Data Protection – GDPR
Recently the Data Protection act 1998 was revised and updated to the Data Protection Act 2018 (DPA). This Act was also joined by new regulations on data protection and fair processing called the General Data Protection Regulation (GDPR) which came into effect on 25th May 2018.
THE FAMILY SURGERY
Dr Juwairia Hashmi
7 High Street, Green St Green, Orpington, BR6 6BG
Inclusive of Patient Data Sharing and ‘Summary Care Record’ information sheet
The Family Surgery is a GP Surgery, licenced to practice within the Bromley borough of the United Kingdom. All GP Surgeries in England are DATA CONTROLLERS (A controller determines the purposes and means of processing personal data) and DATA PROCESSORS (A processor is responsible for processing personal data on behalf of a controller)
We invite you to visit the reception desk and ask one of our receptionists/Administrators to give you a full copy of The Family Surgery Privacy Notice leaflet, which includes information about:
- What is a Privacy Notice
- How your personal information is used
- Mobile phone communications
- Practice website
- How we maintain the confidentiality of your records
- Who are our partner organisations?
- How to Access the personal information we hold about you (including what rights you have to access this information)
- What to do if you want to make a complaint
- Your rights to have information amended, changed or removed from your records
- Detailed information about what a Summary Care record (SCR) is and how to opt-in and opt-out of it.
What is a Privacy Notice?
A Privacy Notice (or ‘Fair Processing Notice’) is an explanation of what information the Practice collects on patients, and how it is used. Being transparent and providing clear information to patients about how a Practice uses their personal data is an essential requirement of the Data Protection Act (DPA) (Initially published in 1998, revised and updated to the Data Protection Act 2018.
Under the DPA, the first principle is to process personal data in a fair and lawful manner, and applies to everything that is done with patient’s personal information. In practice, this means that the Practice must;
- Have legitimate reasons for the use or collection of personal data.
- Not use the data in a way that may cause adverse effects on the individuals (e.g. improper sharing of their information with 3rd parties)
- Be transparent about how you the data will be used, and give appropriate privacy notices when collecting their personal data.
- Handle personal data only as reasonably expected to do so.
- Make no unlawful use of the collected data.
How your personal information is used
The healthcare professionals who provide you with care, maintain records about your health. Sharing this information helps to improve the treatment you receive, such as a hospital consultant writing to your GP.
The Family Surgery manages patient information in accordance with existing laws and with guidance from organisations that govern the provision of healthcare in England such as the Department of Health and the General Medical Council. We follow strict data sharing guidelines to keep your information safe and secure.
As data controllers, GPs have fair processing responsibilities under the Data Protection Act 1998/2018. In practice, this means ensuring that your personal confidential data (PCD) is handled clearly and transparently, and in a reasonably expected way.
The Health and Social Care Act 2012 changed the way that personal confidential data is processed, therefore it is important that our patients are aware of and understand these changes, and that you have an opportunity to object and know how to do so.
The health care professionals who provide you with care maintain records about your health and any NHS treatment or care you have received (e.g. NHS Hospital Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.
GP Records are stored electronically and on paper and may include the following information:
- Details about you, such as your address, carers, legal representatives, emergency contact details, etc.
- Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, telephone calls, etc.
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations such as laboratory tests, x-rays, etc.
- Relevant information from other health professionals, relatives or those who care for you
Your records are used to ensure you receive the best possible care. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within the GP practice for clinical audits to monitor the quality of the service provided.
The Practice can disclose personal information if:
- It is required by law
- You provide consent – either implicitly or for the sake of their own care, or explicitly for other purposes
- It is justified to be in the public interest
Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – the surgery will always endeavour to gain your consent before releasing the information for this purpose.
Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care.
Patients can choose to withdraw their consent to their data being used in this way. When the practice is about to participate in any new data-sharing scheme we will make patients aware by displaying prominent notices in the surgery.
A patient can object to their personal information being shared with other health care providers but if this limits the treatment that you can receive then the doctor will explain this to you at the time.
If you would like to know more about how your information is shared within the NHS or how to ‘opt-out of any data sharing scheme, please contact reception.
If you provide us with your mobile phone number we may use this to send you reminders about any appointments, test results or other health screening information being carried out. If you wish to ‘opt-out’ of this service, please contact reception.
Please note, if you wish to ‘opt-out’ of this service, the surgery can still retain your mobile telephone number on your medical records (If that is your wish). This requires us to modify the settings on your account in the following way:
Appointment reminders and test result texts are sent when the clinical system we use (Emis Web) lists your mobile telephone number in the ‘Mobile telephone’ section of your contact details. To ‘Turn off’ mobile text messaging, we would place your mobile telephone number under the category of ‘Home’ or ‘Work’.
Personal data must be processed in a fair manner – the Data Protection Act says that information should be treated as being obtained fairly if it is provided by a person who is legally authorised or required to provide it. Fair Processing means that the Practice has to be clear and open with people about how their information is used.
Providing a ‘Privacy Notice’ is a way of stating The Family Surgery’s commitment to being transparent and is a part of fair processing, however you also need to consider the effects of processing on the individuals and patients concerned;
- What information are we collecting?
- Who collects the data?
- How is it collected?
- Why do we collect it?
- How will we use the data?
- Who will we share it with?
- What is the effect on the individuals?
- If we use it as intended, will it cause individuals to object or complain?
Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information using software, and is only provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary your GP may be able to offer you additional services. This is an acceptable way of assessing patients’ needs and prevent ill health, however it is also regarded as a disclosure of personal information, and patients have the option to opt out of any data collection at the Practice. If you do ‘opt-in’ to this type of data sharing you can change your mind at any time, and inform the practice you wish to ‘opt-out’.
If a patient has had NHS treatment, their personal information may be shared within a secure and confidential environment to determine which CCG should pay for the treatment received. This means sharing identifiable information such as name, address, date of treatment etc. to enable the billing process.
The Practice may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost effective treatments. This service is provided to practices within Bromley Clinical Commissioning Group (CCG).
How do we maintain the confidentiality of your records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- The General Data Protection Regulation (GDPR)
- Data Protection Act 2018 (revised from the Data Protection Act 1998)
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- Health and Social Care Act 2012
- NHS Codes of Confidentiality, Information Security and Records Management
- Information: To Share or Not to Share Review
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.
All of our staff receive appropriate and regular training to ensure they are aware of their personal responsibilities and have legal and contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies.
Who are our partner organisations?
Partner organisations will usually include NHS organisations (hospitals, CCGs, NHS England etc.) other public sectors (Education, Police, Fire etc.) and any other Data Processors that may be carrying out specific project work with the Practice (e.g. Diabetes UK).
We may also have to share your information, subject to strict agreements on how it will be used, with the following contractors and organisations;
- NHS Trusts / Foundation Trusts
- GP Walk-in Units
- Accident and Emergency (A+E)
- Specialist Trusts
- Urgent Care Centres
- NHS Commissioning Support Units
- Independent Contractors such as dentists, opticians, pharmacists
- Private Sector Providers
- Voluntary Sector Providers
- Ambulance Trusts
- Clinical Commissioning Groups
- NHS Digital (formerly HSCIC)
- Social Care Service
- Bexley Healthcare Limited (Referral triage and management)
- Local Authorities
- Education Services
- Fire and Rescue Services
- Police & Judicial Services
- Voluntary Sector Providers
- Private Sector Providers
- Other ‘data processors’ which you will be informed of
You will be informed who your data will be shared with and in some cases asked for explicit consent for this happen when this is required.
We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.
Access to your personal information (Subject Access Requests)
You have a right under the DPA and General Data Protection Regulation (GDPR) to request access to view or to obtain copies of what information the surgery holds about you, and to have it amended should it be inaccurate.
In order to request this, you need to do the following:
- Your request must be made in writing to the GP – for information from the hospital you should write direct to them.
- You will not be charged for this service and we are required to respond to you within 30 days.
- The Practice has the right enquire as to what (the amount, date range or specific details) information you are requesting, and to act accordingly to transfer the data to you. The Practice has the right to reject your request if it is seen to be excessive. An example of where we may reject a request is that you request full copies of your records and the following month, you request the same information to be transferred into your care.
- You have the right to sign up for an online ‘Patient services’ account, and request that the Practice change the default settings on its clinical system, to enable you to view the information we hold about you in an electronic format. If you don’t have an online / Patient services account, or want more information on what a Patient services account is, please visit reception.
- You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located.
You can find The Family Surgery registration details by entering this Practice’s details into the following Information Commissioner’s Office (ICO) search:
Registration Number: Z5355445
Name: The Family Surgery
Address: 7 High Street, Green St Green, Orpington
Postcode: BR6 6BG
Objections / Complaints
Should you have any concerns about how your information is managed at The Family Surgery, please contact Debbie Parker, Quality & Assurance Manager and our Practice Manager, Fahad Mahmood our Information Governance specialist adviser to the Practice. If you are still unhappy following a review by the GP practice, you can contact the Information Commissioners Office (ICO) with your complaint, via their website (www.ico.gov.uk). Or contact them by telephone on : 0303 123 1113
If you are happy for your data to be extracted and used for the purposes described in this privacy notice then you do not need to do anything. If you have any concerns about how your data is shared then please contact the practice.
Change of Details and your rights to have information amended, changed or removed from your records
It is important that you tell the person treating you if any of your details, such as your name or address have changed or if any of your details such as date of birth is incorrect in order for this to be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.
If The Family Surgery is holding incorrect information about you, please inform reception. If it detains to a change of name or address, you may be asked to provide proof that such details have changed.
If you wish to remove data from your records, i.e. a telephone number or contact details of next of kin, please inform reception, who will remove the data from your records. If you wish to remove medical data from your medical records, it is most likely that you will have to discuss the matter with one of our doctors, so please inform the reception desk, who will inform the doctor of your request. This may result in your requiring an appointment with the doctor.
The Data Protection Act 1998, updated and revised to the GDPR and Data Protection Act 2018 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.
This information is publicly available on the Information Commissioners Office website www.ico.org.uk
The practice is registered with the Information Commissioners Office (ICO).
Who is the Data Controller?
The Data Controller, responsible for keeping your information secure and confidential is The Family Surgery. Any changes to this notice will be displayed in prominent notices in the surgery.
The Partnership is registered as a data controller under the Data Protection Act 1998 Registration number : Z5355445. Our registration can be viewed on-line in the public register at www.ico.gov.uk
Further information about the way in which the NHS uses personal information and your rights in that respect can be found in:
- The NHS Care Record Guarantee : http://www.nigb.nhs.uk/pubs/nhscrg.pdf
- The NHS Constitution : https://www.gov.uk/government/publications/the-nhs-constitution-for-england
- NHS Digital’s Guide to Confidentiality in Health & Social Care gives more information on the rules around information sharing : http://content.digital.nhs.uk/article/4979/Assuring-information
An independent review of information about patients is shared across the health and care system led by Dame Fiona Caldicott was conducted in 2012. The report, Information: To share or not to share? The Information Governance Review, be found at: https://www.gov.uk/government/publications/the-information-governance-review
NHS England – Better Data, Informed Commissioning, Driving Improved Outcomes: Clinical Data Sets provides further information about the data flowing within the NHS to support commissioning.
Please visit the NHS Digital website for further information about their work. Information about their responsibility for collecting data from across the health and social care system can be found.
The Information Commissioner’s Office is the Regulator for the Data Protection Act 1998 and offer independent advice and guidance on the law and personal data, including your rights and how to access your personal information. For further information please visit the www.ico.gov.uk
Summary Care Record (SCR)
The Summary Care Record is a secure, electronic patient record that contains key information from your detailed GP records that can be accessed by emergency services to ensure safe treatment. The core information held on your SCR is current medication, allergies and any previous adverse reactions to medicines. Significant medical history, care plans, or patient wishes can also be shared with your consent.
When you registered a basic SCR will have been created for you. You may choose to opt out of sharing any information at any time. Please contact reception who will send you a form to record your choice.
You may opt to share a detailed SCR which includes significant medical history, care plans, or any care preferences you may have. To give your express consent for this, please contact Reception.
If you are registered with a GP practice in England, you will already have a Summary
Care Record (SCR), unless you have previously chosen not to have one. It will
contain key information about the medicines you are taking, allergies you suffer from
and any adverse reactions to medicines you have had in the past.
Information about your healthcare may not be routinely shared across different
healthcare organisations and systems. You may need to be treated by health and
care professionals who do not know your medical history. Essential details about
your healthcare can be difficult to remember, particularly when you are unwell or
have complex care needs.
Having a Summary Care Record can help by providing healthcare staff treating you
with vital information from your health record. This will help the staff involved in your
care make better and safer decisions about how best to treat you.