National Data Opt Out patients are required to register their preference below.

www.nhs.uk/your-nhs-data-matters

For Type 1 Opt Out, which means that no personal confidential data will be shared outside of the practice for this purpose, patients can complete the form within the link and return it to their registered practice for action by the 23rd June 2021. Register your Type 1 Opt-out preference form

Legal Basis: The legal basis for this activity can be found at this link: General Practice Data for Planning and Research: NHS Digital Transparency Notice – NHS Digital

Processor: NHS Digital

The following table builds upon the information in our Fair Processing notice and is published to ensure transparency. This list is not exhaustive. Where the offering of a service to a patient will inform them about the sharing of their data, e.g. support from smoking cessation services, it is not necessarily included here. This list does not set out uses of anonymous data where identity has been completely removed (such as anonymised data to the Department for Work and Pensions on provision of ‘fit notes’).

Organisation / Activity – Rationale

Shared Care Record

Purpose – To ensure you receive effective, safe care, we will, through digital means, enable your record to be available to those providing your care in whichever care setting you are seen, such as an A&E attendance, a physiotherapy appointment or a social care needs assessment.

In order to achieve this, the aim of Shared Care Records is to enable health and care staff to view your information, to save valuable time in getting you the right treatment. Your information will only be available to the staff involved in your direct care, and not at any other time, or for any other reason.

Further information can be found at www.frimleyhealthandcare.org.uk/about/shared-care-record-how-your-data-is-used

Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’

Processor – Insert local supplier reference (optional)

Summary Care Record

Purpose – The NHS in England uses a national electronic record called the Summary Care Record (SCR) to support patient care. It contains key information from your GP record. Your SCR provides authorised healthcare staff with faster, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable.

Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’

Further information can be found at NHS Digital: Summary Care Records (SCR)

Controller of summary care record data – NHS Digital

Test requests and results

Purpose – Some basic identifying details, the type of test requested and, if required, any relevant health information are shared with Pathology Laboratories when tests such as blood or urine tests need to be undertaken. The laboratory will also hold the details of the request and the result. The result/report will be sent electronically to the practice, which will hold it in the patient’s record.

Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’

Controller of test data – The laboratory that processes the request and result is a controller of the data generated by the test process.

Research

Purpose – We may share personal confidential or anonymous information with research companies. Where you have opted out of having your identifiable information shared for this purpose then it will not be used. Details on how to opt out are available at www.nhs.uk/your-nhs-data-matters.

Legal Basis – Consent is required to share confidential patient information for research, unless there is support under the Health Service (Control of Patient Information) Regulations 2002 (‘section 251 support’), applying via the Confidentiality Advisory Group in England and Wales.

The organisation leading the research will be the controller of data disclosed to them.

Individual Funding Requests

Purpose – We may need to process your personal information where we are required to apply for funding for a specific treatment for you for a particular condition that is not routinely available.

Legal Basis – The clinical professional who first identifies that you may need the treatment will explain to you the information that is needed to be collected and processed in order to assess your needs and commission your care; they will gain your explicit consent to share this. You have the right to withdraw your consent at any time.  If you are happy for the request to be made, the basis for processing your data is:  Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’

Your data will be disclosed to the Clinical Commissioning Group who manages the individual funding request process.

Child Health Information Service

Purpose – We wish to make sure that your child has the opportunity to have immunisations and health checks when they are due. We share information about childhood immunisations, the 6-8 week new baby check and breast-feeding status with health visitors and school nurses.

Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’

Controller to which data is disclosed:  INSERT LOCAL REF

Risk Stratification – Preventative Care

Purpose – ‘Risk stratification for case finding’ is a process for identifying and managing patients who have or may be at-risk of health conditions (such as diabetes) or who are most likely to need healthcare services (such as people with frailty). Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health before it develops.

Information about you is collected from a number of sources including NHS Trusts and your GP Practice. A risk score is then arrived at to help us identify and offer you additional services to improve your health.

In addition data with your identity removed is used to inform the development and delivery of services across the local area.

If you do not wish information about you to be included in any risk stratification programmes, please let us know. We can add a code to your records that will stop your information from being used for this purpose. Please be aware that this may limit the ability of healthcare professionals to identify if you have or are at risk of developing certain serious health conditions.

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.

Risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority (approval reference (CAG 7-04)(a)/2013), and this approval has been extended to the end of September 2020 (see NHS England Risk Stratification). This gives us a statutory legal basis under Section 251 of the NHS Act 2006 to process data for risk stratification purposes, which sets aside the duty of confidentiality. We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.

Controller to which data is disclosed:  INSERT LOCAL REF

(NB identifiable data is not disclosed to other controllers)

Public Health

  • Screening programmes (identifiable)
  • Notifiable disease information (identifiable)
  • Smoking cessation (anonymous)
  • Sexual health (anonymous)

Purpose – The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These currently apply to bowel cancer, breast cancer, aortic aneurysms and diabetic retinal screening service. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme. Personal identifiable and anonymous data is shared. More information can be found at https://www.gov.uk/guidance/nhs-population-screening-explained or speak to the practice.

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.

Controller to which data is disclosed:  Public Health Services (England), & ANY LOCAL REF (i.e. Council)

NHS Trusts

Purpose – Personal information is shared with Hospitals, Community Services, Mental Health Services and others in order to provide you with care services. This could be for a range of services, including treatment, operations, physio, community nursing and ambulance service.

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.

Controller to which data is disclosed:  LOCAL REF

Care Quality Commission

Purpose – The CQC is the regulator for the English Health and Social Care services to ensure that safe care is provided. They will inspect and produce reports back to the GP practice on a regular basis. The Law allows the CQC to access identifiable data but only where it is needed to conduct their services.

More detail on how they ensure compliance with data protection law (including GDPR) and their privacy statement is available on the CQC website: https://www.cqc.org.uk/about-us/our-policies/privacy-statement

Legal Basis – Article 6(1)c “processing is necessary for compliance with a legal obligation to which the controller is subject.” And Article 9(2)h ‘management of health and care services’

Controller data is disclosed to – Care Quality Commission

Payments

Purpose – Payments to the practice come in many different forms. Some payments are based on the number of patients that receive specific services, such as diabetic reviews and immunisation programmes. In order to make patient-based payments, basic and relevant necessary data about you needs to be sent to the various payment services. This data contains limited identity if needed, such as your NHS number. The release of this data is required by English laws.

Legal Basis – Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.” And Article 9(2)(h) ‘as stated below

Controllers that data is disclosed to – NHS England, CCG, Public Health

Patient Record data base support

Purpose – The practice uses electronic patient records. Our supplier of the electronic patient record system is:  INSERT

Our supplier does not access identifiable records without permission of the practice and this is only given where it is necessary to investigate issues on a particular record

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘management of health and care services’.

Medicines optimisation

Purpose – We use software packages linked to our patient record system to aid when prescribing drugs. These ensure that prescribing is effective. We do not share your identifiable data with the companies that provide these packages.

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.

Clinical Audit

Purpose – Information will be used by the CCG for clinical audit to monitor the quality of the service provided to patients with long term conditions. When required, information will be held centrally and used for statistical purposes (e.g. the National Diabetes Audit). When this happens, strict measures are taken to ensure that individual patients cannot be identified from the data.

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘management of health and care services’.

Controller – Somerset Clinical Commissioning Group

National Fraud Initiative – Cabinet Office

Purpose – The use of data by the Cabinet Office for data matching is carried out with statutory authority. It does not require the consent of the individuals concerned under Data Protection legislation. Data matching by the Cabinet Office is subject to a Code of Practice. For further information see:

https://www.gov.uk/government/publications/code-of-data-matching-practice-for-national-fraud-initiative

NFI activities vary each year, so data would only be disclosed if required by the focus of their activities

Legal Basis – Part 6 of the Local Audit and Accountability Act 2014

Controller – Cabinet Office

National Registries

Purpose – National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.

Legal Basis – Section 251 of the NHS Act 2006

 

Police

Purpose – The police may request information in relation to ongoing enquiries. All requests are reviewed and only appropriate information will be shared under legislation.

Legal Basis –

Article 6(1)e – task carried out in the public interest

Article 9(2)c – Vital Interests

Article 9(2)f – Legal claims or judicial acts

Article 9(2)g – Reasons of substantial public

Controller disclosed to – Police