GDPR and Privacy

Patient Privacy Notice

Patient Privacy Notice: how we use your personal information.

 We are required to provide you with this privacy notice by law. It provides information about how we use the personal and healthcare information we collect, store and hold about you. 

What is a privacy notice?

 A privacy notice explains the information we collect about our patients and how it is used. Being open and providing clear, accessible information to patients about how we use their personal data is an essential requirement of the UK General Data Protection Regulation (UK GDPR).

 We must process personal data in a fair and lawful manner. This applies to everything that is done with patients' personal information. This means that the organisation must:

  • Have lawful and appropriate reasons for the use or collection of personal data
  • Not use the data in a way that may cause harm to individuals (e.g., improper sharing of their information with third parties)
  • Be open about how the data will be used and provide appropriate privacy notices when collecting personal data
  • Handle personal data in line with the appropriate legislation and guidance
  • Not use the collected data inappropriately or unlawfully

 What is fair processing?

 Personal data must be processed in a fair manner. Under data protection law, information is treated as obtained fairly if it is provided by a person who is legally authorised or required to provide it. Fair processing means that the organisation has to be clear and open with people about how their information is used.

 

Moordown Medical Centre is committed to protecting your privacy and will only use information collected lawfully in accordance with:

 

  • UK General Data Protection Regulation (UK GDPR), the retained UK version of Regulation (EU) 2016/679
  • Data Protection Act 2018
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality and Information Security
  • Information: To Share or Not to Share Review

 

This means ensuring that your personal confidential data (PCD) is handled clearly and transparently and in a reasonably expected way.

 

The healthcare professionals who provide you with care maintain records about your health and any NHS treatment or care you have received (e.g., NHS Hospital Trust, GP surgery, walk-in clinic, etc.). These records help to provide you with the best possible healthcare. These records may be processed electronically, on paper or a mixture of both and we use a combination of working practices and technology to ensure that your information is kept confidential and secure.

 

Who is the data controller?

 

Moordown Medical Centre is registered as a data controller under the Data Protection Act 2018. Our registration number is Z586041X and our registration can be viewed online in the public register at http://www.ico.gov.uk.

 

Where we process information on behalf of another organisation for a particular purpose, we may also act as a data processor.

 

What type of information do we collect about you?

 

Information held by this organisation may include the following:

 

  • Your contact details (such as your name, address and email address)
  • Details and contact numbers of your next of kin
  • Your age range, gender, ethnicity
  • Details in relation to your medical history
  • The reason for your visit to the organisation
  • Any contact the organisation and/or your practice has had with you including appointments (emergency or scheduled), clinic visits, etc.
  • Notes and reports about your health, details of diagnosis and consultations with our GPs and other health professionals involved in your care
  • Details about the treatment and care received
  • Results of investigations such as laboratory tests, x-rays, etc.
  • Relevant information from other health professionals, relatives or those who care for you
  • Recordings of telephone conversations between yourself and the organisation (Please note not all calls are recorded at MMC)

 

 

CCTV

Closed-circuit television (CCTV) operates outside of the Practice for the following purposes:

  • To monitor the premises and car park for security purposes
  • To discourage anti-social behaviour and gatherings outside of the premises
  • To enable us to investigate allegations appropriately and respond to complaints

 

Recordings are only accessed where necessary by the Practice Management team and are stored securely for 1 month before being deleted.

 

Information collected about you from others

 

We collect and hold data for the purpose of providing healthcare services to our patients and we will ensure that the information is kept confidential. However, we can disclose personal information if:

 

  • It is required by law

 

  • You provide your consent – either implicitly for the sake of your own care or explicitly for other purposes

 

  • It is justified to be in the public interest

 

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us to manage the NHS. Information may be used for clinical audit purposes to monitor the quality of services provided, may be held centrally to identify whether you are at risk of a future unplanned hospital admission and/or require support to effectively manage a long term condition. Where we do this, we ensure that patient records cannot be identified.

 

Sometimes your information may be requested to be used for clinical research purposes – the organisation will always endeavour to gain your consent before releasing the information.

 

Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care. You can choose to withdraw your consent to your data being used in this way. The Practice will endeavour to inform patients about any new data-sharing scheme, by displaying notices and on our website. We will also inform you what you have to do to ‘opt-out’ of each new scheme.

 

A patient can object to their personal information being shared with other healthcare providers but if this limits the treatment that you can receive then the doctor will explain this to you at the time.

 

What is special category data?

 

The law treats personal information about your health as a special category of information because it is particularly sensitive. The reasons that may entitle us to use and process such information include the following:

Public interest

Where we need to handle your personal information because it is considered to be in the public interest. For example, when there is an outbreak of a specific disease and we need to contact you for treatment, or we need to pass your information to relevant organisations to ensure you receive advice and/or treatment.

Consent

When you have given us consent.

Vital interest

If you are incapable of giving consent and we have to use your information to protect your vital interests (e.g., if you have had an accident and you need emergency treatment).

Defending a claim

If we need your information to defend a legal claim against us by you or by another party.

Providing you with medical care

Where we need your information to provide you with medical and healthcare services.

 

The legal justification for collecting and using your information

 

The law says we need a legal basis to handle your personal and healthcare information.

 

Contract

 

We have a contract to deliver healthcare services to you. This contract provides that we are under a legal obligation to ensure that we deliver medical and healthcare services to the public.

 

Consent

 

Sometimes we also rely on the fact that you give us consent to use your personal and healthcare information so that we can take care of your healthcare needs.

Please note that where we rely on your consent, you have the right to withdraw it at any time, although this may affect the services we are able to provide to you.

Necessary care

Providing you with appropriate healthcare where necessary. The law refers to this as 'protecting your vital interests', and it applies where you are not in a position to give consent.

Law

Sometimes the law obliges us to provide your information to an organisation.

 

How do we use your information?

 

Your data is collected for the purpose of providing direct patient care; however, we are able to disclose this information if it is required by law, if you give consent or if it is justified in the public interest.

 

Under the UK GDPR, we will be lawfully using your information in accordance with:

  • Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Article 9(2)(h): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

 

Who can we provide your personal information to and why?

 

Whenever you use a health or care service, such as attending the local hospital or using the district nursing service, clinical information about you is collected to help ensure you get the best possible care and treatment. This information may be passed to other approved organisations where there is a legal basis to do so, to help with planning services, improving care, researching to develop new treatments and preventing illness. All of this helps in providing better care to you and your family and future generations.

 

However, as explained in this privacy notice, confidential information about your health and care is only used in this way as allowed by law and would never be used for any other purpose without your clear and explicit consent.

 

In order to deliver and coordinate your health and social care, we may share your information with the following organisations who are involved in your direct healthcare needs:

  • Hospital professionals (such as doctors, consultants, nurses etc.)
  • Other GPs/doctors
  • Primary Care Networks
  • NHS Trusts/Foundation Trusts/Specialist Trusts
  • NHS Commissioning Support Units
  • NHS England (NHSE) and NHS Digital (NHSD)
  • Multi-agency Safeguarding Hub (MASH)
  • Independent contractors such as dentists, opticians, pharmacists
  • Any other person who is involved in providing services related to your general healthcare including mental health professionals
  • Private sector providers including pharmaceutical companies to allow for the provision of medical equipment, dressings, hosiery etc.
  • Voluntary sector providers
  • Ambulance Trusts
  • Integrated Care Systems
  • Clinical Commissioning Groups
  • Local authority
  • Social care services
  • Education services

 

 

Who may we provide your information to:

 

  • For the purposes of complying with the law, e.g., the police

 

  • Anyone you have given your consent to, to view or receive your record, or part of your record. If you give another person or organisation consent to access your record, we will need to contact you to verify your consent before we release that record. It is important that you are clear and understand how much and what aspects of your record you give consent to be disclosed

 

  • Computer systems – we operate a clinical computer system on which NHS staff record information securely. This information can then be shared with other clinicians so that everyone caring for you is fully informed about your medical history, including allergies and medication. To ensure you receive appropriate and safe care, we will make information available to the partner organisations listed above unless you have declined data sharing. Wherever possible, staff will ask your consent before your information is viewed.

 

  • Data extraction by the Clinical Commissioning Group – the Clinical Commissioning Group at times extracts medical information about you, but the information we pass to them via our computer systems is pseudonymised (direct identifiers are replaced with codes), so it cannot identify you to them.

 

Your rights of Access to your records

The law gives you certain rights to your personal and healthcare information that we hold about you as set out below:

Access and Subject Access Requests

 

You have a right under data protection legislation to request access to view, or to obtain copies of, the information the organisation holds about you, and to have it amended should it be inaccurate. To request this, you need to do the following:

  • Your request should be made to The Practice Manager, Moordown Medical Centre, giving your full name, address, date of birth and NHS number. (For information from a hospital or other Trust/NHS organisation you should write directly to them.)
  • There is no charge to have a copy of the information held about you. However, in limited circumstances we may charge a reasonable administrative fee, for example where a request is manifestly unfounded or excessive, or for further copies of information already supplied.
  • We are required to provide you with the information within one month (this can be extended by up to a further two months where a request is complex, in which case we will tell you). We would ask therefore that any request you make is in writing and makes clear what and how much information you require.
  • If you are signed up to online services, you can make a request electronically for FULL CLINICAL ACCESS. We are required to provide you with the information within one month.

Correction

 

 

You may ask us to correct any information you think is inaccurate. It is especially important that you make sure you tell us if your contact details including your mobile phone number have changed.

 

 

Removal

 

You have the right to ask for your information to be removed. However, where we need that information to provide you with appropriate medical services and diagnosis for your healthcare, or the law requires us to retain it, removal may not be possible.

 

Objection

 

You have the right to object to your information being shared with anyone else for a purpose that is not directly related to your health, e.g., medical research, educational purposes etc.

 

Transfer

 

You have the right to request that your personal and/or healthcare information is transferred, in an electronic form (or other form), to another organisation but we will require your clear consent to be able to do this.

 

 

How long do we keep your personal information?

 

We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records Management Code of Practice for health and social care.

 

Where do we store your information electronically?

 

All the personal data we process is processed by our staff in the UK.

 

Moordown Medical Centre uses the SystmOne clinical system, supplied by TPP, which acts as a data processor on our behalf; patients access their record online through SystmOnline.

 

 

Maintaining your confidentiality and accessing your records

 

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the UK General Data Protection Regulation. Every staff member who works for an NHS organisation has a legal obligation to maintain the confidentiality of patient information. All staff receive appropriate and regular training to ensure they are aware of their personal responsibilities.

 

We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (e.g., life or death situations). Health and social care professionals should therefore have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.

 

 

Sharing your information without consent

 

We will normally ask you for your consent but there are times when we may be required by law to share your information without your consent, for example:

 

  • Where there is a serious risk of harm or abuse to you or other people

 

  • Safeguarding matters and investigations

 

  • Where a serious crime, such as assault, is being investigated or where it could be prevented

 

  • Notification of new births

 

  • Where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS)

 

  • Where a formal court order has been issued

 

  • Where there is a legal requirement.

 

 

Third party processors

 

To enable us to deliver the best possible services, we will share data (where required) with other NHS bodies such as hospitals. When we use a third-party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:

 

  • Companies that provide IT services and support, including our core clinical systems, systems that manage patient facing services (such as our website and service accessible through the same), data hosting service providers, systems that facilitate appointment bookings or electronic prescription services and document management services etc.

 

Third parties mentioned on your medical record

 

Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them that may breach their rights to confidentiality are removed before we send any information to any other party including yourself. Third parties can include spouses, partners and other family members.

 

Anonymised information

 

Sometimes we may provide information about you in an anonymised form. If we do so, none of the information we provide to any other party will identify you as an individual or be traceable back to you.

 

Audit

 

Auditing of clinical notes is done by the Practice Manager on an ad hoc basis, on behalf of the practice as data controller, as part of its commitment to the effective management of healthcare.

 

 

GP Connect service

 

The GP Connect service allows authorised clinical staff at NHS 111 to access our clinical system and book an appointment directly on behalf of a patient. This means that, should you call NHS 111 and the clinician believes you need an appointment, the clinician will access available appointment slots only (through GP Connect) and book you in. This will save you time, as you will not need to contact the organisation directly for an appointment.

We will not be sharing any of your data, and we will only allow NHS 111 to see available appointment slots. They will not have access to your record. However, NHS 111 will share any relevant data with us, and you will be made aware of this. This will help us know what treatment, service or help you may require.

 

Invoice validation

 

Your information may be shared if you have received treatment to determine which Clinical Commissioning Group (CCG) is responsible for paying for your treatment. This information may include your name, address and treatment date. These details are held securely and confidentially and only for the use of validating invoices. It will not be used for any other purpose or shared with any third parties.

 

Patient communication

 

As we are obliged to protect any confidential information we hold about you, it is imperative that you let us know immediately if you change any of your contact details. You have a responsibility to inform us of any changes so our records are accurate and up to date.

 

We may contact you by SMS text message to your mobile phone should we need to notify you about appointments, information and other services that we provide to you involving your direct care. Sending messages only to the number you have registered with us helps ensure we are contacting you and not another person. As this is operated on an 'opt-out' basis, we will assume that you have given us permission to contact you via SMS if you have provided your mobile telephone number. Please let the organisation know if you wish to opt out of this SMS service. We may also contact you using the email address you have provided to us.

 

Primary care networks

 

The objective of primary care networks (PCNs) is to group practices together to create more collaborative workforces. All areas within England are covered by a PCN.

 

This means that Moordown Medical Centre may share your information with other practices within the Primary Care Network to provide you with your care and treatment such as the roll out of Covid Vaccinations.

 

The practices in the Central Bournemouth Primary Care Network with Moordown Medical Centre are:

 

James Fisher Medical Centre

St Alban’s Medical Centre and

Panton Practice

 

Risk stratification

 

Risk stratification is a mechanism used to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions, e.g., cancer.  Computer based algorithms or calculations may be used to identify registered patients who are at most risk and relayed to your GP who can then decide on any necessary actions to ensure that you receive the most appropriate care.

 

Safeguarding

 

Safeguarding information such as referrals to safeguarding teams is retained by Moordown Medical Centre when handling a safeguarding concern or incident. We may share information accordingly to ensure a duty of care and investigation as required with other partners such as local authorities, the police or healthcare professionals (i.e., the mental health team).

 

Telephone system

Our telephone system records telephone calls.  Recordings are retained for 1 month and are used periodically for the purposes of seeking clarification where there is a dispute as to what was said and for staff training. Access to these recordings is restricted to The Practice Manager and Assistant Practice Manager. 

 

Opt-outs

 

National opt-out facility

 

Confidential patient information is used for research and planning by the NHS, local authorities, university and hospital researchers, medical colleges and pharmaceutical companies researching new treatments.

 

You can choose to opt out of sharing your confidential patient information for research and planning. There may still be times when your confidential patient information is used; for example, during an epidemic where there might be a risk to you or to other people’s health. You can also still consent to take part in a specific research project.

 

Your confidential patient information will still be used for your individual care. Choosing to opt out will not affect your care and treatment. You will still be invited for screening services such as screening for bowel cancer.

 

You do not need to do anything if you are happy about how your confidential patient information is used.

 

If you do not want your confidential patient information to be used for research and planning, you can choose to opt out by using one of the following:

 

  • Online service – patients registering need to know their NHS number or their postcode as registered at their GP practice

 

  • Telephone service 0300 303 5678 which is open Monday to Friday between 0900 and 1700

 

  • NHS App – for use by patients aged 13 and over (95% of surgeries are now connected to the NHS App). The app can be downloaded from the App Store or Google play

 

 

Photocopies of proof of applicant’s name (e.g., passport, UK driving licence etc.) and address (e.g., utility bill, payslip etc.) need to be sent with the application.  It can take up to 14 days to process the form once it arrives at NHS, PO Box 884, Leeds, LS1 9TZ.

 

Note: Unfortunately, the national data opt-out cannot be applied by this organisation.

 

General Practice Data for Planning and Research opt out (GPDPR)

 

The General Practice Data for Planning and Research data collection will help the NHS to improve health and care services for everyone by collecting patient data that can be used to do this. For example, patient data can help the NHS to:

 

  • Monitor the long-term safety and effectiveness of care

 

  • Plan how to deliver better health and care services

 

  • Prevent the spread of infectious diseases

 

  • Identify new treatments and medicines through health research

 

GP practices already share patient data for these purposes, but this new data collection will be more efficient and effective. This means that GPs can get on with looking after their patients and NHS Digital can provide controlled access to patient data to the NHS and other organisations who need to use it, to improve health and care for everyone.

 

Contributing to research projects will benefit us all as better and safer treatments are introduced more quickly and effectively without compromising your privacy and confidentiality.

 

NHS Digital has engaged with the British Medical Association (BMA), Royal College of GPs (RCGP) and the National Data Guardian (NDG) to ensure relevant safeguards are in place for patients and GP practices.

 

What patient data is shared about you with NHS Digital?

 

The collection date is still to be confirmed, although when it has been, patient data will be collected from GP medical records about:

 

  • Any living patient registered at a GP practice in England when the collection started – this includes children and adults

 

  • Any patient who died after the data collection started and was previously registered at a GP practice in England when the data collection started

 

They will not collect your name or where you live. Any other data that could directly identify you, for example NHS number, General Practice Local Patient Number, postcode and date of birth, is replaced with unique codes that are produced by de-identification software before the data is shared with NHS Digital.

 

This process is called pseudonymisation and means that no one receiving the data will be able to directly identify you from it.

 

The data collected by NHS Digital

 

We will share structured and coded data from GP medical records that is needed for specific health and social care purposes as explained above.

 

Data that directly identifies you as an individual patient, including your NHS number, General Practice Local Patient Number, postcode, date of birth and, if relevant, date of death, is replaced with unique codes produced by de-identification software before it is sent to NHS Digital. This means that no one receiving the data will be able to directly identify you from it.
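The pseudonymisation described in this paragraph and in the earlier one under "What patient data is shared about you with NHS Digital?" (direct identifiers replaced with unique codes before the data leaves the practice, with the controller alone able to reverse them) can be illustrated with a keyed scheme. The Python below is an added example written for this page; it is not NHS Digital's de-identification software, and the key, the field names, the record layout and the patient data are all constructed (9434765919 is the example NHS number used in NHS test data, not a real patient). It also shows the point a practitioner would check: the code must be keyed, because an unkeyed hash of a small-space identifier such as a date of birth is trivially reversed by enumeration.

```python
from __future__ import annotations

import hashlib
import hmac
from datetime import date, timedelta

# Fields the notice says are replaced with codes, and fields it says are not collected at all.
DIRECT_IDENTIFIERS = ("nhs_number", "local_patient_number", "postcode", "date_of_birth")
NOT_COLLECTED = ("name", "address")

# Constructed demo key. In production the key would be generated with secrets.token_bytes(32)
# and held by the controller in a key store, never alongside the coded data.
DEMO_KEY = bytes.fromhex("0f" * 32)

# Constructed sample record. 9434765919 is the example NHS number used in NHS test data
# (not a real patient); the other values are made up for this page.
SAMPLE_RECORD = {
    "name": "A. Patient",
    "address": "1 Example Road",
    "nhs_number": "9434765919",
    "local_patient_number": "MMC-000123",
    "postcode": "BH9 0AA",
    "date_of_birth": "1975-04-02",
    "diagnosis_codes": ["J45.9"],          # coded clinical data passes through unchanged
}


def nhs_number_is_valid(nhs_number: str) -> bool:
    """Modulus-11 check digit used by 10-digit NHS numbers (spaces allowed)."""
    digits = nhs_number.replace(" ", "")
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = (11 - total % 11) % 11         # 11 becomes 0; a result of 10 means no valid number
    return check != 10 and check == int(digits[9])


class Pseudonymiser:
    """Keyed, deterministic coding of direct identifiers.

    The same key and value always give the same code, so records about one patient can
    still be linked. Without the key the code cannot be reversed or brute-forced. The key
    holder keeps a code-to-value table, which is what allows re-identification 'in certain
    circumstances' under access control.
    """

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("key must be at least 256 bits")
        self._key = key
        self._lookup: dict[str, tuple[str, str]] = {}

    def code(self, field: str, value: str) -> str:
        # The field name is mixed in so the same string in two fields gets different codes.
        mac = hmac.new(self._key, field.encode() + b"\x00" + value.encode(), hashlib.sha256)
        c = mac.hexdigest()[:32]
        self._lookup[c] = (field, value)
        return c

    def pseudonymise(self, record: dict) -> dict:
        out = {}
        for field, value in record.items():
            if field in NOT_COLLECTED:
                continue                   # dropped entirely, not coded
            if field == "nhs_number" and not nhs_number_is_valid(value):
                raise ValueError(f"invalid NHS number: {value}")
            out[field] = self.code(field, value) if field in DIRECT_IDENTIFIERS else value
        return out

    def reidentify(self, code: str) -> tuple[str, str] | None:
        """Reverse a code; only the holder of the key and table can do this."""
        return self._lookup.get(code)


def unkeyed_hash(value: str) -> str:
    """What NOT to do: a plain hash looks random, but the input space is tiny."""
    return hashlib.sha256(value.encode()).hexdigest()


def recover_dob(target: str, first: date = date(1900, 1, 1), last: date = date(2025, 12, 31)) -> str | None:
    """Reverse an unkeyed hash of a date of birth by trying every day in range (~46,000 hashes)."""
    d = first
    while d <= last:
        s = d.isoformat()
        if unkeyed_hash(s) == target:
            return s
        d += timedelta(days=1)
    return None


if __name__ == "__main__":
    p = Pseudonymiser(DEMO_KEY)
    coded = p.pseudonymise(SAMPLE_RECORD)
    print(coded)
    print("reidentified:", p.reidentify(coded["nhs_number"]))
    print("unkeyed DOB hash recovered:", recover_dob(unkeyed_hash(SAMPLE_RECORD["date_of_birth"])))
    print("keyed DOB code recovered:", recover_dob(coded["date_of_birth"]))
```

Two design points matter here. The same patient must receive the same code across records so that NHS Digital can link them, which is why the coding is deterministic rather than a random token; and the field name is bound into the MAC so that a postcode and a local patient number that happen to share a string do not collide. The unkeyed hash is shown only to make the failure mode concrete: every possible date of birth can be hashed in well under a second, so a plain hash of such a field is not pseudonymisation at all.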

 

NHS Digital will collect:

 

  • Data on your sex, ethnicity, and sexual orientation

 

  • Clinical codes and data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals and recalls and appointments including information about your physical, mental, and sexual health

 

  • Data about the staff who have treated you

 

More detailed information about the patient data collected is contained within the Data Provision Notice issued to GP practices.

 

NHS Digital will not collect:

 

  • Your name and address (except for your postcode in unique coded form)

 

  • Written notes (free text) such as the details of conversations with doctors and nurses

 

  • Images, letters and documents

 

  • Coded data that is not needed due to its age – for example medication, referral and appointment data that is over 10 years old

 

  • Coded data that GPs are not permitted to share by law – for example certain codes about IVF treatment and certain information about gender re-assignment

 

NHS Digital legal basis for collecting, analysing and sharing patient data

 

When NHS Digital collects, analyses, publishes and shares patient data, there are strict laws in place that it must follow. Under the UK General Data Protection Regulation (UK GDPR), this includes explaining to patients what legal provisions apply under UK GDPR that allows it to process patient data. The UK GDPR protects everyone's data.

 

NHS Digital has been directed by the Secretary of State for Health and Social Care under the General Practice Data for Planning and Research Directions 2021 to collect and analyse data from GP practices for health and social care purposes, including policy, planning, commissioning, public health and research purposes. NHS Digital is the controller of the patient data collected and analysed under the UK GDPR, jointly with the Secretary of State for Health and Social Care.

 

All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the Data Provision Notice issued by NHS Digital to GP practices.

 

NHS Digital has various powers to publish anonymous statistical data and to share patient data under sections 260 and 261 of the 2012 Act. It also has powers to share data under other Acts, for example the Statistics and Registration Service Act 2007.

 

Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002 (COPI) also allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency. The Secretary of State has issued legal notices under COPI (COPI Notices) requiring NHS Digital, NHS England and Improvement, arm's-length bodies (such as Public Health England), local authorities, NHS trusts, clinical commissioning groups and GP practices to share confidential patient information to respond to the COVID-19 outbreak. Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use confidential patient information.

 

How NHS Digital uses patient data

 

NHS Digital will analyse and link the patient data we collect with other patient data we hold to create national data sets and for data quality purposes. NHS Digital will be able to use the de-identification software to convert the unique codes back to data that could directly identify patients in certain circumstances for these purposes, where this is necessary and where there is a valid legal reason. There are strict internal approvals which need to be in place before NHS Digital can do this and this will be subject to independent scrutiny and oversight by the Independent Group Advising on the Release of Data (IGARD).

 

These national data sets are analysed and used by NHS Digital to produce national statistics and management information, including published public dashboards about health and social care. NHS Digital never publishes any patient data that could identify an individual. All data it publishes is anonymous statistical data.

 

For more information about data NHS Digital publish see Data and Information and Data Dashboards.

 

Who does NHS Digital share patient data with?

 

All data that is shared by NHS Digital is subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the relevant health and social care purpose will be shared.

 

All requests to access patient data from this collection, other than anonymous aggregate statistical data, will be assessed by NHS Digital’s Data Access Request Service to make sure that organisations have a legal basis to use the data and that it will be used safely, securely and appropriately.

 

These requests for access to patient data will also be subject to independent scrutiny and oversight by the Independent Group Advising on the Release of Data (IGARD). Organisations approved to use this data will be required to enter into a data sharing agreement with NHS Digital regulating the use of the data.

 

There are several organisations that are likely to need access to different elements of patient data from the General Practice Data for Planning and Research collection. These include but may not be limited to:

 

  • The Department of Health and Social Care and its executive agencies including Public Health England and other government departments

 

  • NHS England and NHS Improvement

 

  • Primary care networks (PCNs), clinical commissioning groups (CCGs) and integrated care organisations (ICOs)

 

  • Local authorities

 

  • Research organisations including universities, charities, clinical research organisations that run clinical trials and pharmaceutical companies

 

If the request is approved, the data will either be made available within a secure data access environment within the NHS Digital infrastructure or, where the needs of the recipient cannot be met this way, as a direct dissemination of data. NHS Digital plan to reduce the amount of data being processed outside central, secure data environments and increase the data it makes available to be accessed via its secure data access environment.

 

Data will always be shared in the uniquely coded form (de-personalised data in the diagram above) unless in the circumstances of any specific request it is necessary for it to be provided in an identifiable form (personally identifiable data in the diagram above), for example, when express patient consent has been given to a researcher to link patient data from the General Practice for Planning and Research collection to data the researcher has already obtained from the patient. It is therefore possible for NHS Digital to convert the unique codes back to data that could directly identify patients in certain circumstances, and where there is a valid legal reason which permits this without breaching the common law duty of confidentiality. This would include:

 

  • Where the data is needed by a health professional for the patient’s own care and treatment

 

  • Where the patient has expressly consented to this, for example to participate in a clinical trial

 

  • Where there is a legal obligation, for example where there are COPI Notices

 

  • Where approval has been provided by the Health Research Authority or the Secretary of State with support from the Confidentiality Advisory Group (CAG) under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 (COPI) - this is sometimes known as a ‘section 251 approval’

 

Re-identification of the data would only take place following approval of the specific request through the Data Access Request Service and subject to independent assurance by IGARD and consultation with the Professional Advisory Group which is made up of representatives from the BMA and the RCGP. If patients have registered a national data opt-out this would be applied in accordance with the national data opt-out policy before any identifiable patient data (personally identifiable data in the diagram above) about the patient was shared.

 

Details of who NHS Digital have shared data with, in what form and for what purposes are published on their data release register.

 

Where does NHS Digital store patient data?

NHS Digital only stores and processes patient data for this data collection within the United Kingdom (UK). Fully anonymous data (that does not allow patients to be directly or indirectly identified), for example statistical data that is published, may be stored and processed outside of the UK.

Some of the NHS Digital processors may process patient data outside of the UK. If they do, they will always ensure that the transfer outside of the UK complies with data protection laws.

Objections or Complaints

In the unlikely event that you feel your GP Practice has not complied with the current data protection legislation, either in responding to your request or in our general processing of your personal information, you should raise your concerns in the first instance in writing to the practice manager Richard Holden or their deputy Fiona. If you feel that we have not addressed your concern appropriately, you have the right to lodge a complaint with the ICO. For further details, visit ico.gov.uk and select “Raising a concern” or telephone: 0303 123 1113.

The Information Commissioner’s Office is the regulator for the General Data Protection Regulations and offers independent advice and guidance on the law and personal data including your rights and how to access your personal information.

 

 

 

Annex B – Social media/website information

Using your health data for planning and research

The new General Practice Data for Planning and Research Data Collection (GPDPR) is coming. This data collection will help the NHS to improve health and care services for everyone by collecting patient data that can be used to do this.

The GPDPR is designed to help the NHS to:

  • Monitor the long-term safety and effectiveness of care
  • Plan how to deliver better health and care services
  • Prevent the spread of infectious diseases
  • Identify new treatments and medicines through health research

You can decide whether you wish to have your information extracted and there are two main options available to you.

Option 1:

Type 1 Opt Out applies at organisational level and means that your medical record is not extracted from the organisation for any purpose other than for direct patient care. You can opt out at any time, however you should opt out before the beginning of September to ensure your data is not extracted for this purpose. Opting out after this date will mean that no further extractions will be taken from your medical record.

Further information is available here.

Option 2:

Type 2 Opt Out allows data to be extracted by NHS Digital for their lawful purposes but they cannot share this information with anyone else for research and planning purposes. You can opt out at any time.

Further information is available here.

How do you opt out?

Type 1 – You need to contact the practice by phone, email or post to let us know that you wish to opt out.

Type 2 – you need to inform NHS Digital. Unfortunately, this cannot be done by the practice for you. You can do this by any of the following methods:

  • Telephone service 0300 303 5678 which is open Monday to Friday between 0900 and 1700
  • NHS App – For use by patients aged 13 and over (95% of surgeries are now connected to the NHS App). The app can be downloaded from the App Store or Google Play
  • Photocopies of proof of the applicant’s name (e.g., passport, UK driving licence etc.) and address (e.g., utility bill, payslip etc.) need to be sent with the application.

It can take up to 14 days to process the form once it arrives at National Data Opt Out, Contact Centre, NHS Digital, HM Government, 7 and 8 Wellington Place, Leeds, LS1 4AP.


 

Annex C – Patient text messaging and telephone message templates

Text message content template

You can opt out of your health information being shared with NHS Digital for planning and research before the commencement date. For more information, please visit https://www.nhs.uk/your-nhs-data-matters/manage-your-choice/ to find out more.

Patient information for website template

The way in which patient data gathering is done by NHS Digital is changing. There is currently a lot of information online and in the news about your choices and opting out of these collections. You can opt out of your GP record being shared with NHS Digital for planning and research and this should be done before the commencement date.

For more information, please visit our privacy notice at [insert link to practice privacy notice] to find out more.

Email response template

Thank you for your email regarding the sharing of patient data and being able to opt out of these collections. The NHS Digital GP Data extraction is a legally required activity for this practice; however, you do have a right to opt out of the sharing of your data for research and planning purposes.

NHS Digital provides a detailed guide for patients on how the information it extracts is used and how you can opt out. This can be found at https://digital.nhs.uk/data-and-information/data-collections-and-data-sets/data-collections/general-practice-data-for-planning-and-research

Please be aware that there are two types of opt out:

Type 1 - applies at organisational level and means that the patient’s medical record is not extracted from the organisation for any purpose other than for direct patient care.

Type 2 - allows data to be extracted by NHS Digital for its lawful purposes but it cannot share this information with anyone else for research and planning purposes.

If you wish to apply Type 1 Opt Out, please let us know and we will apply this locally to your clinical record. This will mean your data is not extracted on or after the commencement date.

If you wish to apply Type 2 National Data Opt Out you must do this directly with NHS Digital. You can do this in any of the following ways:

  • Telephone service 0300 303 5678 which is open Monday to Friday between 0900 and 1700.
  • NHS App – For use by patients aged 13 and over (95% of surgeries are now connected to the NHS App). The app can be downloaded from the App Store or Google Play.
  • Photocopies of proof of applicant’s name (e.g., passport, UK driving licence etc.) and address (e.g., utility bill, payslip etc.) need to be sent with the application. It can take up to 14 days to process the form once it arrives at National Data Opt Out, Contact Centre, NHS Digital, HM Government, 7 and 8 Wellington Place, Leeds, LS1 4AP.

Telephone message template

We have received numerous enquiries about patient data being extracted by NHS Digital to be used for research and planning. You, as a patient, have the right to opt out of your information being used in this way.

Extensive information about this process can be found by visiting our website [give website address] or, if you do not have internet access, please speak with a member of our reception team who will be very happy to explain this to you.

 

Annex D – Organisational staff opt out guidance

This guidance is provided to all staff who may be required to respond to queries about the current data opt-outs available.

Who is NHS Digital?

  • NHS Digital is the national information and technology partner for the health and care system
  • It provides information and data to the health service so that it can plan effectively and monitor progress, creates and maintains the technological infrastructure that keeps the health service running and links systems together to provide seamless care, and develops information standards that improve the way different parts of the system communicate
  • NHS Digital is the national custodian for health and care data in England and has responsibility for standardising, collecting, analysing, publishing and sharing data and information from across the health and social care system, including general practice

What does it do with the data it collects?

  • Patient data collected from general practice is needed to support a wide variety of research and analysis to help run and improve health and care services. Whilst the data collected in other care settings such as hospitals is valuable in understanding and improving specific services, it is the patient data in general practice that helps NHS Digital to understand whether the health and care system as a whole is working for patients.
  • Research the long-term impact of coronavirus on the population
  • Analyse healthcare inequalities
  • Research and develop cures for serious illnesses

What type of data does NHS Digital extract from the organisation?

  • Diagnoses and symptoms
  • Observations
  • Test results
  • Medications
  • Allergies and immunisations
  • Referrals, recalls and appointments
  • The patient’s sex, ethnicity and sexual orientation
  • Data about staff who have treated the patient

If a patient wishes to opt out of data sharing, there are two types of opt-out:

  • Type 1 applies at organisational level and means that the patient’s medical record is not extracted from the organisation for any purpose other than for direct patient care.
  • Type 2 allows data to be extracted by NHS Digital for its lawful purposes but it cannot share this information with anyone else for research and planning purposes.

How does a patient opt out?

  • Type 1 – the patient must inform the practice of their decision and this is coded at the practice locally to their clinical record.
  • Type 2 – the patient must do this themselves with NHS Digital. Unfortunately, this cannot be done by the organisation. The patient can do this by:
  • Telephone service 0300 303 5678 which is open Monday to Friday between 0900 and 1700.
  • NHS App – For use by patients aged 13 and over (95% of surgeries are now connected to the NHS App). The app can be downloaded from the App Store or Google Play
  • Photocopies of proof of applicant’s name (e.g., passport, UK driving licence etc.) and address (e.g., utility bill, payslip etc.) need to be sent with the application. It can take up to 14 days to process the form once it arrives at National Data Opt Out, Contact Centre, NHS Digital, HM Government, 7 and 8 Wellington Place, Leeds, LS1 4AP.
  • Getting a healthcare professional to assist patients in prison or other secure settings to register an opt-out choice. For patients detained in such settings, guidance is available on NHS Digital and a proxy form is available to assist in registration.

Coding the patient record

If the patient wishes to opt out – use code 827241000000103 Dissent from secondary use of general practitioner patient identifiable data (finding)

If the patient wishes to opt in – use code 827261000000102 Dissent withdrawn for secondary use of general practitioner

Website Privacy Statement

  1. Welcome to Moordown Medical Centre's privacy notice. We respect your privacy and are committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data when you visit our website (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you.
  2. Our website, www.moordownmedicalcentre.co.uk, is hosted by My Surgery Website and updated by our practice staff.

Purpose of this privacy notice

  1. This privacy notice aims to give you information on how we collect and process your personal data through your use of this website. This website is not intended for children and we do not knowingly collect data relating to children.
  2. It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them.

Controller

  1. The Practice, Moordown Medical Centre, is the controller and is responsible for your personal data (collectively referred to as "the Practice", "we", "us" or "our" in this privacy notice).
  2. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the Practice Manager.
  3. You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Changes to the privacy notice and your duty to inform us of changes

  1. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us. 

Third-party links

  1. This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit. 

The data we collect about you

  1. Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
  2. We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
  • Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
  • Contact Data includes email address and telephone numbers.
  • Usage Data includes information about how you use our website, products and services.
  3. We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
  4. We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

How is your personal data collected?

  1. We use different methods to collect data from and about you including through direct interactions. For example, you may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone, email or otherwise.

How we use your personal data

  1. We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
  • Where we need to perform the contract we are about to enter into or have entered into with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.
  2. Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data.

Opting out

  1. We do not send marketing messages. We may send appointment reminders and health promotion reminders, such as reminders for flu clinics, via SMS message. You may opt out of these reminders at any time. 

Change of purpose

  1. We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
  2. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
  3. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Disclosures of your personal data

  1. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. 

International transfers

  1. We do not transfer any information outside of the European Economic Area. 

Data security

  1. We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
  2. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Data retention

  1. We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
  2. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
  3. In some circumstances you can ask us to delete your data. In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Your legal rights

  1. Under certain circumstances, you have rights under data protection laws in relation to your personal data. Your rights are to:
  • Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
  2. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
  3. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
  4. We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.