Practice Policies & Patient Information
Chaperones
If you feel you would like a chaperone present at your consultation please inform your doctor/nurse who will be happy to arrange this for you.
The practice prides itself on maintaining professional standards. For certain examinations during consultations an impartial observer (a ‘chaperone’) will be required.
This impartial observer will be a member of the practice team who will be available to reassure and raise any concerns on your behalf. If a chaperone is unavailable at the time of your consultation then your examination may be re-scheduled for another time.
You are free to decline any examination or choose an alternative examiner or chaperone. You may also request a chaperone for any examination or consultation if one is not offered to you. The GP may not undertake an examination if a chaperone is declined.
The role of a Chaperone
A chaperone is there to:
- Maintain professional boundaries during intimate examinations
- Acknowledge a patient’s vulnerability
- Provide emotional comfort and reassurance
- Assist in the examination
- Assist with undressing patients, if required
COVID-19 and Your Information
The ICO recognises the unprecedented challenges the NHS and other health professionals are facing during the Coronavirus (COVID-19) pandemic.
The ICO also recognises that ‘Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health’.
The government have also taken action in respect of this and on 20th March 2020 the Secretary of State for Health and Social Care issued a notice under Regulation 3(4) of The Health Service (Control of Patient Information) Regulations 2002 requiring organisations such as GP Practices to use your information to help GP Practices and other healthcare organisations to respond to and deal with the COVID-19 pandemic.
In order to look after your healthcare needs during this difficult time, we may urgently need to share your personal information, including medical records, with clinical and non-clinical staff who belong to organisations that are permitted to use your information and need to use it to help deal with the COVID-19 pandemic. This could (amongst other measures) consist of either treating you or a member of your family and enable us and other healthcare organisations to monitor the disease, assess risk and manage the spread of the disease.
Please be assured that we will only share information and health data that is necessary to meet your and the public’s healthcare needs.
The Secretary of State for Health and Social Care has also stated that these measures are temporary and will expire on 30 September 2020 unless a further extension is required. Any further extension will be provided in writing and we will communicate the same to you.
Please also note that the data protection and electronic communication laws do not stop us from sending public health messages to you, either by phone, text or email as these messages are not direct marketing.
It may also be necessary, where the latest technology allows us to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind.
Freedom of Information
The Freedom of Information Act creates a right of access to recorded information and obliges a public authority to:
- Have a publication scheme in place
- Allow public access to information held by public authorities.
The Act covers any recorded organisational information such as reports, policies or strategies, that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland. However, it does not cover personal information such as patient records, which are covered by the Data Protection Act.
Public authorities include government departments, local authorities, the NHS, state schools and police forces.
The Act is enforced by the Information Commissioner who regulates both the Freedom of Information Act and the Data Protection Act.
For more information, please visit the “ICO What is Freedom of Information Act?” page.
The surgery publication scheme
A publication scheme requires an authority to make information available to the public as part of its normal business activities. The scheme lists information under seven broad classes, which are:
- who we are and what we do
- what we spend and how we spend it
- what our priorities are and how we are doing
- how we make decisions
- our policies and procedures
- lists and registers
- the services we offer
You can request our publication scheme leaflet at the surgery.
Who can request information?
Under the Act, any individual, anywhere in the world, is able to make a request to a practice for information. An applicant is entitled to be informed in writing, by the practice, whether the practice holds information of the description specified in the request and, if that is the case, to have the information communicated to him/her. An individual can request information, regardless of whether he/she is the subject of the information or affected by its use.
How should requests be made?
Requests must:
- be made in writing (this can be done electronically, e.g. by email)
- state the name of the applicant and an address for correspondence
- describe the information requested.
What cannot be requested?
Personal data about staff and patients covered under the Data Protection Act.
For more information see these websites:
GP Earnings
Infection Control Statement
We aim to keep our surgery clean and tidy and offer a safe environment to our patients and staff. We are proud of our modern, purpose-built practice and endeavour to keep it clean and well maintained at all times.
If you have any concerns about cleanliness or infection control, please report these to our reception staff.
Our GPs and nursing staff follow our Infection Control Policy to ensure the care we deliver and the equipment we use is safe.
We take additional measures to ensure we maintain the highest standards. These are:
- Encouraging staff and patients to raise any issues or report any incidents relating to cleanliness and infection control. We can discuss these and identify improvements we can make to avoid any future problems
- Carrying out an annual infection control audit to make sure our infection control procedures are working
- Providing annual staff updates and training on cleanliness and infection control
- Reviewing our policies and procedures to make sure they are adequate and meet national guidance
- Maintaining the premises and equipment to a high standard within the available financial resources and ensuring that all reasonable steps are taken to reduce or remove all infection risk
- Using washable or disposable materials for items such as couch rolls, modesty curtains, floor coverings, towels etc., and ensuring that these are laundered, cleaned or changed frequently to minimise the risk of infection
- Making alcohol hand rub gel available throughout the building
Named GP
All patients have been assigned a named GP who is responsible for coordinating their care. If you would like to know who your registered GP is, please ask at reception.
Regardless of who you are registered with, you can still see any GP.
Practice Privacy Notice
Policy created | Policy reviewed | Policy reviewed by | Date of next review |
---|---|---|---|
01.05.18 | 03.05.19 | Debbie Johnson | 03.05.20 |
 | 08.06.20 | Debbie Johnson | 08.06.21 |
 | 04.06.21 | Debbie Johnson | 04.06.22 |
 | 04.05.22 | Debbie Johnson | 04.05.23 |
 | 21.08.23 | Debbie Johnson | 21.08.24 |
Introduction
This privacy notice explains in detail why we use your personal data, which we, the GP practice (Data Controller), collect and process about you. A Data Controller determines how the data will be processed and used with the GP practice and with others who we share this data with. We are legally responsible for ensuring that all personal data that we hold and use is done so in a way that meets the data protection principles under the General Data Protection Regulation (GDPR) and Data Protection Act 2018. This notice also explains how we handle that data and keep it safe.
The GP Practice also has a Caldicott Guardian. A Caldicott Guardian is a senior person within a health or social care organisation, preferably a health professional, who makes sure that the personal information about those who use its services is used legally, ethically and appropriately, and that confidentiality is maintained. The Caldicott Guardian for The Gill Medical Centre is:
Dr Eleanor Mole – General Practitioner
We will continually review and update this privacy notice to reflect changes in our services and to comply with changes in the Law. When such changes occur, we will revise the last updated date as documented in the version status in the title of this document.
What we do?
We are here to provide care and treatment to you as our patients. In order to do this, the GP practice keeps personal demographic data about you such as your name, address, date of birth, telephone numbers, email address, NHS Number etc. and your health and care information.
Information is needed so we can provide you with the best possible health and care. We also use your data to:
- Confirm your identity to provide these services and those of your family / carers
- Understand your needs to provide the services that you request
- Obtain your opinion on our services (with consent)
- Prevent and detect fraud and corruption in the use of public funds
- Make sure we meet our statutory obligations, including those related to diversity and equalities
- Adhere to a legal requirement that will allow us to use or provide information (e.g. a formal Court Order or legislation)
Definition of Data Types
We use the following types of information / data:
Personal Data
This contains details that identify individuals even from one data item or a combination of data items. Demographic data items that are considered identifiable include name, address, NHS Number, full postcode and date of birth. Under GDPR, this now includes location data and online identifiers.
Special categories of data (previously known as sensitive data)
This is personal data consisting of information as to: race, ethnic origin, political opinions, health, religious beliefs, trade union membership, sexual life and previous criminal convictions. Under GDPR, this now includes biometric data and genetic data.
Personal Confidential Data (PCD)
This term came from the Caldicott review undertaken in 2013 and describes personal information about identified or identifiable individuals, which should be kept private or secret. It includes personal data and special categories of data but it is adapted to include dead as well as living people and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’.
Pseudonymised Data or Coded Data
Individual-level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity. When data has been pseudonymised it still retains a level of detail in the replaced data by use of a key / code or pseudonym that should allow tracking back of the data to its original state.
Anonymised Data
This is data about individuals but with all identifying details removed. Data can be considered anonymised when it does not allow identification of the individuals to whom it relates, and it is not possible that any individual could be identified from the data by any further processing of that data or by processing it together with other information which is available or likely to be available.
Aggregated Data
This is statistical information about multiple individuals that has been combined to show general trends or values without identifying individuals within the data.
Our data processing activities
The law on data protection under the GDPR sets out a number of different reasons for which personal data can be processed. The law states that we have to inform you what the legal basis is for processing personal data and also, if we process special category data such as health data, what the condition is for processing.
The types of processing we carry out in the GP practice and the legal basis and conditions we use to do this are outlined below:
Provision of Direct Care and administrative purposes within the GP practice
Type of Data | Personal Data – demographics; Special category of data – Health data |
---|---|
Source of Data | Patient and other health and care providers |
Legal basis for processing personal data and Condition for processing special category of data | Article 6 (1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority; Article 9(2)(h) – Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems |
Common Law Duty of Confidentiality basis | Implied Consent |
Direct care means a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. This is carried out by one or more registered and regulated health or social care professionals and their team with whom the individual has a legitimate relationship. In addition, this also covers administrative purposes which are in the patient’s reasonable expectations.
To explain this, a patient has a legitimate relationship with a GP in order for them to be treated and the GP practice staff process the data in order to keep up to date records and to send referral letters etc.
Other local administrative purposes include waiting list management, performance against national targets, activity monitoring, local clinical audit and production of datasets to submit for national collections.
This processing covers the majority of our tasks to deliver health and care services to you. When we use the above legal basis and condition to process your data for direct care, consent under GDPR is not needed. However, we must still satisfy the common law duty of confidentiality and we rely on implied consent. For example, where a patient agrees to a referral from one healthcare professional to another, the patient’s agreement implies their consent.
Medicines Management and Optimisation
Type of Data | Personal Data – demographics; Special category of data – Health data |
---|---|
Source of Data | GP Practice |
Legal Basis and Condition for processing special category of data under GDPR | Article 6 (1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority; Article 9 (2)(h) – Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems |
Common Law Duty of Confidentiality basis | Implied Consent |
Salford ICB pharmacists work with GP practices to provide advice on medicines and prescribing queries, process repeat prescription requests and review prescribing of medicines to ensure that it is safe and cost-effective. This may require the use of identifiable information.
In cases where identifiable data is required, this is done with practice agreement and, in the case of repeat prescription processing, with patient consent. No data is removed from the practice’s clinical system and no changes are made to patients’ records without permission from the GP. Patient records are viewed in the GP practice.
Where specialist support is required (e.g. to order a drug that comes in solid form, in gas or liquid form) Salford ICB medicines optimisation pharmacists will order this on behalf of a GP to support your care. Identifiable data is used for this purpose.
Identifiable data is also used by our pharmacists in order to review and authorise (if appropriate) requests for high cost drugs which are not routinely funded. In cases where identifiable data is used, this is done with the consent of the patients.
Purposes other than direct care (secondary use)
This is information which is used for non-healthcare purposes. Generally this could be for research purposes, audits, service management, safeguarding, commissioning, complaints and patient and public involvement.
When your personal information is used for secondary use this should, where appropriate, be limited and de-identified so that the secondary uses process is confidential.
Safeguarding
Type of Data | Personal Data – demographics; Special category of data – Health data |
---|---|
Source of Data | Patient and other health and care providers |
Legal Basis and Condition for processing special category of data under GDPR | Article 6 (1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority; Article 9 (2)(b) – Processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or the data subject in the field of social protection law |
Common Law Duty of Confidentiality basis | Overriding Public Interest / children and adult safeguarding legislation |
Information is provided to care providers to ensure that adult and children’s safeguarding matters are managed appropriately. Personal data and health information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned. For the purposes of safeguarding children and vulnerable adults, personal and healthcare data is disclosed under the provisions of the Children Acts 1989 and 2006 and Care Act 2014.
Risk Stratification
Type of Data | Personal Data – demographics; Special category of data – Health data |
---|---|
Source of Data | GP Practice and other care providers |
Legal Basis and Condition for processing special category of data under GDPR | Article 6 (1)(c) – Processing is necessary for compliance with a legal obligation; Article 9(2)(h) – Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems; Section 251 NHS Act 2006 |
Risk stratification entails applying computer-based algorithms or calculations to identify those patients who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition.
To identify those patients individually from the patient community would be a lengthy and time-consuming process which would by its nature potentially not identify individuals quickly and increase the time to improve care. A GP / health professional reviews this information before a decision is made.
The use of personal and health data for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority (known as Section 251 approval). This approval allows your GP or staff within your GP Practice who are responsible for providing your care, to see information that identifies you, but CCG staff will only be able to see information in a format that does not reveal your identity.
NHS England encourages GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help prevent avoidable admissions.
Knowledge of the risk profile of our population helps to commission appropriate preventative services and to promote quality improvement.
Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected in GP practice systems.
If you do not wish information about you to be included in our risk stratification programme, please contact the GP Practice. We can add a code to your records that will stop your information from being used for this purpose. Please see the section below regarding objections for using data for secondary uses.
National Clinical Audits
Type of Data | Personal Data – demographics; Special category of data – Health data; Pseudonymised; Anonymised |
---|---|
Source of Data | GP Practice and other care providers |
Legal Basis and Condition for processing special category of data under GDPR | Article 6 (1)(c) – Processing is necessary for compliance with a legal obligation; Article 9(2)(h) – Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems; Section 251 NHS Act 2006, NHS Constitution (Health and Social Care Act 2012) |
The GP practice contributes to national clinical audits and will send the data which are required by NHS Digital when the law allows. This may include demographic data such as date of birth and information about your health which is recorded in coded form, for example, the clinical code for diabetes or high blood pressure.
Purposes requiring consent
There are also other areas of processing undertaken where consent is required from you. Under GDPR, consent must be freely given, specific and informed, and a record must be made that you have given your consent, to confirm you have understood.
Patient and Public Involvement
Type of Data | Personal Data – demographics |
---|---|
Source of Data | GP Practice |
Legal Basis and Condition for processing special category of data under GDPR | Article 6 (1)(a) – Explicit Consent; Article 9 (2)(a) – Explicit Consent |
If you have asked us to keep you regularly informed and up to date about the work of the GP Practice or if you are actively involved in our patient participation group, we will collect and process personal confidential data which you share with us.
We obtain your consent for this purpose. Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this document.
Medical Research
Type of Data | Personal Data – demographics; Special category of data – health data |
---|---|
Source of Data | GP Practice |
Legal Basis and Condition for processing special category of data under GDPR | Article 6 (1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority; Article 9 (2)(j) – Processing is necessary for scientific or historical research purposes; Common law duty of confidentiality – explicit consent or if there is a legal statute for this which you will be informed of |
If you wish to take part in a research study, we obtain your consent for this purpose. Where you submit your details to us for research purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this document.
All NHS organisations (including Health & Social Care in Northern Ireland) are expected to participate and support health and care research. The Health Research Authority and government departments in Northern Ireland, Scotland and Wales set standards for NHS organisations to make sure they protect your privacy and comply with the law when they are involved in research. Our research ethics committees review research studies to make sure that the research uses of data about you are in the public interest, and meet ethical standards.
Health and care research may be exploring prevention, diagnosis or treatment of disease, which includes health and social factors in any disease area. Research may be sponsored by companies developing new medicines or medical devices, NHS organisations, universities or medical research charities. The research sponsor decides what information will be collected for the study and how it will be used.
Health and care research should serve the public interest, which means that research sponsors have to demonstrate that their research serves the interests of society as a whole. They do this by following the UK Policy Framework for Health and Social Care Research. They also have to have a legal basis for any use of personally identifiable information.
How patient information may be used for research
When you agree to take part in a research study, the sponsor will collect the minimum personally-identifiable information needed for the purposes of the research project. Information about you will be used in the ways needed to conduct and analyse the research study. NHS organisations may keep a copy of the information collected about you. Depending on the needs of the study, the information that is passed to the research sponsor may include personal data that could identify you. You can find out more about the use of patient information for the study you are taking part in from the research team or the study sponsor. You can find out who the study sponsor is from the information you were given when you agreed to take part in the study.
For some research studies, you may be asked to provide information about your health to the research team, for example in a questionnaire. Sometimes information about you will be collected for research at the same time as for your clinical care, for example when a blood test is taken. In other cases, information may be copied from your health records. Information from your health records may be linked to information from other places such as central NHS records, or information about you collected by other organisations. You will be told about this when you agree to take part in the study.
Even though consent is not the legal basis for processing personal data for research, the common law duty of confidentiality is not changing, so consent is still needed for people outside the care team to access and use confidential patient information for research, unless you have support under the Health Service (Control of Patient Information) Regulations 2002 (‘section 251 support’) applying via the Confidentiality Advisory Group in England and Wales or similar arrangements elsewhere in the UK.
Your choices about health and care research
If you are asked about taking part in research, usually someone in the care team looking after you will contact you. People in your care team may look at your health records to check whether you are suitable to take part in a research study, before asking you whether you are interested or sending you a letter on behalf of the researcher.
In some hospitals and GP practices, you may have the opportunity to sign up to a register to hear about suitable research studies that you could take part in. If you agree to this, then research nurses, researchers or administrative staff authorised by the organisation may look at your health records to see if you are suitable for any research studies.
It’s important for you to be aware that if you are taking part in research, or information about you is used for research, your rights to access, change or move information about you are limited. This is because researchers need to manage your information in specific ways in order for the research to be reliable and accurate. If you withdraw from a study, the sponsor will keep the information about you that it has already obtained. They may also keep information from research indefinitely.
If you would like to find out more about why and how patient data is used in research, please visit the Understanding Patient Data website: www.understandingpatientdata.org.uk/what-you-need-know
In England you can register your choice to opt out via the “Your Data Matters” webpage on the following link: www.nhs.uk/your-nhs-data-matters
If you do choose to opt out you can still agree to take part in any research study you want to, without affecting your ability to opt out of other research. You can also change your choice about opting out at any time.
To find out more about GDPR and using personal data for research, please visit the Health Research Authority website on the following link: www.hra.nhs.uk/hra-guidance-general-data-protection-regulation
Complaints
Type of Data | Personal Data – demographics; Special category of data – health data |
---|---|
Source of Data | Data Subject, Primary Care, Secondary Care and Community Care |
Legal Basis and Condition for processing special category of data under GDPR | Article 6 (1)(a) – Explicit Consent; Article 9 (2)(h) – Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems; Common law duty of confidentiality – explicit consent |
If you contact the GP Practice about a complaint, we require your explicit consent to process this complaint for you. You will be informed of how and with whom your data will be shared by us, including if you have, or you are, a representative you wish the GP practice to deal with on your behalf.
Text Messaging/e-mails
Type of Data | Personal Data – demographics; Special category of data – health data |
---|---|
Source of Data | GP Practice |
Legal Basis and Condition for processing special category of data under GDPR | Article 6 (1)(a) – Explicit Consent; Article 9 (2)(h) – Processing is necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment or the management of health and social care systems; Common law duty of confidentiality – explicit consent |
With your consent the surgery can send you text messages/e-mails. We need your signed explicit consent beforehand to send any text messages or e-mails that are not directly related to your healthcare. This does not apply to appointment reminders or messages directly relating to your healthcare. After 25th May 2018 all newly registered patients will be asked whether they consent to receiving text messages or e-mails at the point of registration.
You can opt out of receiving text messages and e-mails by informing the reception staff and they will amend this accordingly.
If you change your mobile telephone number, please tell us as soon as possible so we can continue the reminder service to your mobile phone.
Using anonymous or coded information
This type of data may be used to help assess the needs of the general population and make informed decisions about the provision of future services. Information can also be used to conduct health research and development and monitor NHS performance where the law allows this. Where information is used for statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. Anonymous statistical information may also be passed to organisations with a legitimate interest, including universities, community safety units and research institutions.
National Data Opt Out
Whenever you use a health or care service, such as attending the practice, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit: www.nhs.uk/your-nhs-data-matters
On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at: www.hra.nhs.uk/information-about-patients (which covers health and care research); and, www.understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made).
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Health and care organisations have until 2020 to put systems and processes in place so they can apply your national data opt-out choice. Our organisation is able to apply your national data opt-out choice to any confidential patient information we may use or share with other organisations for purposes beyond your individual care.
Purposes for which we may process your data
The health and social care system is taking action to manage and mitigate the spread and impact of the current outbreak of coronavirus (COVID-19).
Action to be taken requires the collection, analysis and sharing of information, including confidential patient information where necessary and lawful, amongst health organisations and other appropriate bodies. This is due to the urgent need to protect public health and respond to the COVID-19 outbreak. This notice describes how we may use your information to protect you and others during the COVID-19 outbreak.
To support the healthcare response to COVID-19, NHS Digital has been directed by the Secretary of State for Health and Social Care (the Secretary of State) and NHS England under the COVID-19 Directions to: establish information systems to collect and analyse data in connection with COVID-19; and develop and operate IT systems to deliver services in connection with COVID-19.
How we protect your personal data
We will use the information in a manner that conforms to the General Data Protection Regulations (GDPR) and Data Protection Act 2018. The information you provide will be subject to rigorous measures and procedures to make sure it can’t be seen, accessed or disclosed to any inappropriate persons. We have an Information Governance Policy that explains the approach within the GP practice, our commitments and responsibilities to your privacy.
Access to your personal confidential data is password protected on secure systems and securely locked in filing rooms when in paper form.
Our IT services provider, Greater Manchester Shared Service, regularly monitors our system for potential vulnerabilities and attacks and always looks to ensure security is strengthened.
All our staff are receiving up to date data security and protection training. They are obliged in their employment contracts to uphold confidentiality, and may face disciplinary procedures if they do not do so. We have incident reporting and management processes in place for reporting any data breaches or incidents. We learn from such events to help prevent further issues and inform patients of breaches when required.
How long do we keep your personal data?
Whenever we collect or process your data, we will only keep it for as long as is necessary for the purpose it was collected. For a GP practice, we comply with the Records Management NHS Code of Practice. Following death and/or de-registration, the complete set of the patient’s paper records (if any) is returned to central registrations via a secure Capita internal courier. Where possible the electronic records are transferred via GP2GP which allows patients’ electronic health records to be transferred directly, securely, and quickly between their old and new practices, when they change GPs. This improves patient care by making full and detailed medical records available to practices, for a new patient’s first and later consultations. The de-registered patient’s record is then deactivated and access is highly restricted. A complete audit trail is available. Emis Web does not have the capacity to destroy the electronic record.
Destruction
This will only happen following a review of the information at the end of its retention period. Where data has been identified for disposal we have the following responsibilities:
- to ensure that information held in manual form is destroyed using a cross cut shredder that complies with European DIN Standard 66399.
- to ensure that electronic storage media used to hold or process information are destroyed or overwritten to national standards.
Who we share your data with?
As stated above, where your data is being processed for direct care this will be shared with other care providers who are providing direct care to you such as:
- NHS Trusts / Foundation Trusts
- GPs
- Independent Contractors such as dentists, opticians, pharmacists
- Private Sector Providers
- Voluntary Sector Providers
- Ambulance Trusts
- Social Care Services
- Out of hours providers
- Walk in centres
- Clinics
We work with third parties and suppliers (data processors) so that we are able to provide a service to you. These include:
- EMIS Web – to provide our electronic clinical system
- NHS Greater Manchester Shared service – to provide our IT services
- NHS Digital
- DocMan – document management system
- Informatica
- Health Intelligence – Diabetic Retinopathy Recall
- iPlato – SMS text messaging service
- GP Connect
There may be occasions whereby these organisations have potential access to your personal data, for example, if they are fixing an IT fault on the system. To protect your data, we have contracts and / or Information Sharing Agreements in place stipulating the data protection compliance they must have and reinforcing their responsibilities as a data processor to ensure your data is securely protected at all times.
We will not disclose your information to any 3rd party without your consent unless:
- there are exceptional circumstances (life or death situations)
- where the law requires information to be passed on as stated above
- required for fraud management – we may share information about fraudulent activity in our premises or systems. This may include sharing data about individuals with law enforcement bodies.
- It is required to be disclosed to the police or other enforcement, regulatory or government body for prevention and / or detection of crime
Where is your data processed?
Your data is processed within the GP surgery and by other third parties as stated above who are UK based. Your personal data is not sent outside of the UK for processing.
Where information sharing is required with a country outside of the EU you will be informed of this and we will have a relevant Information Sharing Agreement in place. We will not disclose any health information without an appropriate lawful principle, unless there are exceptional circumstances such as when the health or safety of others is at risk, where the law requires it, or to carry out a statutory function, i.e. reporting to external bodies to meet legal obligations.
What are your rights over your personal data?
You have the following rights over your data we hold:
- Subject Access Rights – you can request access to and/or copies of personal data we hold about you free of charge (subject to exemptions) and provided to you within 1 calendar month. We request that you provide us with adequate information in writing to process your request such as full name, address, date of birth, NHS number and details of your request and documents to verify your identity so we can process the request efficiently. On processing a request, there may be occasions when information may be withheld if the organisation believes that releasing the information to you could cause serious harm to your physical or mental health.
Information may also be withheld if another person (i.e. third party) is identified in the record, and they do not want their information disclosed to you. However, if the other person was acting in their professional capacity in caring for you, in normal circumstances they could not prevent you from having access to that information.
To request a copy or request access to information we hold about you and / or to request information to be corrected if it is inaccurate, please contact:
Email: [email protected]
Postal Address: 5 Harriet Street, Walkden, Manchester M28 3DR
- Right to rectification – The correction of personal data when incorrect, out of date or incomplete must be acted upon within 1 calendar month of receipt of such request. Please ensure the GP practice has the correct contact details for you.
- Right to withdraw consent – If we have your explicit consent for any processing we do, you have the right to withdraw that consent at any time
- Right to Erasure (‘be forgotten’) – If we obtain consent for any processing we do, you have the right to have that data deleted / erased. Please note this does not apply to health records.
- Right to Data Portability – If we obtain consent for any processing we do, you have the right to have data provided to you in a commonly used and machine readable format such as an Excel spreadsheet or CSV file.
- Right to object to processing – you have the right to object to processing; however, please note that if we can demonstrate compelling or legitimate grounds which outweigh your interests then processing can continue. If we didn’t process any information about you and your health care it would be very difficult for us to care for and treat you.
- Right to restriction of processing – This right enables individuals to suspend the processing of personal information, for example, if you want to establish its accuracy or the reason for processing it.
Objections to processing for secondary purposes (other than direct care)
The NHS Constitution states “You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered”. The possible consequences (i.e. lack of joined up care, delay in treatment if information has to be sourced from elsewhere, medication complications which all lead to the possibility of difficulties in providing the best level of care and treatment) will be fully explained to you to allow you to make an informed decision.
If you wish to opt out of your data being processed and / or shared onwards with other organisations for purposes not related to your direct care, please contact the surgery at: [email protected]
National Data Opt-out Programme
The national data opt-out is introduced on 25 May 2018, providing a facility for individuals to opt-out from the use of their data for research or planning purposes. This is provided in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs. The service will initially be in beta, while the service design is reviewed.
Individual preferences will be collected from 25 May and by 2020 all health and care organisations are required to have applied these preferences in all research and planning situations in which confidential patient information is used. NHS Digital will apply these preferences with immediate effect.
The national data opt-out will replace the previous ‘type 2’ opt-out, which required NHS Digital to refrain from sharing a patient’s confidential patient information for purposes beyond their direct care. Any person with an existing type 2 opt-out will have it automatically converted to a national data opt-out from 25 May 2018 and will receive a letter giving them more information and a leaflet explaining the new national data opt-out.
The national data opt-out choice can be viewed or changed at any time by using the online service at www.nhs.uk/your-nhs-data-matters.
Use of CCTV
Please note that we have installed a CCTV system both inside and outside the premises for the safety of our patients/staff and in particular to record and evidence any serious incidents involving patients. We operate this system in accordance with the law and the codes of practice issued by the Information Commissioner’s Office as well as other regulatory bodies. Our CCTV is monitored when appropriate and only authorised staff will have access to it.
We will not keep images captured on CCTV for longer than is necessary.
- CCTV recordings are kept for 30 days maximum
- They are kept on the equipment hard drive
- New recordings overwrite old recordings after 30 days
If you believe your image has been captured on our CCTV you have a right to request to see it. Please contact our Data Protection Officer, who will be able to assist with your enquiry.
Call Recording
We will always inform you if we record or monitor any telephone call you make to us.
- Telephone recordings are kept for 3 years
- Recordings are kept on Surgery Connect secure servers
- The practice manager and the reception manager listen to recordings when necessary.
- The reception manager may use the recording for training purposes
- After 3 years call recordings are automatically deleted
Complaints / Contacting the Regulator
If you feel that your data has not been handled correctly or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, please contact our Data Protection Officer / Practice Manager at the following contact details:
Email us at: [email protected]
Or write to us at: 5 Harriet Street, Walkden, Manchester M28 3DR
If you are not happy with our responses and wish to take your complaint to an independent body, you have the right to lodge a complaint with the Information Commissioner’s Office.
You can contact them by calling 0303 123 1133
Or you can go online to www.ico.org.uk/concerns (please note we can’t be responsible for the content of external websites).
Further Information / Contact Us
We hope that the Privacy Notice has been helpful in setting out the way we handle your personal data and your rights to control it. Should you have any questions or would like further information, please visit the websites below and / or contact either our Caldicott Guardian / Data Protection Officer / Practice Manager at the following contact details:
Email us at: [email protected]
Or write to us at: 5 Harriet Street, Walkden, Manchester M28 3DR
Summary Care Record
Information about all NHS users and the care they receive is shared, in a secure system, by healthcare staff to support your treatment and care. Having access to this information means that healthcare staff can make an informed decision about your treatment when you need unplanned care or when the surgery is closed. The aim is to improve patient safety, efficiency and effectiveness of care, and to improve the patient experience.
For more information please visit www.digital.nhs.uk/services/summary-care-records-scr.
Please inform a member of staff if you would like more information.
Your Rights and Responsibilities
Help us to help you
We aim to provide the best possible service to our patients and hope you will feel that we achieve that aim.
The care of your health is a partnership between yourself and the primary health care team. The success of that partnership depends on an understanding of each other’s needs and co-operation between us.
Doctor’s Responsibilities
- You will be greeted courteously
- You have a right to confidentiality
- You have the right to see your medical records subject to the limitations of the law
- You will be seen the same day, if your problem is urgent
- You will be seen by your doctor whenever possible
- You will be informed if there will be a delay of more than 20 minutes for your appointment
- You will be referred to a consultant when your GP thinks it necessary
- You will be given the result of any test or investigation on request or at your next appointment
- Your repeat prescription will be ready for collection 3 days after your request. More information can be found on the Prescriptions page
- Your suggestions and comments about the services offered will be considered sympathetically and any complaint dealt with quickly. More information can be found on the Suggestions, Comments and Complaints page
Patient’s Responsibilities
- Please treat all surgery staff with the same respect – we are all just doing our job
- Do not ask for information about anyone other than yourself
- Tell us of any change of name or address, so that our records are accurate. You can let us know of any changes to your details by completing the Change Personal Details form
- Only request an urgent appointment if appropriate. Home visits should only be requested if you are housebound. More information can be found on the Appointments page
- Please cancel your appointment if you are unable to attend. More information can be found on the Appointments page
- Please be punctual but be prepared to wait if your own consultation is delayed by an unexpected emergency
- Please allow sufficient time for your consultant’s letter or the results of any tests to reach us. If you would like to request your test results, you can do so online
- You will be advised of the usual length of time to wait
- Use the tear-off slip to request your repeat prescription whenever possible. Please attend for review when asked, before your next prescription is due
- Do let us know whenever you feel we have not met our responsibility to you
- We would, of course, be pleased to hear when you feel praise is due. You can provide feedback online by completing the Feedback form
Zero Tolerance
The practice fully supports the NHS Zero Tolerance Policy. The aim of this policy is to tackle the increasing problem of violence against staff working in the NHS and to ensure that doctors and their staff have a right to care for others without fear of being attacked or abused.
We understand that ill patients do not always act in a reasonable manner and will take this into consideration when trying to deal with a misunderstanding or complaint. We ask you to treat your doctors and their staff courteously and act reasonably.
All incidents will be followed up and you will be sent a formal warning letter. After a second incident you may be removed from the practice list if your behaviour has been unreasonable.
However, aggressive behaviour, be it violent or verbal abuse, will not be tolerated and may result in you being removed from the Practice list and, in extreme cases, the Police will be contacted if an incident is taking place and the patient is posing a threat to staff or other patients.