Privacy Notice – GDPR
Your Information, Your Rights
Being transparent and providing accessible information to patients about how we will use your personal information is a key element of the Data Protection Act 2018 and the EU General Data Protection Regulations (GDPR).
The following notice reminds you of your rights in respect of the above legislation and how your GP Practice will use your information for lawful purposes in order to deliver your care and the effective management of the local NHS system.
As your registered GP practice, we are the data controller for any personal data that we hold about you.
Why We Collect Data About You
The NHS Act 2006 and the Health and Social Care Act 2012 invest statutory functions in GP Practices to promote and provide the health service in England, improve quality of services, reduce inequalities, conduct research, review performance of services and deliver education and training. To do this we will need to process your information in accordance with current data protection legislation. Your information can be written down (manual records) or held on a computer.
The records may include:
- Basic details about you, such as address or next of kin
- Contacts we have had with you, such as clinic visits
- Notes and reports about your health and any treatment and care you may have received
- Details and records about the treatment and care you receive
- Results of investigations, such as x-rays and laboratory tests
- Relevant information from other health professionals, or those who care for you and know you well
How Is The Information Collected
Your information will be collected either electronically using secure NHS Mail or by a secure electronic transfer over an NHS encrypted network connection. In addition, physical information will be sent to your practice. This information will be retained within your GP’s electronic patient record or within your physical medical records.
How Your Records Are Used To Help You
Your records are used to guide professionals in the care you receive to ensure that:
- Your nurse, doctor or any other healthcare professionals involved in your care have accurate and up-to-date information to assess your health and decide what care you need
- Full information is available if you see another doctor, or are referred to a specialist or another part of the NHS
- There is a good basis for assessing the type and quality of care you have received
- Your concerns can be properly investigated if you need to complain
How Your Records Are Used To Help The NHS
Your records may also be used to help us:
- Assess the needs of the general population
- Make sure our services can meet patient needs in the future
- Review the care we provide to ensure it is of the highest standard
- Teach and train healthcare professionals
- Conduct research and development
- Pay your GP and hospital for the care they provide
- Audit NHS accounts and services
- Prepare statistics on NHS performance
- Investigate complaints, legal claims or untoward incidents
How We Keep Your Records Confidential
Everyone working for the NHS has a legal duty to keep information about you confidential. You may be receiving care from other organisations (like social services) as well as the NHS. We may need to share some information about you so that we can all work together for your benefit. We will only ever use or pass on information about you if others involved in your care have a genuine need for it.
We will not disclose your information to third parties unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires information to be passed on.
Anyone who receives information from us is also under a legal duty to keep it confidential. We are required by law to report certain information to the appropriate authorities. This is only provided after formal permission has been given by a qualified healthcare professional.
Occasions when we must pass on information include:
- Notification of new births
- Where we encounter infectious diseases which may endanger the health or safety of others such as meningitis or measles (but not HIV/AIDS)
Information is not held for longer than is necessary. We will hold your information in accordance with the Records Management Code of Practice for Health and Social Care 2016.
Our guiding principle is that we are holding your records in strict confidence.
Consent And Objections – Do I Need To Give My Consent
The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how their data is used. When consent is used properly, it helps you build trust and enhance your reputation. However consent is only one potential lawful basis for processing information. Therefore your GP practice may not need to seek your explicit consent for every instance of processing and sharing your information, on the condition that the processing is carried out in accordance with this notice. Your GP Practice will contact you if they are required to share your information for any other purpose which is not mentioned within this notice. Your consent will be documented within your electronic patient record.
What Will Happen If I Withhold My Consent Or Raise An Objection
You have the right to write to withdraw your consent at any time for any particular instance of processing, provided consent is the legal basis for the processing. Please contact the GP Practice for further information and to raise your objection.
Health Risk Screening / Risk Stratification
Health Risk Screening or Risk Stratification is a process that helps your GP to determine whether you are at risk of an unplanned admission or deterioration in health. By using selected information such as age, gender, NHS number, diagnosis, existing long term condition(s), medication history, patterns of hospital attendances, admissions and periods of access to community care your GP will be able to judge if you are likely to need more support and care from time to time, or if the right services are in place to support the local population’s needs.
To summarise Risk Stratification is used in the NHS to:
- Help decide if a patient is at a greater risk of suffering from a particular condition;
- Prevent an emergency admission;
- Identify if a patient needs medical help to prevent a health condition from getting worse; and/or
- Review and amend provision of current health and social care services.
Your GP will use computer-based algorithms or calculations to identify their registered patients who are at most risk, with support from the local Commissioning Support Unit and/or a third party accredited Risk Stratification provider. They will only act on behalf of your GP to organise the risk stratification service with appropriate contractual, technical and security measures in place.
Your GP will routinely conduct the risk stratification process outside of your GP appointment. This process is conducted electronically and without human intervention. The resulting report is then reviewed by a multidisciplinary team of staff within the Practice. This may result in contact being made with you if alterations to the provision of your care are identified.
A Section 251 Agreement is where the Secretary of State for Health and Social Care has granted permission for personal data to be used for the purposes of risk stratification, in acknowledgement that it would overburden the NHS to conduct manual reviews of all patient registers held by individual providers.
As mentioned above, you have the right to object to your information being used in this way. However you should be aware that your objection may have a negative impact on the timely and proactive provision of your direct care. Please contact the Practice Manager to discuss how disclosure of your personal data can be limited.
How You Can Get Access To Your Own Health Records
Under the Data Protection Act 2018 you have the right to request access to your medical files. Access to health records may also be given to those acting on behalf of a patient if they have been nominated by the patient. This can be relevant for those patients with learning difficulties or who lack the mental capacity to care adequately for themselves. A next of kin has no automatic right to access your medical records.
The Medical Reports Act 1988 also gives you the right to see any medical reports written about you for employment and insurance purposes.
If you would like access to your health record please request a form from reception. We are also obliged to go through your record first to remove any reference to other parties which might breach their confidentiality and also take out any information which might be harmful to you.
Who Else Can Access Your Medical Records
In the majority of situations, third parties such as the police, insurance companies or solicitors cannot be given access to your health records unless you give written consent to do so or it is required by law and directed by a judge or magistrate. However, situations can arise where information may be disclosed to the police without patient consent. This may be when police are investigating or prosecuting a serious crime or where the disclosure of this information could prevent serious injury to the patient or others.
We may pass your personal information on to the following people or organisations, because these organisations may require your information to assist them in the provision of your direct healthcare needs. It, therefore, may be important for them to be able to access your information in order to ensure they may properly deliver their services to you:
- Hospital professionals (such as doctors, consultants, nurses, etc)
- Other GPs/Doctors
- Nurses and other healthcare professionals
- Community Services
- Out of Hours Services
- Ambulance Services
- Any other person that is involved in providing services related to your general healthcare, including mental health professionals.
The people caring for you need to access your health and care records in order to make the best decisions about your diagnosis, treatment and care.
If Your Personal Details Change
It is important that you tell the person treating you if any of your details such as your name or address have changed or if any of your details such as date of birth are incorrect in order for this to be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.
The Data Protection Act 2018 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.
Our data protection notification can be found on the Information Commissioner’s web site at www.ico.gov.uk
Should you have any concerns about how your information is managed by this GP Practice, please contact the GP Practice Manager.
If you are still unhappy following a review by the GP Practice, you can then complain to the Information Commissioner's Office (ICO):
The Information Commissioner
Population health management and Risk Stratification carried out by the Clinical Commissioning Group Herts Valleys CCG (HVCCG)
HVCCG extracts medical information about you for population health management and risk stratification purposes. The information we pass to them via our computer systems cannot identify you to them. This information only refers to you by way of a code that only your practice can identify (it is pseudo-anonymised). This therefore protects you from anyone who may have access to this information at the Clinical Commissioning Group from ever identifying you as a result of seeing the medical information, and we will never give them the information that would enable them to do this.
There are good reasons why the Clinical Commissioning Group may require this pseudo-anonymised information. These are as follows:
- To assist in analysing current health services and proposals for developing future services.
- To develop risk stratification models to help GPs to identify and support patients with long term conditions and to help to prevent unplanned hospital admissions or reduce the risk of certain diseases developing, such as diabetes.
- Using risk stratification to help the CCG to understand the health needs of the local population in order to plan and commission the right services.
NHS Arden and Greater East Midlands Commissioning Support Unit (AGEM) are commissioned by the CCG to carry out this process. The risk stratification tool that AGEM use for this process is called Gemima.
What if I do not want information about me to be included (opt out)?
If you do not wish your data to be included in this process (even though it is in a format which does not directly identify you) you can choose to opt-out. In this case, please inform the Receptionist who will apply an opt-out code to your record to ensure that your information is not included.