GDPR & Privacy

Privacy Notice for Patients

How Sydenham House Medical Centre uses your information to provide you with healthcare

This practice keeps medical records confidential and complies with the General Data Protection Regulation

We hold your medical record so that we can provide you with safe care and treatment

We will also use your information so that this practice can check and review the quality of the care we provide. This helps us to improve our services to you.

We will share relevant information from your medical record with other health or social care staff or organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital. Or your GP will send details about your prescription to your chosen pharmacy

More information on how we share your information with organisations who are directly involved in your care can be found later in the document.

Healthcare staff working in A&E and out of hours care will also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions. This will involve the use of your Summary Care Record. For more information see https://digital.nhs.uk/summary-care-records or alternatively speak to your practice.

You have the right to object to information being shared for your own care. Please speak to the practice if you wish to object. You also have the right to have any mistakes or errors corrected.

Other important information about how your information is used to provide you with healthcare

Registering for NHS Care

All patients who receive NHS care are registered on a national database

This database holds your name, address, date of birth and NHS Number but it does not hold information about the care you receive

The database is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS data. For further information call 0300 303 5678

Identifying Patients Who Might Be At Risk of Certain Diseases

Your medical records will be searched by a computer programme so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital

This means we can offer patients additional care or support as early as possible

This process will involve linking information from your GP record with information from other health or social care services you have used.

Information which identifies you will only be seen by this practice

Safeguarding

Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm.  These circumstances are rare

We do not need your consent or agreement to do this.

How your information is used for medical research and to measure the quality of care

Medical Research

Sydenham House Medical Centre shares information from medical records to support medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best

We will also use your medical records to carry out research within the practice

This is important because the use of information from GP medical records is very useful in developing new treatments and medicines

Medical researchers use information from medical records to help answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive.  You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the practice if you wish to object. 

Checking the Quality of Care - National Clinical Audit

The practice contributes to national clinical audits so that healthcare can be checked and reviewed. Information from medical records can help doctors and other healthcare workers measure and check the quality of care which is provided to you

The results of the checks or audits can show where hospitals are doing well and where they need to improve. The results of the checks or audits are used to recommend improvements to patient care

Data are sent to NHS Digital, a national body with legal responsibilities to collect data. The data will include information about you, such as your NHS Number and date of birth, and information about your health which is recorded in coded form, for example the code for diabetes or high blood pressure

We will only share your information for national clinical audits or checking purposes when the law allows

For more information about national clinical audits see the Healthcare Quality Improvements Partnership website: https://www.hqip.org.uk

You have the right to object to your identifiable information being shared for national clinical audits. Please contact the practice if you wish to object.

How Your Information Is Shared So That This Practice Can Meet Legal Requirements

The law requires the practice to share information from your medical records in certain circumstances. Information is shared so that the NHS or Public Health England can, for example:

  • Plan and manage services;
  • Check that the care being provided is safe;
  • Prevent infectious diseases from spreading.

We will share information with NHS Digital, the Care Quality Commission and the local health protection team (or Public Health England) when the law requires us to do so. Please see below for more information. We must also share your information if a court of law orders us to do so.

Care Quality Commission (CQC)

The CQC regulates health and social care services to ensure that safe care is provided

The law says that we must report certain serious events to the CQC, for example, when patient safety has been put at risk

For more information about the CQC see: http://www.cqc.org.u

Public Health

The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population.

We will report the relevant information to the local health protection team or Public Health England

For more information about Public Health England and disease reporting see: https://www.gov.uk/guidance/notifiable-diseases-and-causative-organisms-how-to-report

National Screening Programmes

The NHS provides national screening programmes so that certain diseases can be detected at an early stage.

These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service.

The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.

More information can be found at: https://www.gov.uk/topic/population-screening-programmes or speak to the practice.

We are required by law to provide you with the following information about how we handle your information.

Data Controller

Contact Details

 

Sydenham House Medical Practice

Mill Court

Ashford

Kent

TN24 8DN

01233 645851

Data Protection Officer Contact Details

Pam Mills

Sydenham House Medical Practice

07972166312

Purpose of the processing

 

·         To give direct health or social care to individual patients

 

·         For example, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care

 

·         To check and review the quality of care. (This is called audit and clinical governance)

Lawful Basis for Processing

 

These purposes are supported under the following sections of the GDPR:

 

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and

 

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...’

 

Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.

Recipient or Categories of Recipients of the Processed Data

 

The data will be shared with:

 

·         Healthcare professionals and staff in this Practice;

·         Local hospitals;

·         Out of hours services;

·         Diagnostic and treatment centres;

·         Or other organisations involved in the provision of direct care to individual patients.

Rights to Object

 

·         You have the right to object to information being shared between those who are providing you with direct care

·         This may affect the care you receive – please speak to the practice

·         You are not able to object to your name, address and other demographic information being sent to NHS Digital

·         This is necessary if you wish to be registered to receive NHS care

·         You are not able to object when information is legitimately shared for safeguarding reasons

·         In appropriate circumstances it is a legal and professional requirement to share information for safeguarding reasons. This is to protect people from harm

·         The information will be shared with the local safeguarding service

Right to Access and Correct

·         You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff or look at our ‘subject access request’ policy

We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view

 

 

GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found at: https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016 or speak to the practice

Right to Complain

 

You have the right to complain to the Information Commissioner’s Office. If you wish to complain follow this link https://ico.org.uk/global/contact-us/ or call the helpline on 0303 123 1113

Data We Get From Other Organisations

We receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation the hospital will send us a letter to let us know what happens. This means your GP medical record is kept up to date when you receive care from other parts of the health service.

 

a.      Direct Medical Care and Administration

Recipients or categories of recipients of the personal or special categories of personal data

Purpose of the processing and data retention periods

Lawful basis: General Data Protection Regulation (Article 6, Article 9); Data Protection Act (Section 8, Section 10, Part 1 of Schedule 1)

Your Rights

 

NHS Trusts – Hospitals, Community or Mental Health Trusts.

Personal data concerning your GP medical record may be shared with NHS Trusts in order to enable their healthcare professionals to make the best informed decision about your health needs, and provide you with the best possible care if you visit the hospital for routine care and referrals.

Your personal information may also be processed for local  administrative purposes such as:

·    Waiting list management;

·    local clinical audit;

·    Performance against local targets;

·    activity monitoring;

·    production of datasets to submit for commissioning purposes and national collections.

 

The source of the information shared in this way is your electronic GP record.

 

In accordance with DPA Part 1, Schedule 1 (2) health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (2) health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

Related Legislation:

Common Law Duty of Confidentiality

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21 and DPA Section 99, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

Emergency Services (Ambulance trusts, police, A&E departments, out of hours services, 111)

There are circumstances when intervention is necessary in order to save or protect a patient’s life or to prevent them from serious immediate harm, for example, during a collapse or diabetic coma or serious injury or accident. In many of these circumstances the patient may be unconscious or too ill to communicate.

Medical professionals have a duty of care to share data in emergencies to protect their patients or other persons. In these circumstances, your GP medical record will be shared with emergency healthcare services, the police or fire service in order to enable you to receive the best treatment or service.

 

The source of the information shared in this way is your electronic GP record.

 

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

 

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

Article 9 (2)(c) – the processing is necessary to protect the vital interests of the data subject;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA Schedule 1, Part 1, (2) health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 

In accordance with DPA Schedule 1, Part 3, (30) (b) the condition for protecting an individual’s vital interests is met where the data subject is physically or legally incapable of giving consent.

You have the right to:

·      Make pre-determined decisions about the type and extent of care you will receive in an emergency, these are known as “Advance Directives”;

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

 

Right to object: You have the right to object to some or all of your personal information being shared with the recipients. You also have the right to have an “Advance Directive” placed in your records and brought to the attention of relevant healthcare workers or staff.

 

We will notify you at the earliest opportunity where we have shared your personal data in an emergency situation.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

GP Federations & PCNs

(groups of GP practices working together)

 

GP Federations are groups of GPs (patient centered organisation), working collaboratively and developing closer integration with other partners across health, social and third sector partners to facilitate an enhanced delivery of health and care services.

Through various hubs in the community the GP Federation provides direct health and care services such as continued extended access, home visits, universal offers, musculoskeletal service, GP at front door and other neighbourhood services across Ashford.

If you visit or receive treatment/consultation at any of these services, personal data concerning your GP medical record may be shared with the GP Federation and their Multidisciplinary Team (MDT) in order to enable them to make the best informed decision about your health/care needs, and provide you with the best possible care.

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

 

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (2) health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 

Related Legislation:

Section 251B Health and Social Care (Safety and Quality) Act 2015 (Duty to Share);

Common Law Duty of Confidentiality

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

 

Pharmacists - Medicines Optimisation

Medicines optimisation looks at the value which medicines deliver, making sure they are clinically-effective and cost-effective. It is about ensuring patients get the right choice of medicines, at the right time, and are engaged in the process by their clinical team.

Medicines optimisation enables community pharmacies to request medication electronically from the Practice and view relevant information from your GP record in order to provide you with the best medicines.

 

The source of the information shared in this way is your electronic GP record.

 

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

 

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (2) health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 

Related Legislation:

Common Law Duty of Confidentiality

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

Local Authority – Social Services

The Practice works closely with Local Authorities to support and care for people of all ages to deliver the best possible social care.

Personal data concerning your GP medical record may be shared with Local Authorities and Multidisciplinary Team (MDT) delivering social care in order to enable them to make the best informed decision about your social care needs if required.

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

 

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

GDPR Article 9(2) (b) – processing necessary in the field of employment, social security and social protection law;

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 

In accordance with DPA Part 1, Schedule 1, (1a) the processing for employment, social security and social protection is met where it is for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection;

 

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

Care Homes

Personal data concerning your GP medical record may be shared with Care Homes and other Multidisciplinary Team (MDT) delivering care in order to enable their care professionals to make the best informed decision about your care needs, and provide you with the best possible care if you visit a Care Home.

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

 

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

b.      Other primary care services delivered for the purposes of direct care

Integrated Urgent Care Service (IUC) - covering Out of Hours and NHS 111 service

Integrated Urgent Care Service (IUC) is an urgent care service delivered across Medway t for the provision of a functionally integrated 24/7 urgent care access, clinical advice and treatment service for patients. IUC incorporates NHS 111 and Out of Hours (OOH) services, which is often referred to as an IUC Clinical Assessment Service.

 

The purpose of IUC is to ensure that patients receive the best possible healthcare service in their community.

If you visit the urgent care centre or call NHS 111 for health related needs, personal data in your GP record will be shared with healthcare professionals in order to enable them to make the best informed decision about your health needs.

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

 

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 

Related Legislation:

Section 251B Health and Social Care (Safety and Quality) Act 2015 (Duty to Share);

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

Continuing Health Care (CHC)

NHS Continuing Health Care (CHC) is free care outside of hospital that is arranged and funded by the NHS to support people living with complex medical conditions and on-going healthcare needs. It can be delivered in the patient’s home, at their care home or in non-acute hospitals.

CHC is free, unlike support from social services, for which a fee may be charged depending on your income and savings. CHC is different from NHS Funded Nursing Care, which some people with less complex needs living in care homes receive.

If you require CHC, personal data from your GP medical record will be shared with the care home or non-acute hospital looking after you.

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

 

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 

Related Legislations:

Common Law of Duty of Confidentiality;

Section 251B Health and Social Care (Safety and Quality Act) 2015 (Duty to Share);

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

c.       Statutory Disclosures of Information

Safeguarding Concerns – to prevent an individual, or to prevent a serious crime

 

Some members of the public are recognised as needing safeguarding protection, for example children and vulnerable adults. If an individual is identified as being at risk from harm, we have a duty to do what we can to protect that individual, and we are bound by ‘Safeguarding’ laws to do so.

Where there is a suspected or actual safeguarding issue we will share information that we hold about you with other relevant agencies (such as local Ambulance trusts, the police, A&E departments, out of hours services, 111 or Social Services).

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following conditions:

Article 9 (2) (c) – the processing is necessary to protect the vital interests of the data subject;

Article 9 (2) (b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law;

In accordance with DPA Schedule 1, Part 3, (30) (b) - the condition for protecting an individual’s vital interests is met where the data subject is physically or legally incapable of giving consent.

 

In accordance with DPA Schedule 1, Part 2 (18) (1a) - the condition is met where the processing is necessary for protecting an individual from neglect or physical, mental or emotional harm, or protecting the physical, mental or emotional well-being of an individual.

 

Related Legislations:

Section 47 of The Children Act 1989.

Section 45 of the Care Act 2014

This sharing is a legal and professional requirement and therefore there is no right to object.

The Children Act 1989 requires local authorities to investigate where a child is the subject of an emergency protection order, is in police protection or where there is a reasonable cause to suspect that a child is suffering or is likely to suffer harm.

The Act requires the local authority to safeguard and promote the welfare of children who are in need, within their geographical area and to request help from specified authorities including General Practices, NHS Trusts, Clinical Commissioning Groups (CCGs) and NHS England.

 

 

 

The Care Quality Commission (CQC)

The Care Quality Commission (CQC) is a regulatory body established under the Health and Social Care Act. The CQC regulates health and social care services in England to ensure that safe health and care are provided. The law allows the CQC to access identifiable patient data/medical records in our clinical system for the purposes of their assessment and investigation of significant safety incidents.

 

The data will be shared with the Care Quality Commission, its officers and staff and members of the inspection teams that visit us from time to time.

 

The source of the information shared in this way is your electronic GP record.

 

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

 

The processing of personal data is permitted under the following conditions:

Article 6(1)(c) - processing for legal obligation;

DPA Section 8 (d) - Processing is necessary for the exercise of statutory functions.

 

The processing of special categories of personal data concerning health is permitted under the following conditions:

Article 9 (2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services

 

DPA Section 10 (1) (c) - health and social care purposes.

 

In accordance with DPA Schedule 1, Part 1 (2) health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

Right to object: You have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

Law Enforcement and Regulatory Bodies

In some circumstances the Practice may be legally required to share personal information with law enforcement and regulatory bodies (without the consent of the data subject) such as the Police, Courts of Justice, HMRC and DVLA for the purposes of prevention or detection of crime; apprehension or prosecution of offenders; the assessment or collection of any tax or duty or of any imposition of a similar nature.

 

GPs are obliged to notify the DVLA when fitness to drive requires notification but an individual cannot or will not notify the DVLA themselves, and if there is concern for road safety, which would be for both the individual and the wider public.

The Practice will review each request based on its merits before deciding whether to release information to the ‘relevant authorities’.

 

The source of the information shared in this way is your electronic GP record.

 

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

 

The processing of personal data is permitted under the following conditions:

Article 6(1) (e) - public interest or in the exercise of official authority;

 

DPA Section 8 (d) - Processing is necessary for the exercise of statutory functions.

 

The processing of special categories of personal data concerning health is permitted under the following conditions:

Article 9 (2) (g) – the processing is necessary for reasons of substantial public interest;

In accordance with DPA Schedule 1, Part 2, (10) (1c) – the condition is met where the processing is necessary for the prevention or detection of an unlawful act.

 

This sharing is a legal and professional requirement and therefore there is no right to object. Personal data processed for these purposes are exempt from the first data protection principle (processed lawfully, fairly and in a transparent manner).

 

 

Medico-Legal

Medico-Legal - Where a medical professional is holding personal data for the purpose of providing medical reports in connection with legal action.

 

The source of the information shared in this way is your electronic GP record.

 


 

The processing of personal data is permitted under the following conditions:

GDPR Article 6(1)(c) - processing for legal obligation;

The processing of special categories of personal data concerning health is permitted under the following conditions:

GDPR Article 9 (2) (f) – the processing is necessary for the establishment, exercise or defence of legal claims;

In accordance with DPA Schedule 1, Part 3, (33) - the condition for processing for legal claims is met where it is in connection with any legal proceedings, including prospective legal proceedings; or for the purpose of obtaining legal advice; or establishing, exercising or defending legal rights.

This sharing is a legal and professional requirement and therefore there is no right to object.

 

 

General Medical Council (GMC)

The General Medical Council (GMC) is a public body that maintains the official register of medical practitioners within the United Kingdom. Its primary responsibility is ‘to protect, promote and maintain the health and safety of the public’ by controlling entry to the register, and suspending or removing members when necessary.

 

Under the Medical Act 1983, the GMC has the power to request access to a patient’s medical records for the purposes of an investigation into a doctor’s fitness to practise.

 

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

The processing of personal data is permitted under the following conditions:

Article 6(1)(c) - processing for legal obligation;

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

 

The processing of special categories of personal data concerning health is permitted under the following paragraph:

Article 9 (2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 

Related Legislation:

The Medical Act 1983

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

Right to object: You have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

 

 

The Health Service Ombudsman (HSO)

 

The Health Service Ombudsman (HSO) was set up by Parliament to provide an independent complaint handling service for complaints that have not been resolved by the NHS in England and UK government departments.

 

The HSO has the power to request access to a patient’s medical records for the purpose of an investigation.

 

The source of the information shared in this way is your electronic GP record.

 

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

 

The processing of personal data is permitted under the following paragraph:

Article 6(1)(c) - processing for legal obligation;

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

The processing of special categories of personal data concerning health is permitted under the following paragraph:

Article 9 (2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

 

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 

Related Legislation:

The Health Services Commissioners Act 1993, s12

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

Right to object: You have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

 

 

NHS Counter Fraud

 

Under the NHS Act 2006, investigations into fraud in the NHS may require access to confidential patient information.

This means that we are compelled by the law to share your data.

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

 

The processing of personal data is permitted under the following paragraph:

Article 6(1)(c) - processing for legal obligation;

The processing of special categories of personal data concerning health is permitted under the following paragraph:

Article 9 (2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 

Related Legislation:

S10 NHS Act 2006

 

NHS Digital – Statutory Data Collection

NHS Digital is a national information and technology partner to the health and social care system. NHS Digital uses digital technology to transform the NHS and social care.

NHS Digital carries out national data collections/extractions from the GP record. These include:

 

National Diabetes Audit (NDA) - A national monitoring system, auditing the care of patients with diabetes. The data extracted for the purpose of NDA includes NHS Number, date of birth and postcode, as well as clinical parameters related to diabetes. NDA is a mandatory data extraction under section 259 of the Health and Social Care Act 2012; this means that we are compelled by law to share your data.

 

Individual GP Level Data (IGPLD) - A national monitoring system to enable NHS Digital to provide GPs with clinical information on the care provision for their patients. The data extracted includes the NHS number. IGPLD is a mandatory data extraction under section 259 of the Health and Social Care Act 2012; this means that we are compelled by law to share your data.

 

FGM (Female Genital Mutilation) - NHS Digital collects data on FGM within the NHS in England on behalf of the Department of Health (DH). Data collected is used to produce information that helps the NHS and local authorities to improve how they support women and girls who have had, or who are at risk of, FGM.

 

The FGM Enhanced Dataset is a mandatory data extraction under section 259 of the Health and Social Care Act 2012; this means that we are compelled by law to share your data when required.

 

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

 

The processing of personal data is permitted under the following condition:

Article 6(1)(c) - processing for legal obligation;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 

Related Legislation:

S259 of the Health and Social Care Act 2012

 

 

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

 

Right to object: You do not have the right to object as the sharing is a legal and professional requirement under the law.

 

Whilst there is no right to object when we are complying with a legal obligation, NHS Digital respects Type 1 objections (9Nu0 read codes) present in the GP record; where one is present, no data will be extracted and uploaded.

 

 

NHS England

NHS England is responsible for securing, planning, designing and paying for Primary Care & Specialised NHS services not otherwise funded by Ashford CCG. This includes planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services.

We may often share personal information with NHS England potentially for safeguarding concerns that need escalating beyond our borough.

 

Where required the Practice may also have to share staff personal information with NHS England for the purpose of allegations framework or performers list.

 

The sources of the information that may be shared in this instance are the staff record and the patient’s electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

 

 

 

The processing of personal data is permitted under the following conditions:

Article 6(1)(c) - processing for legal obligation;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following paragraph:

Article 9 (2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services.

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

 

Right to object: You do not have the right to object as the sharing is a legal and professional requirement under the law.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

 

National Cancer Diagnosis Audit (NCDA)

The National Cancer Diagnosis Audit (NCDA) looks at primary and secondary care data relating to patients diagnosed with cancer. It helps to understand pathways to cancer diagnosis, what works well and where improvements could be made.

The audit looks specifically at clinical practice in order to understand:

·         interval length from patient presentation to diagnosis;

·         use of investigations prior to referral;

·         what the referral pathways for patients with cancer are and how they compare with those recorded by the cancer registry.

 

 

The processing of personal data is permitted under the following conditions:

Article 6(1)(c) - processing for legal obligation;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following paragraph:

Article 9 (2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services.

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

 

Right to object: You do not have the right to object as the sharing is a legal and professional requirement under the law.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

Public Health

 

Public Health England is an executive agency of the Department of Health and Social Care, and a distinct organisation with operational autonomy.

The main purpose of the organisation is to protect and improve the health and wellbeing of citizens. These include the management of smoking, alcohol and obesity; management of epidemics and infections such as flu, measles, tuberculosis or outbreaks of food poisoning.

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

The processing of personal data is permitted under the following paragraph:

Article 6(1)(c) - processing for legal obligation;

The processing of special categories of personal data concerning health is permitted under the following condition:

GDPR Article 9(2) (i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.

 

In accordance with DPA Schedule 1, Part 1 (3) (a) – the condition is met where the processing is necessary for reasons of public interest in the area of public health, and is carried out by or under the responsibility of a health professional, or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

 

Related Legislations:

The Health Protection (Notification) Regulations 2010 (SI 2010/659);

The Health Protection (Local Authority Powers) Regulations 2010 (SI 2010/657)

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared with the recipient.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

d.      Processing for the Purposes of Commissioning, Planning, Research and Risk Stratification

Kent & Medway CCG

Clinical Commissioning Groups (CCGs) are responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services. This is known as ‘Commissioning’.

 

In order to enable Ashford CCG to carry out its statutory responsibilities effectively, efficiently and safely, we may share personal data about you with the CCG for the following purposes:

·      Individual Funding Requests;

·      Continuing Health Care;

·      Appeals, queries or compliments; safeguarding concerns;

·      Commissioning purposes such as payment for target achievement known as Quality and Outcomes Framework (QOF); and where the Practice is participating in agreed national or local enhanced services.

 

The source of the information shared in this way is your electronic GP record.

 

Data retention period: All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 


 

The processing of personal data is permitted under the following condition:

Article 6(1) (e) - public interest or in the exercise of official authority.

 

The processing of special categories of personal data concerning health is permitted under the following paragraph:

Article 9 (2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared with the recipient.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

Risk Stratification (Population Health Management and Case Finding)

 

 

The Practice performs computerised searches of some or all of our records to identify individuals who may be at increased risk of certain conditions or diagnoses (i.e. diabetes, heart disease, risk of falling). Your records may be amongst those searched. This is often called “risk stratification” or “case finding”. These searches are sometimes carried out by Data Processors who link our records to other records that they access, such as hospital attendance records. The results of these searches and assessments may then be shared with other healthcare workers, such as specialists, therapists, technicians etc. The information is shared to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and/or care.

Risk stratification can be grouped into two purposes namely:

Direct Care – ‘Case Finding’ where carried out by a health professional (e.g. GPs and Provider) involved in an individual’s care or by a data processor acting under contract with such a provider, it is treated as direct care.

Indirect Care - understand the local population needs and plan for future requirement.

The source of the information shared in this way is your electronic GP record.

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

 

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2)(h) - processing is necessary for medical or social care treatment, or the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 

Related Legislation:

Section 251 NHS Act 2006

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  the accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared with the recipient for the purpose of Indirect Care.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

Research Partners

 

The Practice participates in projects and will only agree to do so if there is an agreed clearly defined reason for the research that is likely to benefit healthcare and patients. Such proposals will normally have a consent process, ethics committee approval, and will be in line with the principles of Article 89(1) of GDPR.

 

Research organisations do not usually approach patients directly but will ask us to make contact with suitable patients to seek their consent. Occasionally research can be authorised under law without the need to obtain consent. This is known as the Section 251 arrangement.

 

We may also use your medical records to carry out research within the practice.

We share information with the following medical research organisations with your explicit consent or when the law allows.

The source of the information shared in this way is your electronic GP record.

You have the right to object to the sharing of your personal health data from your GP medical record for research purposes.

 

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data is permitted under the following GDPR and DPA conditions:

Article 9 (2) (i) - for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law

 

In accordance with DPA Schedule 1, Part 1, (4) - The condition for the processing is met where it is necessary for archiving purposes, scientific or historical research purposes or statistical purposes; carried out in accordance with Article 89(1) of the GDPR and DPA Section 19, and the processing is in the public interest.

 

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  the accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared with the recipient.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

Employment Processing

 

The Practice ensures the protection of rights and freedoms in respect of the processing of its employees’ personal data, in particular for the purposes of recruitment, the performance of the contract of employment and its obligations, the management and planning of rights and benefits, equality and diversity in the workplace, and health and safety at work.

The Practice ensures that personal data it collects from employees is used only for employment-related purposes or where there is a statutory obligation to share the personal information with regulatory bodies (e.g. courts, police or NHS England).

Data Retention Period

All records held by the Practice will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

 

 

The processing of special categories of personal data is permitted under the following conditions:

(2)(b): processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject;

In accordance with DPA Schedule 1, Part 1, (1a) - the condition for the processing for employment, social security and social protection is met where the processing is for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection;

 

 

 

Employees have the right to:

·      access, view or request copies of their personal information held by the Practice;

·      request rectification of any inaccuracy in their personal information;

·      restrict the processing of their personal information where:

✓  the accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

Right to object: Employees have a general right to raise an objection to the sharing of their personal data.

 

If an employee wishes to exercise his/her rights they can contact the Practice (data controller) or the DPO and their request will be carefully considered.

 

 

e.      Data Sharing Databases

EMIS Health Systems Local Record Sharing – Integrated Care:

 

EMIS Local Record Sharing enables your GP medical record held on our secure EMIS Web clinical system to be shared with other healthcare Providers (e.g. acute hospitals, mental and community health and other GPs) who are commissioned to provide health care services within your borough.

This local sharing is used to provide direct patient care for services such as continued extended access, home visits, universal offers, musculoskeletal service.

The information is accessed in real time and on-demand, meaning that data from your GP record is neither extracted, nor uploaded, nor sent anywhere.

The source of the information shared in this way is your electronic GP record.

Data Retention Period:

All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

 

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2)(h) - processing is necessary for medical or social care treatment, or the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 

Related Legislation:

Common Law of Duty of Confidentiality

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  the accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared with the recipients.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

 

Medical Interoperability Gateway (MIG) can save hours of clinician time each day by providing healthcare professionals with instant access to real-time information about a patient.

The MIG is a secure middleware technology which enables the two-way exchange of patient information between local healthcare settings. This helps the clinicians to make informed treatment decisions faster and improve the efficiency of care by preventing unnecessary hospital admissions/appointments and duplicated tests.

 

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

 

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2)(h) - processing is necessary for medical or social care treatment, or the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 

Related Legislation:

Common Law of Duty of Confidentiality

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  the accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared with the recipients.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

 

National NHS Digital Services “Spine” including:

Patient Demographics Service

e-Referral Service

Electronic Prescription Service

GP2GP

Summary Care Record

 

The Spine supports the IT infrastructure for health and social care in England, joining together over 23,000 healthcare IT systems in 20,500 organisations.

 

It hosts 5 key services to support the delivery of your care. They enable healthcare professionals, authorised with an NHS smartcard, to view relevant information about you as follows:

 

Patient Demographics Service – The Personal Demographics Service (PDS) is the national electronic database of NHS patient details such as name, address, date of birth and NHS Number (known as demographic information). It helps healthcare professionals to identify patients and match them to their health records. It also allows them to contact and communicate with patients.

 

Summary Care Record (SCR) – is an electronic record of important patient information, created from GP medical records. It can be seen and used by authorised staff in other areas of the health and care system involved in the patient's direct care.

 

When the personal health records on your GP record are uploaded to the Spine, NHS Digital becomes the data controller for the uploaded information.

 

The source of the information shared in this way is your electronic GP record.

 

At a minimum, the SCR holds important information about:

·         current medication

·         allergies and details of any previous bad reactions to medicines

·         the name, address, date of birth and NHS number of the patient

The patient can also choose to include additional information in the SCR, such as details of long-term conditions, significant medical history, or specific communications needs.

 

e-Referral Service - The NHS e-Referral Service (e-RS) combines electronic booking with a choice of place, date and time for first hospital or clinic appointments. Patients can choose their initial hospital or clinic appointment, book it in the GP surgery at the point of referral, or later at home on the phone or online.

 

Electronic Prescription Service - The Electronic Prescription Service (EPS) sends electronic prescriptions from GP surgeries to pharmacies. Eventually EPS will remove the need for most paper prescriptions.

 

GP2GP - GP2GP allows patients' electronic health records to be transferred directly, securely, and quickly between their old and new practices, when they change GPs. This improves patient care by making full and detailed medical records available to practices, for a new patient's first and later consultations.

 

The source of the information shared in all of the instances above is your electronic GP record.

 

Data Retention Period:

All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

 

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2)(h) - processing is necessary for medical or social care treatment, or the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  the accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

Right to object or opt-out: You have the right to raise an objection or opt out of having an SCR by returning a completed opt-out form to your GP practice, although we will first need to explain how this may affect the care you receive.

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

NHS Digital – National Data Opt-Out

The national data opt-out applies to the disclosure of confidential patient information for purposes beyond individual care (research and planning) across the health and adult social care system in England. In broad terms the national data opt-out applies unless there is a mandatory legal requirement or an overriding public interest for the data to be shared. The opt-out does not apply when the individual has consented to the sharing of their data or where the data is anonymised.

 

Any person registered on the Personal Demographics Service (PDS) and who consequently has an NHS number allocated to them is able to set a national data opt-out. The opt-out is stored in a central repository against their NHS number on the Spine.

 

The national opt-out applies to a number of datasets including:

National Clinical Audit of Rheumatoid and Early Inflammatory - NHS Digital collects this data on behalf of the British Society for Rheumatology to improve the quality of care for patients with Rheumatoid and early.

 

National Adult Community Acquired Pneumonia (CAP) Audit - NHS Digital collects this data on behalf of the British Thoracic Society to assess variation in the care of patients hospitalised with pneumonia in the UK.

 

Trauma Audit & Research Network (TARN) - NHS Digital collects this Confidential Patient Information (CPI) on behalf of TARN.

 

Invoice Backing Data for Contracted Activity - NHS Digital collects this data to enable Commissioners to determine if they are the responsible commissioner. It is important to point out that the national opt-out applies to contracted activity data that has not been rendered anonymous.

 

Risk Stratification data for Indirect Care - NHS Digital collects this data for data processors working on behalf of GPs and CCGs. The GP data is linked to other records that they access, such as hospital attendance records, in order to enable the CCGs (commissioners) to understand the local population's needs and plan for future requirements.

The source of the information shared in all of the instances above is your electronic GP record.

 

Data Retention Period:

All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2)(h) - processing is necessary for medical or social care treatment, or the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (2) - health or social care purposes means the purposes of preventive or occupational medicine; medical diagnosis; the provision of health care or treatment; the provision of social care, or the management of health care systems or services or social care systems or services.

 

Related Legislation:

Section 251 NHS Act 2006

 

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  the accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

Right to object or opt-out: You have the right to raise an objection or opt out of having your data shared for the purposes of indirect care (research and planning). You can do so via the national opt-out website.

 

 

Open Exeter

Open Exeter is a web-enabled viewer which provides the facility for healthcare professionals to share/access patient data held on the National Health Application and Infrastructure Services (NHAIS) systems, including cervical screening, breast screening, organ donor, blood donor and home oxygen.

Access to Open Exeter is only possible on the N3 network, and via authorised logons/passwords provided by NHS Digital.

 

The source of the information shared in this way is your electronic GP record.

Data Retention Period:

All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2)(h) - processing is necessary for medical or social care treatment, or the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (1a) - the condition for the processing for employment, social security and social protection is met where the processing is for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection;

 

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  the accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared in Open Exeter.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

f.        Data Processors

EMIS Health and Egton

 

 

EMIS Health and Egton are responsible for the provision of a clinical system, software and IT services used by the Practice to securely store and process your medical record.

All information about your personal health records is stored in your GP electronic record. This information is then available to practice staff & external bodies as outlined in this document.

 

Data Retention Periods:

All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

“GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the European Union.

 

Electronic patient records must not be destroyed or deleted for the foreseeable future.”

 

 

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2)(h) - processing is necessary for medical or social care treatment, or the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (1a) - the condition for the processing for employment, social security and social protection is met where the processing is for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection;

 

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  the accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

Nelcsu

Nelcsu is responsible for the provision of IT clinical systems that enable safe, digitised patient care across the healthcare facilities.

The Electronic Health Record (EHR) links systems and brings together patient data across the health and care system irrespective of traditional organisational or technological boundaries. This means health and care professionals in Medway can access subsets of their patients/service users’ medical or social records from a single system in order to provide the best possible care.

 

The source of the information shared in this way is your electronic GP record for the purposes of direct patient care and population health management.

Data Retention Periods:

All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

“GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the European Union.

 

Electronic patient records must not be destroyed or deleted for the foreseeable future.”

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2)(h) - processing is necessary for medical or social care treatment, or the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (1a) - the condition for the processing for employment, social security and social protection is met where the processing is for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection;

 

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  the accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

Docman and Docmail

 

 

Docman Limited acts as a data processor and provides cloud-based storage software for electronic patient documents. This includes letters that we receive, scan and upload to the patient record, as well as letters that we receive in an electronic format.

Generally, Docman enables primary health care organisations to capture, file, workflow, view and manage primary care documents efficiently.

Docmail enables primary health care organisations to send letters, invoices and documents directly from computers and other portable devices.

The source of the information shared in this way is your electronic GP record for the purposes of direct administrative patient care.

Data Retention Period:

All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

“GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the European Union.

 

Electronic patient records must not be destroyed or deleted for the foreseeable future.”

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2)(h) - processing is necessary for medical or social care treatment, or the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (1a) - the condition for the processing for employment, social security and social protection is met where the processing is for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection;

 

 

You have the right to:

·      access, view or request copies of your personal information;

·      request rectification of any inaccuracy in your personal information;

·      restrict the processing of your personal information where:

✓  the accuracy of the data is contested,

✓  the processing is unlawful, or

✓  we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

MJOG

MJOG is a cloud-based text messaging service used by GPs to communicate with their patients.

The source of the information shared in this way is your electronic GP record for the purposes of direct administrative patient care.

Data Retention Period:

All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

“GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the European Union.

 

Electronic patient records must not be destroyed or deleted for the foreseeable future.”

 

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (1a) - the processing for employment, social security and social protection is met where it is for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection;

 

 

You have the right to:

  • access, view or request copies of your personal information;
  • request rectification of any inaccuracy in your personal information;
  • restrict the processing of your personal information where:
      ✓ the accuracy of the data is contested,
      ✓ the processing is unlawful, or
      ✓ we no longer need the data for the purposes of the processing.

 

Right to object: In line with the GDPR Article 21, you have a general right to raise an objection to the processing of your personal data in some particular circumstances. This right only applies where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

Quality Medical Solutions UK (QMS-UK):

QMS-UK are commissioned by NHS England to provide secure data processing solutions for two services:

Child Health Information Service – information relating to children’s vaccinations is shared with the Immunisation Team who run one of 4 Child Health Information Services across Kent

National Diabetic Retinal Screening Service – Diabetic eye screening is carried out in Ashford by Health Intelligence

 

Data Retention Period:

All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

“GP records should be retained until 10 years after the patient's death or after the patient has permanently left the country, unless they remain in the European Union.”

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (1a) - the processing for employment, social security and social protection is met where it is for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection;

 

 

You have the right to:

  • access, view or request copies of your personal information;
  • request rectification of any inaccuracy in your personal information;
  • restrict the processing of your personal information where:
      ✓ the accuracy of the data is contested,
      ✓ the processing is unlawful, or
      ✓ we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared in QMS.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

Ardens / QOF masters

 

Emis

The Practice performs computerised searches of some or all of our records to identify individuals who may be at increased risk of certain conditions or diagnoses (i.e. diabetes, heart disease, risk of falling). Your records may be amongst those searched. This is often called “risk stratification” or “case finding”. These searches are sometimes carried out by Data Processors who link our records to other records that they access, such as hospital attendance records. The results of these searches and assessments may then be shared with other healthcare workers, such as specialists, therapists, technicians etc. The information is shared to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and/or care.

Risk stratification can be grouped into two purposes namely:

Direct Care – ‘Case Finding’ where carried out by a health professional (e.g. GPs and Provider) involved in an individual’s care or by a data processor acting under contract with such a provider, it is treated as direct care.

Indirect Care - understand the local population needs and plan for future requirement.

The source of the information shared in this way is your electronic GP record.

Data Retention Period:

All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

 

 

 

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

In accordance with DPA Schedule 1, Part 1, (1a) - the processing for employment, social security and social protection is met where it is for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection;

 

Related Legislation:

Section 251 NHS Act 2006

 

You have the right to:

  • access, view or request copies of your personal information;
  • request rectification of any inaccuracy in your personal information;
  • restrict the processing of your personal information where:
      ✓ the accuracy of the data is contested,
      ✓ the processing is unlawful, or
      ✓ we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared for the purpose of risk stratification.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

No research taking place at this time

To enable healthcare professionals working for the Practice to provide information, derived from GP records, about individuals to accredited research organisations.

This covers research situations where the data controller (Practice) is approached by research organisations, directly, to recruit patients for studies.

Any research proposal will only be agreed with a clearly defined protocol, consent mechanisms, and relevant research ethics committee approval, and in line with the principles of Article 89(1) of the EU GDPR.

Research organisations do not approach patients directly; rather, the Practice will invite appropriate patients directly, asking whether they wish to take part.

This Privacy Notice does not cover situations where the Practice has been approached by an organisation seeking personal data concerning health to be disclosed in the absence of consent, i.e. via Related Legislation: Section 251 NHS Act 2006/Health Research Authority (HRA) approval.

The source of the information shared in this way is your electronic GP record.

 

Data Retention Period:

All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

 

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

GDPR Article 9 (2)(h) - processing is necessary for medical or social care treatment or, the management of health or social care systems and services;

DPA Section 10 (1) (c) – processing is necessary for health and social care purposes;

 

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

Article 9 (2) (i) - for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law

 

In accordance with DPA Schedule 1, Part 1, (4) - The condition for the processing is met where it is necessary for archiving purposes, scientific or historical research purposes or statistical purposes; carried out in accordance with Article 89(1) of the GDPR and DPA Section 19, and the processing is in the public interest.

 

Related Legislation:

Section 251 NHS Act 2006

 

You have the right to:

  • access, view or request copies of your personal information;
  • request rectification of any inaccuracy in your personal information;
  • restrict the processing of your personal information where:
      ✓ the accuracy of the data is contested,
      ✓ the processing is unlawful, or
      ✓ we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared for the purpose of risk stratification.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

 

The source of the information shared in this way is your electronic GP record.

 

Data Retention Period:

All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

Article 9 (2) (i) - for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law

 

In accordance with DPA Schedule 1, Part 1, (4) - The condition for the processing is met where it is necessary for archiving purposes, scientific or historical research purposes or statistical purposes; carried out in accordance with Article 89(1) of the GDPR and DPA Section 19, and the processing is in the public interest.

 

You have the right to:

  • access, view or request copies of your personal information;
  • request rectification of any inaccuracy in your personal information;
  • restrict the processing of your personal information where:
      ✓ the accuracy of the data is contested,
      ✓ the processing is unlawful, or
      ✓ we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared for the purpose of risk stratification.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

 

Sydenham House Medical Group use an accounting service offer a wide range of business assurance services

Data Retention Period:

All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

 

 

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

 

 

You have the right to:

  • access, view or request copies of your personal information;
  • request rectification of any inaccuracy in your personal information;
  • restrict the processing of your personal information where:
      ✓ the accuracy of the data is contested,
      ✓ the processing is unlawful, or
      ✓ we no longer need the data for the purposes of the processing.

 

Right to object: You have a general right to raise an objection to your personal data being shared for the purpose of risk stratification.

 

If you wish to exercise any of your rights please contact the Practice (data controller) or the DPO and your request will be carefully considered.

 

 

 

The Practice ensures that personal data it collects from employees is used only for employment-related purposes or where there is a statutory obligation to share the personal information with regulatory bodies (e.g. courts, police or NHS England).

 

Data Retention Period:

All records held in the Practice EMIS system are kept for the duration specified in the Records Management Codes of Practice for Health and Social Care.

 

 

 

 

The processing of personal data is permitted under the following GDPR and DPA conditions:

GDPR Article 6(1) (e) - public interest or in the exercise of official authority;

DPA Section 8 (d) - processing is necessary for the exercise of statutory functions;

 

The processing of special categories of personal data concerning health is permitted under the following GDPR and DPA conditions:

Article 9(2) (b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law;

In accordance with DPA Schedule 1, Part 1, (1a) - the processing for employment, social security and social protection is met where it is for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection;

 

 

 

Employees have the right to:

  • access, view or request copies of their personal information held by the Practice;
  • request rectification of any inaccuracy in their personal information;
  • restrict the processing of their personal information where:
      ✓ the accuracy of the data is contested,
      ✓ the processing is unlawful, or
      ✓ we no longer need the data for the purposes of the processing.

 

Right to object: Employees have a general right to raise an objection to the sharing of personal data.

 

If an employee wishes to exercise his/her rights they can contact the Practice (data controller) or the DPO and their request will be carefully considered.

 

 

Right to complain: If you are dissatisfied with the way the Practice processes your data, you have the right to appeal/complain to the Information Commissioner (IC). The IC can be contacted at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

Tel: 0303 123 1113 or 01625 545 745

Email: https://ico.org.uk/global/contact-us/

  1. What is EMIS System Local Record Sharing?

Your GP medical record is held on our secure clinical system called EMIS Web. This clinical system allows for local record sharing with other healthcare providers who are commissioned in your area to provide care (e.g. acute hospitals, mental and community health). Through this record sharing, clinicians are able to see clinical information entered by other organisations who are party to the EMIS Web local record sharing agreement.

This local sharing is used to provide direct patient care for services such as continued extended access, home visits, universal offers, musculoskeletal service, GP at front door and other neighbourhood services across Medway in line with the local Care delivery strategy and the NHS STP.

It also enables specific GPs to identify their patients with highly complex, multiple morbidity and/or frailty, who might benefit from targeted multi-disciplinary team support as part of case management and care planning (the "Case Finding Purpose").

How will my information be made available?

The information is accessed in real time and on-demand, meaning that data from your GP record is neither extracted, nor uploaded, nor sent anywhere. The data remains within your GP EMIS database and users are allowed read-view access only. If you have any concerns regarding EMIS local record sharing you can opt out by speaking to your GP Surgery.

  1. What do we use anonymised data for?

We use anonymised data to plan health care services. Specifically we use it to:

  • Check the quality and efficiency of the health services we provide;
  • Prepare performance reports on the services we provide and,
  • Review the healthcare we provide to ensure it is of the highest standard.

  1. Details of data linkage with other datasets

Data may be de-identified and linked so that it can be used to improve health care and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (inpatient, outpatient and A&E). In some cases there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc, as well as mental health and community-based services such as Improving Access to Psychological Therapies (IAPT), community nursing, podiatry etc. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity.

The organisation responsible for processing de-identified and linked data under this category, on behalf of the Practice, is Medway CCG. We ensure that the data processor is legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

  1. What safeguards are in place to ensure data that identifies me is secure?

We only use information that may identify you in accordance with the GDPR 2016 and DPA 2018. This legislation requires us to process your data only if there is a lawful basis for doing so, and any processing must be fair, lawful and transparent.

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, and protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).

Our appropriate technical and security measures include:

  • The ability to ensure ongoing confidentiality, integrity, availability and resilience of our systems;
  • The ability to quickly restore availability and access to personal information in the event of a physical or technical incident; and
  • A process for regularly testing, assessing and evaluating the effectiveness of security measures, and ensuring they comply with the concept of privacy by design and default.

The NHS Digital Code of Practice on Confidential Information applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All Practice staff are trained to ensure information is kept confidential.

We are registered with the Information Commissioner’s Office (ICO) as a data controller and collect data for a variety of purposes.

  1. What are your rights?

Where information from which you can be identified is held, you have the:

  • Right of access to view or request copies of the records
  • Right to rectification of inaccurate personal data or special categories of personal data
  • Right to restriction of the processing of your data where accuracy of the data is contested, processing is unlawful or where we no longer need the data for the purposes of the processing
  • Right to object to any automated individual decision-making
  • Right to data portability by requesting the data which you provided to us (not data generated by us) in a structured, commonly used machine readable format. Your right to portability applies only where:
      • Data is processed by automated means, and
      • You provided consent to the processing or,
      • The processing is necessary for the fulfilment of a contract

These rights will only apply where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.

Your right to erasure (right to be forgotten) will only apply where you had given ‘consent’ to process your personal health data and later withdrew the consent, and does not apply to the extent where the processing of your personal health data is necessary for:

  • archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
  • the establishment, exercise or defense of legal claims.

You can exercise your rights at any time by contacting the Practice (data controller) or the Data Protection Officer (DPO) at the address below, although we will first need to explain how this may affect the care you receive and any overriding legitimate grounds for the processing that may apply.

  1. Gaining access to the data we hold about you

You have the right to see or have a copy of personal data we hold that can identify you. You do not need to give a reason to see your data. However, some information may be withheld under some exceptional circumstances.

If you want to access your personal information you must do so in writing by completing our Subject Access Request (SAR) form.

  1. What is the right to know?

The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector.

What sort of information can I request?

In theory, you can request any information that the Practice holds that does not fall under an exemption under the FOI Act. You may not ask for information that is covered by the Data Protection Act or EU General Data Protection Regulation (GDPR) under FOIA. However, you can request this under a Subject Access Request – see section above ‘Gaining access to the data we hold about you’.

 

  1. Glossary of Terms

Common Law of Duty of Confidentiality - is not written out in one document like the GDPR or an Act of Parliament. Common Law is also referred to as ‘judge-made’ or case law. In practice, this means that all patient/client information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient/client. However, where the disclosure/sharing of the patient/client information is for the purpose of Direct Care, consent to such disclosure/sharing may be implied where it is informed, given there is a legitimate relationship between the patient/client and the health professional.

Personal Data - means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special Categories of Personal Data – data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.