
Patient Privacy Notice

How we use your personal information

 

1. Being transparent and providing accessible information to patients about how we will use your personal information is a key element of the GDPR Regulations.

2. The following notice reminds you of your rights in respect of the above legislation and how your GP Practice will use your information for lawful purposes in order to deliver your care and the effective management of the local NHS system.

3. This notice reflects how we use information for:

  • The management of patient records;
  • Communication concerning your clinical, social and supported care;
  • Ensuring the quality of your care and the best clinical outcomes are achieved through clinical audit and retrospective review;
  • Participation in health and social care research; and
  • The management and clinical planning of services to ensure that appropriate care is in place.

Data Controller

4. As your registered GP practice, we are the data controller for any personal data that we hold about you.

What information do we collect and use?

5. We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • The General Data Protection Regulation (GDPR)
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality and Information Security

6. Personal data must be processed fairly and lawfully, whether it is received directly from you or from a third party in relation to your care. ‘Personal data’ means any information relating to an identifiable person who can be directly or indirectly identified from the data. This includes, but is not limited to, name, date of birth, full postcode, address, next of kin and NHS Number. ‘Special category / sensitive personal data’ includes, for example, medical history (including details of appointments and contact with you), medication, emergency appointments and admissions, clinical notes, treatments, results of investigations, supportive care arrangements, social care status, race, ethnic origin, genetics and sexual orientation.

7. We will collect the following types of information from you or about you from a third party (provider organisation) engaged in the delivery of your care:

  • Details about you, such as your address, legal representative, emergency contact details
  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations such as laboratory tests, x-rays etc
  • Relevant information from other health professionals, relatives or those who care for you
  • Your records will be retained in accordance with the NHS Code of Practice for Records Management

8. Your healthcare records contain information about your health and any treatment or care you have received previously (e.g. from an acute hospital, GP surgery, community care provider, mental health care provider, walk-in centre, social services). These records may be electronic, a paper record or a mixture of both. We use a combination of technologies and working practices to ensure that we keep your information secure and confidential.

Why do we collect this information?

9. The NHS Act 2006 and the Health and Social Care Act 2012 confer statutory functions on GP Practices to promote and provide the health service in England, improve the quality of services, reduce inequalities, conduct research, review the performance of services and deliver education and training. To do this we will need to process your information in accordance with current data protection legislation to:

  • Protect your vital interests;
  • Pursue our legitimate interests as a provider of medical care, particularly where the individual is a child or a vulnerable adult;
  • Perform tasks in the public’s interest;
  • Deliver preventative medicine, medical diagnosis, medical research; and
  • Manage the health and social care system and services.  

How do we use this information?

10. To ensure that you receive the best possible care, your records will be used to facilitate the care you receive. Information held about you may be used to protect the health of the public and to help us manage the NHS. Information may also be used for clinical audit to monitor the quality of the service provided. In addition, your information will be used to identify whether you are at risk of a future unplanned hospital admission and/or require support to effectively manage a long term condition.

 

How is the information collected?

11. Your information will be collected either electronically, using secure NHS Mail or a secure electronic transfer over an NHS encrypted network connection, or as physical information sent to your practice. This information will be retained within your GP’s electronic patient record or within your physical medical records.

 

Who will we share your information with?

12. In order to deliver and coordinate your health and social care, we may share information with the following organisations:

  • NHS Trusts / Foundation Trusts
  • GPs
  • NHS Commissioning Support Units
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • NHS Digital
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • Other ‘data processors’ which you will be informed of.

13. Your information will only be shared if it is appropriate for the provision of your care or required to satisfy our statutory function and legal obligations.

Do you transfer my data outside of the UK?

14. Generally the information that the practice holds is all held within the UK. However, some information may be held on computer servers which are held outside of the UK. We will take all reasonable steps to ensure your data is not processed in a country that is not seen as ‘safe’ by the UK or EU government. If the practice does need to send your data out of the EU it will ensure it has extra protection from loss or unauthorised access.  

Who do we receive information from?

15. Whilst we might share your information with the above organisations, we may also receive information from them to ensure that your medical records are kept up to date and so that your GP can provide the appropriate care.

16. In addition, we receive data from NHS Digital (as directed by the Department of Health), such as the uptake of flu vaccinations and disease prevalence, in order to assist us to improve “out of hospital care”.

How do we maintain the confidentiality of your records?

17. We are committed to protecting your privacy and will only use information that has been collected lawfully. Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. We maintain our duty of confidentiality by conducting annual training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access.

18. Information is not held for longer than is necessary. We will hold your information in accordance with the Records Management Code of Practice for Health and Social Care 2016.

 

Do I need to give my consent?

19. The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how their data is used. When consent is used properly, it helps build trust and enhance reputation.

20. However, consent is only one potential lawful basis for processing information. Therefore, your GP practice may not need to seek your explicit consent for every instance of processing and sharing your information, on the condition that the processing is carried out in accordance with this notice. Your GP Practice will contact you if they are required to share your information for any other purpose which is not mentioned within this notice. Your consent will be documented within your electronic patient record.

What will happen if I withhold my consent or raise an objection?

21. You have the right to withdraw your consent, in writing, at any time for any particular instance of processing, provided consent is the legal basis for the processing. Please contact your GP Practice for further information and to raise your objection.

 

Health Risk Screening / Risk Stratification

22. Health Risk Screening or Risk Stratification is a process that helps your GP to determine whether you are at risk of an unplanned admission or deterioration in health. By using selected information such as age, gender, NHS number, diagnosis, existing long term condition(s), medication history, patterns of hospital attendances, admissions and periods of access to community care your GP will be able to judge if you are likely to need more support and care from time to time, or if the right services are in place to support the local population’s needs.

23. To summarise, Risk Stratification is used in the NHS to:

  • Help decide if a patient is at a greater risk of suffering from a particular condition;
  • Prevent an emergency admission;
  • Identify if a patient needs medical help to prevent a health condition from getting worse; and/or
  • Review and amend provision of current health and social care services.

24. Your GP may use computer based algorithms or calculations to identify their registered patients who are at most risk, with support from the local Commissioning Support Unit and/or a third party accredited Risk Stratification provider.

25. Your GP will routinely conduct the risk stratification process outside of your GP appointment. This process is conducted electronically and without human intervention. The resulting report is then reviewed by a multidisciplinary team of staff within the Practice. This may result in contact being made with you if alterations to the provision of your care are identified.

26. A Section 251 Agreement is where the Secretary of State for Health and Social Care has granted permission for personal data to be used for the purposes of risk stratification, in acknowledgement that it would overburden the NHS to conduct manual reviews of all patient registers held by individual providers. You have the right to object to your information being used in this way. However, you should be aware that your objection may have a negative impact on the timely and proactive provision of your direct care. Please contact the Practice Manager to discuss how disclosure of your personal data can be limited. 

27. The National Data opt-out service is available from May 25th 2018. Patients can decide if they want to share their personally identifiable data to be used for planning and research purposes. Please see information in the Practice for more details or refer to www.digital.nhs.uk.

 

Medicines Management

28. Brighton and Hove CCG provides support to audit and review patients’ medicines and prescriptions and in order to do this they will require access to patient records. This is in place to enhance effective and safe prescribing of medication and to ensure we are operating in a cost effective way. We have a confidentiality agreement in place to govern this process. Please tell us if you would like to object to your information being used for these purposes.

GP Practice Variation

29. Brighton and Hove CCG provides support to promote understanding of the variation between GP practices. This work requires access to patient records and is governed by a confidentiality agreement. Please tell us if you would like to object to your information being used for these purposes.

 

Sharing of Electronic Patient Records within the NHS

30. Electronic patient records are kept in most places where you receive healthcare. Our local electronic systems (SystmOne and EMIS) enable your record to be shared with organisations involved in your direct care, such as:

  • GP practices
  • Community services such as district nurses, rehabilitation services, telehealth and out of hospital services.
  • Child health services that undertake routine treatment or health screening
  • Urgent care organisations, minor injury units or out of hours services
  • Community hospitals
  • Palliative care hospitals
  • Care Homes
  • Mental Health Trusts
  • Hospitals
  • Social Care organisations
  • Pharmacies

31. In addition, NHS England has implemented the Summary Care Record, which contains information about medication you are taking, allergies you suffer from and any bad reactions to medication that you have had in the past.

32. Your electronic health record contains lots of information about you. In most cases, particularly for patients with complex conditions and care arrangements, the shared record plays a vital role in delivering the best care and a coordinated response, taking into account all aspects of a person’s physical and mental health. Many patients are understandably not able to provide a full account of their care, or may not be in a position to do so. The shared record means patients do not have to repeat their medical history at every care setting.

33. Your record will be automatically set up to be shared with the organisations listed above; however, you have the right to ask your GP to disable this function or restrict access to specific elements of your record. This will mean that the information recorded by your GP will not be visible at any other care setting.

34. You can also reinstate your consent at any time by giving your permission to override your previous dissent.

Invoice Validation

35. If you have received treatment within the NHS, the local Commissioning Support Unit (CSU) may require access to your personal information to determine which Clinical Commissioning Group is responsible for payment for the treatment or procedures you have received. Information such as your name, address, date of treatment and associated treatment code may be passed on to the CSU to enable them to process the bill. These details are held in a secure environment and kept confidential. This information is only used to validate invoices in accordance with the current Section 251 Agreement, and will not be shared for any further commissioning purposes.

Change of Details

36. It is important that you tell the person treating you if any of your details, such as your name or address, have changed, or if any of your details, such as your date of birth, are incorrect, in order for this to be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.

Your Right of Access to Your Records

37. The General Data Protection Regulation (GDPR) allows you to find out what information is held about you, including information held within your medical records, either in electronic or physical format. This is known as the “right of subject access”. If you would like to have access to all or part of your records, you can make a request in writing to the organisation that you believe holds your information. This can be your GP, or a provider that is delivering or has delivered your treatment and care. You should, however, be aware that some details within your health records may be exempt from disclosure; this will be in the interests of your wellbeing or to protect the identity of a third party. If you would like access to your GP record please submit your request in writing to:

The Practice Manager

Wellsbourne Healthcare CIC

179 Whitehawk Road

Brighton

BN2 5FL

Complaints

38. In the event that you feel your GP Practice has not complied with the current data protection legislation, either in responding to your request or in our general processing of your personal information, you should raise your concerns in the first instance in writing to the Practice Manager at the address above.

39. If you remain dissatisfied with our response you can contact the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF – Enquiry Line: 01625 545700 or online at www.ico.gov.uk.

The NHS Care Record Guarantee

The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS, what control the patient can have over this, the rights individuals have to request copies of their data and how data is protected under Data Protection Legislation.

http://systems.digital.nhs.uk/infogov/links/nhscrg.pdf

The NHS Constitution

The NHS Constitution establishes the principles and values of the NHS in England. It sets out the rights patients, the public and staff are entitled to. These rights cover how patients access health services, the quality of care you’ll receive, the treatments and programmes available to you, confidentiality, information and your right to complain if things go wrong.

https://www.gov.uk/government/publications/the-nhs-constitution-for-england

Appendix A – The Practice will share your information with these organisations where there is a legal basis to do so. For each activity, the rationale is set out as its purpose, legal basis and processor.

CCG

Purpose – Anonymous data is used by the CCG for planning and performance as directed in the practice’s contract.

Legal Basis – Contractual

Processor – Brighton and Hove CCG

Summary Care Record

Purpose – The NHS in England uses a national electronic record called the Summary Care Record (SCR) to support patient care. It contains key information from your GP record. Your SCR provides authorised healthcare staff with faster, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable.

Legal Basis – Direct Care

Please be aware that if you choose to opt out of SCR, NHS healthcare staff caring for you outside of this surgery may not be aware of your current medications, allergies you suffer from and any bad reactions to medicines you have had, in order to treat you safely in an emergency. Your records will stay as they are now, with information being shared by letter, email and phone. If you wish to opt out of having an SCR please return a completed opt-out form to the practice.

Processor – NHS England and NHS Digital

Research

Purpose – We may share personal confidential or anonymous information with research companies. Where you have opted out of having your identifiable information shared for this purpose your information will be removed.

Legal Basis – Consent is required to share confidential patient information for research, unless there is support under the Health Service (Control of Patient Information) Regulations 2002 (‘section 251 support’) applying via the Confidentiality Advisory Group in England and Wales.

Processor – Primary Care Research Network/Royal College of General Practitioners

Individual Funding Requests

Purpose – We may need to process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our contracts.

Legal Basis – The clinical professional who first identifies that you may need the treatment will explain to you the information that needs to be collected and processed in order to assess your needs and commission your care; they will gain your explicit consent to share this. You have the right to withdraw your consent at any time.

Processor – Brighton and Hove CCG

Safeguarding Adults

Purpose – We will share personal confidential information with the safeguarding team where there is a need to assess and evaluate any safeguarding concerns.

Legal Basis – Because of public interest issues, e.g. to protect the safety and welfare of vulnerable adults, we will rely on a statutory basis rather than consent to process information for this use.

Processor – Adult Social Services

Safeguarding Children

Purpose – We will share children’s personal information where there is a need to assess and evaluate any safeguarding concerns.

Legal Basis – Because of public interest issues, e.g. to protect the safety and welfare of children, we will rely on a statutory basis rather than consent to share information for this use.

Processor – Front Door For Families

Risk Stratification – Preventative Care

Purpose – ‘Risk stratification for case finding’ is a process for identifying and managing patients who have or may be at risk of health conditions (such as diabetes) or who are most likely to need healthcare services (such as people with frailty). Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health before it develops.

Information about you is collected from a number of sources including NHS Trusts, GP Federations and your GP Practice. A risk score is then arrived at through an analysis of your de-identified information. This can help us identify and offer you additional services to improve your health.

If you do not wish information about you to be included in any risk stratification programmes, please let us know. We can add a code to your records that will stop your information from being used for this purpose. Please be aware that this may limit the ability of healthcare professionals to identify if you have or are at risk of developing certain serious health conditions.

Type of Data – Identifiable/Pseudonymised/Anonymised/Aggregate Data

Legal Basis – GDPR Art. 6(1)(e) and Art. 9(2)(h). The use of identifiable data by CCGs and GPs for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority (approval reference CAG 7-04(a)/2013), and this approval has been extended to the end of September 2020 (NHS England Risk Stratification). This gives us a statutory legal basis under Section 251 of the NHS Act 2006 to process data for risk stratification purposes, which sets aside the duty of confidentiality. We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.

Processors – Appointed data processor and, for subsequent healthcare, the CCG/PCO/frailty service etc.

Public Health

  • Screening programmes (identifiable)
  • Notifiable disease information (identifiable)
  • Smoking cessation (anonymous)
  • Sexual health (anonymous)

Purpose – Personal identifiable and anonymous data is shared.

The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These currently apply to bowel cancer, breast cancer, aortic aneurysms and the diabetic retinal screening service. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.

More information can be found at https://www.gov.uk/topic/population-screening-programmes or speak to the practice.

Legal Basis – Article 6(1)(e) “necessary… in the exercise of official authority vested in the controller” and Article 9(2)(h) as stated below

Processors – Public Health England https://www.gov.uk/government/organisations/public-health-england and equivalents in the devolved nations.

 

NHS Trusts – Direct Care

Purpose – Personal information is shared with other secondary care trusts in order to provide you with direct care services. This could be hospitals or community providers for a range of services, including treatment, operations, physiotherapy, community nursing and the ambulance service.

Legal Basis – The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the Article 6 and 9 conditions as stated below.

Processors – Brighton Sussex and University Hospitals, SPFT and SCFT

Care Quality Commission

Purpose – The CQC is the regulator for English Health and Social Care services, ensuring that safe care is provided. They inspect and produce reports back to the GP practice on a regular basis. The law allows the CQC to access identifiable data.

Legal Basis – Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject” and Article 9(2)(h) as stated below

Processors – Care Quality Commission

Payments, Invoice Validation

Purpose – Contract-holding GPs in the UK receive payments from their respective governments on a tiered basis. Most of the income is derived from baseline capitation payments made according to the number of patients registered with the practice on quarterly payment days. The amount paid per patient per quarter varies according to the age, sex and other demographic details of each patient. There are also graduated payments made according to the practice’s achievement of certain agreed national quality targets known as the Quality and Outcomes Framework (QOF), for instance the proportion of diabetic patients who have had an annual review. Practices can also receive payments for participating in agreed national or local enhanced services, for instance opening early in the morning, late at night or at the weekend. Practices can also receive payments for certain national initiatives such as immunisation programmes, and may also receive income relating to a variety of non-patient-related elements such as premises. Finally, there are short-term initiatives and projects that practices can take part in. Practices or GPs may also receive income for participating in the education of medical students, junior doctors and GPs themselves, as well as research. In order to make patient-based payments, basic, relevant and necessary data about you needs to be sent to the various payment services. The release of this data is required by English law.

Legal Basis – Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject” and Article 9(2)(h) as stated below

Processors – NHS England, CCG, Public Health

Patient Record Database

Purpose – Your medical record will be shared in order that a database can be maintained and managed in a secure way.

Legal Basis – Article 6(1)(e) “necessary… in the exercise of official authority vested in the controller” and Article 9(2)(h) as stated below

Processor – TPP

Subject Access Requests – Processor

Purpose – Your medical record will be shared in order that a report can be provided to agencies such as insurance companies or solicitors.

Legal Basis – Your consent will be required to share your record for this purpose.

Processor – iGPR

OptimizeRX

Purpose – Your anonymous information will be shared in order to optimise the medication within your record. This will enable your GP to provide a more efficient medication regime.

Legal Basis – Article 6(1)(e) “necessary… in the exercise of official authority vested in the controller” and Article 9(2)(h) as stated below

Processor – FDB

Medicines Management Team

Purpose – Your medical record is shared with the medicines management team in order that your medication can be kept up to date and any changes can be implemented.

Legal Basis – Article 6(1)(e) “necessary… in the exercise of official authority vested in the controller” and Article 9(2)(h) as stated below

Processor – Appointed data processors within the Medicines Management Team, Brighton and Hove CCG

GP Federation (name) / GP Extended Access / LIVI

Purpose – Your medical record will be shared with the (name) in order that they can provide direct care services to the patient population. This could be in the form of video consultations, minor injuries clinics or GP extended access clinics.

Legal Basis – Article 6(1)(e) “necessary… in the exercise of official authority vested in the controller” and Article 9(2)(h) as stated below

Processor – Here www.hereweare.org.uk

PCN

Purpose – Your medical record will be shared with the PCN Pharmacist in order that they can provide direct care services to the patient population.

Legal Basis – Article 6(1)(e) “necessary… in the exercise of official authority vested in the controller” and Article 9(2)(h) as stated below

Processor – Park Crescent Health Centre, St Peter’s Medical Centre

Smoking cessation

n/a

Emergency Care

Purpose – There are occasions when intervention is necessary in order to save or protect a patient’s life or to prevent them from serious immediate harm. In many of these circumstances the patient may be unconscious or too ill to communicate. In these circumstances we have an overriding duty to try to protect and treat the patient.

Legal Basis – Article 6(1)(e) “necessary… in the exercise of official authority vested in the controller” and Article 9(2)(c) “processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent”

Processors – Healthcare professionals and other workers in emergency and out of hours services

National Screening Programmes

Purpose – The NHS provides several national health screening programmes to detect diseases or conditions earlier, such as cervical and breast cancer, aortic aneurysm and diabetes. More information can be found at https://www.gov.uk/topic/population-screening-programmes. The information is shared so as to ensure only those who should be called for screening are called and/or those at highest risk are prioritised.

Legal Basis – Article 6(1)(e) “necessary… in the exercise of official authority vested in the controller” and Article 9(2)(h) as stated below

Processor – Public Health England https://www.gov.uk/government/publications/patient-confidentiality-in-nhs-population-screening-programmes/nhs-population-screening-confidential-patient-data

Technical Solutions for Analytics

Purpose – Insight Solutions delivers training and consultancy appertaining to QOF, prevalence, enhanced services, Read codes and medical terminology. They are also experts in all of the main clinical systems.

Legal Basis – Article 6(1)(e) “necessary… in the exercise of official authority vested in the controller”

Processor – Insight Solutions

Subject Access Requests – Requestors

Purpose – Personal information will be shared with the person or their representative at their request.

Legal Basis – Contractual agreement with the patient, and consented

Processor – Patients and/or their representatives, e.g. family members, solicitors, insurance companies

Medical Reports

Purpose – Personal information will be shared with insurance companies, or potential or current employers, at the patient’s request.

Legal Basis – Consented

Processor – Patients and/or their representatives, e.g. insurance companies, RAF, Navy

Police

Purpose – Medical reports may be requested by the police in connection with criminal matters.

Legal Basis – Consented or Section 29

Processor – Police Constabulary

Coroners

Purpose – Personal information may be shared with the coroner.

Legal Basis – Legal obligation

Processor – The Coroner

Private Healthcare Providers

Purpose – Personal information is shared with private healthcare providers in order to deliver direct care to patients, at the patient’s request.

Legal Basis – Consented, and under contract between the patient and the provider

Provider – Private healthcare provider as detailed in contract

Texting Service

Purpose – Personal identifiable information is shared with the texting service in order that text messages, including appointment reminders, campaign messages related to specific patients’ health needs and direct messages, can be sent to patients.

Legal Basis – Consent from patients and direct care

Provider – AccuRX, Mjog

Online Consultation

Purpose – To enable the practice to provide a full service to patients during the Covid-19 crisis, where the patient is not able to attend the surgery for GP consultations.

Legal Basis – Direct care

Provider – e-Consult

Reviews of and Changes to our Privacy Notice

We will keep our Privacy Notice under regular review. This notice was last reviewed in May 2020.

Lawful basis for processing:

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

  • Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and
  • Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’

 

 


