How Queens Park Medical Centre uses your information to provide you with healthcare
This practice keeps medical records confidential and complies with the General Data Protection Regulation. This privacy notice explains why we collect information about you, how that information may be used and how we keep it safe and confidential.
Why we collect information about you
We hold your medical record so that we can provide you with safe care and treatment. Health Care Professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS Organisation.
We will also use your information so that the practice can check and review the quality of the care we provide. This helps us to improve our services to you.
Details we collect about you
We hold both electronic and paper records. Records we may hold about you may include:
- Details about you such as your name, date of birth, address, carer and next of kin
- Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations such as laboratory tests, x-rays, etc.
- Relevant information from other health professionals, relatives or those who care for you.
All patients who receive NHS care are registered on a national database. This database holds your name, address, date of birth and NHS Number but it does not hold information about the care you receive. The database is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS data. More information can be found at: https://digital.nhs.uk or the phone number for general enquiries at NHS Digital is 0300 303 5678.
How we keep your information confidential and safe
Everyone working for the NHS is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised with consent given by the patient, unless there are other circumstances covered by the law. The NHS Digital Code of Practice on Confidential Information applies to all our staff and they are required to protect your information. All our staff are expected to make sure information is kept confidential and receive annual training on how to do this.
NHS health care records may be electronic, on paper or a mixture of both. We use a combination of working practices and technology to ensure that your information is kept confidential and secure. Your records are backed up securely in line with NHS standard procedures. We ensure that the information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personnel. We also make sure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- Data Protection Act 1998
- General Data Protection Regulation 2018
- Human Rights Act
- Common Law Duty of Confidentiality
- NHS Codes of Confidentiality and Information Security
- Health and Social Care Act 2015
We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.
How we use your information
- This practice handles medical records in line with laws on data protection and confidentiality.
- We share medical records with those who are involved in providing you with care and treatment
- In some circumstances we may also share medical records for medical research, for example to prevent infectious diseases from spreading or to check the care being provided to you is safe.
- You have the right to be given a copy of your medical record (practice guidance and policy are in place).
- You have the right to object to your medical records being shared with those who provide you with care.
- You have the right to object to your information being used for medical research and to plan health services.
- You have the right to have any mistakes (for example a typing error; this does not relate to removal of information) corrected and to complain to the Information Commissioner's Office.
- Please see the practice privacy notice on the website or speak to a member of staff for more information about your rights.
For more information ask at reception for a leaflet.
We will also when necessary share relevant information from your medical record with other health or social care staff or organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital. Or your GP will send details about your prescription to your chosen pharmacy.
Healthcare staff working in A&E and out of hours care will also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergies. This will involve the use of your Summary Care Record.
Under the powers of the Health and Social Care Act 2015, NHS Digital can request personal confidential data from GP Practices without seeking patient consent. Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care.
The law requires Queens Park Medical Centre to share information from your medical records in certain circumstances. Information is shared so that the NHS or Public Health England can, for example:
- plan and manage services;
- check that the care being provided is safe;
- prevent infectious diseases from spreading.
We will share information with NHS Digital, the Care Quality Commission and local health protection team (or Public Health England) when the law requires us to do so.
You have the right to object to information being shared for your own care. Please speak to the practice if you wish to object. You also have the right to have any mistakes or errors corrected.
To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and help us to manage the NHS.
Care Quality Commission (CQC)
The CQC regulates health and social care services to ensure that safe care is provided. The law says that we must report certain serious events to the CQC, for example when patient safety has been put at risk.
For more information about the CQC see: http://www.cqc.org.uk/
The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population. We will report the relevant information to the local health protection team or Public Health England.
Checking the quality of care (National Clinical Audits)
Westbourne Medical Centre contributes to national clinical audits so that healthcare can be checked and reviewed. Information from medical records can help doctors and other healthcare workers measure and check the quality of care which is provided to you. The results of the checks or audits can show where hospitals/practices are doing well and where they need to improve. The results of the checks or audits are used to recommend improvements to patient care. Data is sent to NHS Digital, a national body with legal responsibilities to collect data. The data will include information about you, such as your NHS Number and date of birth, and information about your health which is recorded in coded form, for example the code for diabetes or high blood pressure. We will only share your information for national clinical audits or checking purposes when the law allows.
For more information about national clinical audits see the Healthcare Quality Improvements Partnership website: https://www.hqip.org.uk/ or phone 020 7997 7370.
You have the right to object to your identifiable information being shared for national clinical audits. Please contact the practice if you wish to object. Information may be used for clinical audits to monitor the quality of service provided. Some of this information may be held centrally and used for statistical purposes. Where we do this we take strict measures to ensure that individual patients cannot be identified e.g. The National Diabetes Audit.
National Registries (such as Learning Disabilities Register) have statutory permission under section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.
Risk Stratification is a process for identifying and managing patients who are most likely to need hospital or other healthcare services. Risk Stratification tools used in the NHS help determine a person's risk of suffering a particular condition and enable us to focus on preventing ill health and not just the treatment of sickness. Information about you is collected from a number of sources including NHS Trusts and from GP Practice. Section 251 of the NHS Act 2006 provided a statutory legal basis to process data for risk stratification purposes. If you do not wish information about you to be included in the risk stratification programme, please let us know. We can add a code to your records that will stop your information from being used for this purpose.
Identifying patients who might be at risk of certain diseases
Your medical records will be searched by a computer programme so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital. This means we can offer patients additional care or support as early as possible. This process will involve linking information from your GP record with information from other health or social care services you have used. Information which identifies you will only be seen by this practice.
National screening programmes
The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.
Supporting Medicines Management
CCGs support local GP Practices with prescribing queries which generally don't require identifiable information. CCG Pharmacists work with us to provide advice on medicines and prescribing queries and review prescribing of medicines to ensure that it is safe and cost-effective. Where specialist support is required e.g. to order a drug that comes in a solid form, in gas or liquid, the CCG medicines management team will order this on behalf of the practice to support your care.
To ensure that adult and children's safeguarding matters are managed appropriately access to identifiable information will be shared in some limited circumstances where it's legally required for the safety of the individual concerned.
Summary Care Record (SCR)
NHS England uses a national electronic record called the Summary Care Record (SCR) to support patient care. It contains key information from your GP record. Your SCR provides authorised healthcare staff with faster, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable. Summary Care Records are there to improve the safety and quality of your care. SCR core information comprises your allergies, adverse reactions and medications. An SCR with additional information can also include reason for medication, vaccinations, significant diagnoses/problems, significant procedures, anticipatory care information and end of life care information. Additional information can only be added to your SCR with your agreement.
Please be aware that if you choose to opt-out of SCR, NHS healthcare staff caring for you outside of this surgery may not be aware of your current medications, allergies you suffer from and any bad reactions to medicines you have had, in order to treat you safely in an emergency.
Your records will stay as they are now with information being shared by letter, email, fax or phone. If you wish to opt-out of having an SCR please return a completed opt-out form to the practice.
We will approach the management of patient records in line with Records Management NHS Code of Practice for Health and Social Care which sets the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England, based on current legal requirements and professional best practice.
Who are our partner organisations?
We may also have to share your information, subject to strict arrangements on how it will be used, with the following organisations:
- NHS Trusts/Specialist Trusts
- Independent Contractors such as Dentists, Opticians, Pharmacists etc.
- Private Sector Providers
- Ambulance Trusts
- Clinical Commissioning Groups
- Social Care Services
- Local Authorities
- Education Services
- Fire and Rescue Services
- Other 'Data Processors'
We will never share your information outside of health partner organisations without your explicit consent unless there are exceptional circumstances such as when the health or safety of others is at risk, where the law requires it or to carry out a statutory function. Within the health partner organisations (NHS and Specialist Trust) and in relation to the above mentioned themes: Risk Stratification, Supporting Medicines Management and Summary Care Record, we will assume you are happy for your information to be shared unless you choose to opt-out.
If you do not want your information to be used for any purpose beyond providing your care you can choose to opt-out. If you wish to do so, please let us know so we can code your record appropriately. We will respect your decision if you do not wish your information to be used for any purpose other than your care but in some circumstances we may still legally be required to disclose your data.
This means you will need to express an explicit wish not to have your information shared with the other NHS organisations; otherwise they will be automatically shared. We are required by law to report certain information to the appropriate authorities. This is only provided after formal permission has been given by a qualified health professional. There are occasions when we must pass on information, such as notification of new births, where we encounter infectious diseases which may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS) and where a formal court order has been issued. Our guiding principle is that we are holding your records in strictest confidence.
For independent advice about data protection, privacy and data-sharing issues, you can contact: The Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or telephone 0303 123 1113 or use the website: www.ico.gov.uk
Access to your information
Under the new General Data Protection Regulation (GDPR) 2018 everybody has the right to see or have a copy of data we hold that can identify you, with some exceptions. You do not need to give a reason to see your data. If you want to access your data you must make the request in writing. Under special circumstances, some information may be withheld.
Change of Details
It is important that you tell the person treating you if any of your details such as your name or address have changed or if any of your details are incorrect in order for this to be amended. Please inform us of any changes so our records for you are accurate and up to date.
If you provide us with your mobile phone number, we may use this to send you reminders about your appointments or other health screening information. Please let us know if you do not wish to receive reminders on your mobile.
Queens Park Medical Centre is registered with the Information Commissioner's Office (ICO) to describe the purposes for which it processes personal and sensitive information.
If you have concerns or are unhappy about any of our services, please contact the practice.
The NHS Care Record Guarantee
The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS, what control the patient can have over this, the rights individuals have to request copies of their data and how data is protected under the Data Protection Act 1998. More information can be found on the website: https://systems.digital.nhs.uk/infogov/links/nhscrg.pdg
The NHS Constitution
The NHS Constitution establishes the principles and values of the NHS in England. It sets out the rights patients, the public and staff are entitled to. These rights cover how patient information is used in the NHS, what control the patient can have over this, the rights individuals have.
NHS Digital is a national body which has legal responsibilities to collect information about health and social care services. It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients. This practice must comply with the law and will send data to NHS Digital, for example when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012.
More information about NHS Digital and how it uses information can be found at: https://digital.nhs.uk/home
NHS Digital sometimes shares names and addresses of patients suspected of committing immigration offences with the Home Office.
We are required by law to provide you with the following information about how we handle your information.
Data Protection Officer contact details
Liane Cotterill, Senior Governance Manager & Data Protection Officer, North of England Commissioning Support, Teesdale House, Westpoint Road, Thornaby, Stockton-On-Tees, TS17 6BL.
Telephone: 01642 745042
Purpose of the processing
- To give direct health or social care to individual patients. For example, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care.
- To check and review the quality of care. (This is called audit and clinical governance)
- Compliance with legal obligations or court order
- The NHS provides several national health screening programmes to detect diseases or conditions early such as cervical and breast cancer, aortic aneurysm and diabetes.
- The information is shared so that the correct people are invited for screening. This means those who are most at risk can be offered treatment.
Lawful basis for processing
These purposes are supported under the following sections of the GDPR:
Article 6 (1)(c) - 'processing is necessary for compliance with a legal obligation to which the controller is subject...'
Article 6 (1)(e) - '... necessary for the performance of a task carried out in the public interest or in the exercise of official authority...'; and
Article 9 (2)(h) - 'necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...'
Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.
Recipient or categories of recipients of the processed data
The data will be shared with:
- healthcare professionals and staff in this surgery;
- local hospitals;
- out of hours services;
- diagnostic and treatment centres; or other organisations involved in the provision of direct care to individual patients.
For national clinical audits which check the quality of care the data will be shared with NHS Digital and the following:
- The Care Quality Commission
- Our local health protection team or Public Health England.
- The court if ordered
Rights to object and the national data opt-out
You have the right to object to information being shared between those who are providing you with direct care.
- This may affect the care you receive; please speak to the practice.
- You are not able to object to your name, address and other demographic information being sent to NHS Digital.
- This is necessary if you wish to be registered to receive NHS care.
- You are not able to object when information is legitimately shared for safeguarding reasons.
- In appropriate circumstances it is a legal and professional requirement to share information for safeguarding reasons. This is to protect people from harm.
- The information will be shared with the local safeguarding service.
You have a right to object under the GDPR and the right to 'opt-out' under the national data opt-out model to information that identifies you being used or shared for medical research purposes and quality checking or audit purposes. For national screening programmes you can opt out so that you no longer receive an invitation to a screening programme. For more information please visit https://www.gov.uk/government/publications/opting-out-of-the-nhs-population-screening-programmes
There are very limited rights to object when the law requires information to be shared but government policy allows some rights of objection as set out below.
- NHS Digital: you have the right to object to information being shared with NHS Digital for reasons other than your own direct care. This is called a 'Type 1' objection; you can ask the surgery to apply this code to your record. Please note 'Type 1' objection will no longer be available after 2020. This means you will not be able to object to your data being shared with NHS Digital when it is legally required under the Health and Social Care Act 2012.
- NHS Digital sharing with the Home Office: there is no right of objection to NHS Digital sharing names and addresses of patients who are suspected of having committed an immigration offence.
- Public Health, legally information must be shared under public health legislation. This means that you are unable to object.
- Care Quality Commission; legally information must be shared when the Care Quality Commission needs it for their regulatory functions. This means that you are unable to object.
- Court order, your information must be shared if it is ordered by a court. This means that you are unable to object.
Right to access and correct
You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff.
We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.
GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found at: https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
Or speak to the practice.
Right to complain
You have the right to complain to the Information Commissioner's Office. If you wish to complain, follow this link https://ico.org.uk/global/contact-us/ or call the helpline on 0303 123 1113.
Data we get from other organisations
We receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation the hospital will send us a letter to let us know what happens. This means your GP medical record is kept up to date when you receive care from other parts of the health service.
GDPR (Data Protection)
What is GDPR?
GDPR stands for General Data Protection Regulations and is a new piece of legislation that will supersede the Data Protection Act. It will not only apply to the UK and EU; it covers anywhere in the world in which data about EU citizens is processed.
The GDPR is similar to the Data Protection Act (DPA) 1998 (which the practice already complies with), but strengthens many of the DPA's principles. The main changes are:
- Practices must comply with subject access requests
- Where we need your consent to process data, this consent must be freely given, specific, informed and unambiguous
- There are new, special protections for patient data
- The Information Commissioner's Office must be notified within 72 hours of a data breach
- Higher fines for data breaches, up to €20 million.
What is 'patient data'?
Patient data is information that relates to a single person, such as his/her diagnosis, name, age, earlier medical history etc.
What is consent?
Consent is permission from a patient. An individual's consent is defined as 'any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.'