Patient Privacy Notice

Concept House Surgery

This privacy notice explains why Concept House and Sefton Road Surgery, hereafter known as ‘the Practice’, collects information about you, how it is kept secure and how that information is used.

This notice will explain:

Introduction

The General Data Protection Regulation (GDPR) became law on 25 May 2018.  This regulation protects the personal and sensitive data of a living individual.  It is currently known as the UK GDPR 2021 after the United Kingdom withdrew from the European Union on 31 January 2020.

As your registered GP practice, we are the data controller for any personal and sensitive data we hold about you.  We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

Why do we collect your information?

Healthcare professionals within the NHS who provide you with care are required by law to maintain your medical records with details of any care or treatment you received.  This information will be used to aid clinicians in making decisions, either individually or jointly, about your health and to make sure your care is safe and effective.  Other reasons include:

What information do we collect?

The healthcare professionals who provide you with care maintain records about your health and any treatment or care you have received previously or elsewhere (eg NHS hospital Trust, another GP surgery, Out of Hours service, Accident & Emergency Department, etc).  These records help to provide you with the best possible healthcare.

Information we hold about you may include the following:

How do we keep your information safe and secure?

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.  We maintain our duty of confidentiality by conducting annual training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it.

We will not disclose your information to any third party without your permission unless there are exceptional circumstances, or where the law requires information to be passed on, for example:

Our practice policy is to respect the privacy of our patients, their families and our staff, and to maintain compliance with the UK GDPR and all UK-specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be protected.

All employees must sign a confidentiality agreement as part of their condition of employment.  We also ensure that data processors who support us are legally and contractually bound to operate security arrangements, and to prove they are in place, wherever data which could or does identify a person is processed.

Third party processors include:

We will email or text you regarding matters of medical care, such as appointment reminders and, if appropriate, test results, unless you have separately given the practice your explicit consent to do so.  We maintain our duty of confidentiality to you and will only use or share information with others if they have a genuine need for it.  We will not share your information with a third party without your permission, unless there are exceptional circumstances, ie life and death, or where the law requires us to share your information.

Why do we share your information, and who do we share it with?

Confidential patient data will be shared within the healthcare team at the practice, including nursing staff, administration staff (prescription, secretaries, reception, finance) and with other healthcare professionals to whom a patient is referred.

Data processors

The practice uses data processors to perform certain administrative tasks for us, particularly where these involve large numbers of patients.  Details of the data processors are listed below:

This information will be used to:

Data sharing schemes

Several data sharing schemes are active locally, enabling healthcare professionals working outside of the surgery to view information from your GP record.  These schemes are as follows:

The shared record means patients do not have to repeat their medical history at every care setting.

Your record will be automatically set up to be shared with the organisations listed above; however, you have the right to ask your GP to stop your record from being shared or to allow access only to parts of your record.

Your electronic health record contains lots of information about you.  In most cases, particularly for patients with complex conditions and care arrangements, this means that you get the best care and that the person involved in your care has all the information about you.

Mandatory disclosure of information

We are sometimes legally obliged to disclose information about patients to relevant authorities.  In these circumstances the minimum identifiable information that is essential to serve that legal purpose will be disclosed.

The organisation will also have a professional and contractual duty of confidentiality.  Data will be anonymised if possible before disclosure if this would serve the purpose for which the data is required.

Organisations which we are legally obliged to release patient data to include:

Permissive disclosure of information

The practice can release information from your medical records to relevant organisations, only with your explicit consent.  These include:

Don’t want to share your information?

You have the right to withdraw your consent at any time for any instance of processing, provided consent is the legal basis for the processing.  Please contact your GP Practice for further information and to raise your objection.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.

Your practice has systems and processes in place to comply with the National Data Opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.

To find out more or to register your choice to opt out, please visit https://www.nhs.uk/your-nhs-data-matters/ or telephone 0300 3035678.  On the webpage you will:

You can also find out more about how patient information is used at:

https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research).

https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Legal basis for processing your personal data

We need to know your personal, sensitive, and confidential data so that we can provide you with healthcare services as a General Practice.  Under the new rules called General Data Protection Regulation (GDPR) there are different reasons why we may process your data; however, we mostly rely upon:

Article 6(1)(e): Official Authority; and

Article 9(2)(h): Provision of health

For much of our processing, in particular:

We also rely upon:

Your data rights

The UK GDPR allows you to ask for any information the practice holds about you, including your medical records.  It also allows you to ask the practice to rectify any factually inaccurate information and object to how your information is shared with other organisations (opt-out).

Data being used or shared for purposes beyond individual direct care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Right of access

The practice holds both personal and sensitive data (health records) about you.  If you need to review a copy of your historical medical records, you can contact the surgery to make a ‘Subject Access Request’.  Please note, if you receive a copy, there may be information that has been hidden. Under UK GDPR the practice is legally permitted to apply specific restrictions to the released information.  The most common restrictions include:

Right to rectification

You have the right to have any factual inaccuracies about you in your medical record corrected.  Please contact the surgery with your request.

Right to object

If you do not wish to share your information with organisations who are not responsible for your direct care, you can opt out of the sharing schemes.  For further information about opting out, please visit Your NHS Data Matters.

Right to withdraw consent

Where the practice has obtained your consent to process your personal data for certain activities (eg preparation for a subject access request for a third party), you have the right to withdraw your consent at any time.

Your access to your future health records

From 1 November 2022, if you have online access to your medical records, you will be given access to your full records (from 1 November 2022).  This means you will have access to free texts, letters, and documents once they have been reviewed and filed by the GP.  Please note that this will not affect proxy access. 

If you move practice, access to your full medical records will commence from the date you register with the new practice.

There will be limited legitimate reasons why access to prospective medical records will not be given or will be reduced, and they are based on safeguarding.  If the release of information is likely to cause serious harm to the physical or mental health of you or another individual, the GP could refuse or reduce access to prospective records; third party information may also not be disclosed if deemed necessary.  On occasion, it may be necessary for a patient to be reviewed before access is granted, if access can be given without a risk of serious harm.

What should you do if your personal information changes?

It is important that you tell the person treating you if any of your details, such as your name or address, have changed, or if any of your details, such as your date of birth, are incorrect, so that they can be amended. You have a responsibility to inform us as soon as possible of any changes so that our records are accurate and up to date.

How long will we store your data?

The NHS Records Management Code of Practice 2021 will replace the 2016 version.  It identifies specific retention periods, which are listed in Appendix II: Retention Schedule.

Please see https://www.nhsx.nhs.uk/information-governance/guidance/records-management-code/records-management-code-of-practice-2021/ for a copy of the 2021 NHS retention period policy.

How can you complain?

If you have any concerns about how your data is managed, please contact the Practice Manager in the first instance. 

For independent advice about data protection, privacy and data sharing issues, you can contact:

The Information Commissioner

Wycliffe House

Water Lane

Wilmslow

Cheshire, SK9 5AF

Tel: 0303 123 1113

Web: www.ico.org.uk

Further information

If you have any concerns about how your data is shared or would like to know more about your rights in respect of your personal data held by the practice, please contact the Data Protection Officer.

Data Protection Officer

Any queries about data protection issues should be addressed to:

Sharon Forrester-Wild

Email: DPO.healthcare@nhs.net

Tel: 07946 593082