Privacy policy

Data Protection Privacy Notice for Patients

Introduction

For the purpose of applicable data protection legislation including the General Data Protection Regulation (EU 2016/679) and the Data Protection Act 2018, the GP practice responsible for your personal data is The Crescent Medical Centre.

We, The Crescent Medical Centre, will be known as the ‘Controller’ of the personal data you provide to us.

Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.

This Privacy Notice applies to personal information processed by or on behalf of the Practice. It applies to the personal data of our patients and to the data you have given us about your carers/family members. It covers the following topics:

  •  Why do we need your data?
  •  What data do we collect about you?
  •  What is the legal basis for using your data?
  •  How do we store your data?
  •  How do we maintain the confidentiality of your data?
  •  How long do we keep your data?
  •  What are your data protection rights?
  •  Who do we share your data with?
  •  Are there other projects where your data may be shared?
  •  When is your consent not required?
  •  How can you access or change your data?
  •  What should you do if your personal information changes?
  •  Changes to our privacy policy
  •  Our Data Protection Officer
  •  How to contact the appropriate authorities

 Why do we need your data?

As your General Practice, we need to know your personal, sensitive and confidential data in order to provide you with appropriate healthcare services. Your records are used to facilitate the care you receive, and to ensure you receive the best possible healthcare.

Information may be used within the GP practice for clinical audit, to monitor the quality of the service provided.

What data do we collect about you?

Personal data: We collect basic personal data about you which does not include any special types of information or location-based information.  This includes your name, postal address and contact details such as email address and telephone number.

By providing the Practice with your contact details, you are agreeing to the Practice using those channels to communicate with you about your healthcare, i.e. by letter (postal address), by voice-mail or voice-message (telephone or mobile number), by text message (mobile number) or by email (email address). If you are unhappy or have a concern about our using any of the above channels, please let us know.

Special Category personal data: We also collect confidential data linked to your healthcare which is known as “special category personal data”, in the form of health information, religious belief (if required in a healthcare context), ethnicity and gender. This is obtained during the services we provide to you and through other health providers or third parties who have provided you with treatment or care, e.g. NHS Trusts, other GP surgeries, Walk-in clinics etc.

Records which the Practice holds about you may include the following information:

  • Details about you, such as your address, carer, legal representative, emergency contact details
  • Any contact the Practice has had with you, such as appointments, clinic visits, emergency appointments etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations such as laboratory tests, x-rays etc
  • Relevant information from other health professionals, relatives or those who care for you
  • NHS records may be electronic, on paper, or a mixture of both.


What is the legal basis for using your data?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 2018
  • The General Data Protection Regulations 2016
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality, Information Security and Records Management

 Under the General Data Protection Regulation we will lawfully be using your information in accordance with:

Article 6 (e) - "processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller"

Article 9 (h) - "processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems"

For the processing of special categories data, the basis is:

Article 9 (2) (b) – "processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law"

These articles apply to the processing of information and the sharing of it with others for specific purposes.

How do we store your data?

We have a Data Protection regime in place to oversee the effective and secure processing of your personal and special category (sensitive, confidential) data. No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place.

The Practice uses the system EMIS Web to manage clinical information for your care and health. This system is provided by a company called EMIS Health Ltd which acts as a data processor on behalf of the Practice. They also use a sub-processor, Amazon Web Services, which acts under written instructions from EMIS Health Ltd. Under no circumstances are any of these organisations allowed or able to access your information.

All the personal data we use is processed by our staff in the UK. However, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

In certain circumstances you may have the right to withdraw your consent to the processing of data. These circumstances will be explained in subsequent sections of this document.

In some circumstances we may need to store your data after your consent has been withdrawn, in order to comply with a legislative requirement.

How do we maintain the confidentiality of your data?

Our Practice policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the General Data Protection Regulations (GDPR) and all UK specific Data Protection requirements. Our policy is to ensure all personal data related to our patients will be protected.

We use a combination of working practices and technology to ensure that your information is kept confidential and secure.

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.

All employees and sub-contractors engaged by our Practice are asked to sign a confidentiality agreement. The Practice will, if required, sign a separate confidentiality agreement if the client deems it necessary. If a sub-contractor acts as a data processor for The Crescent Medical Centre, an appropriate contract will be established for the processing of your information.

Some of this information will be held centrally and used for statistical purposes. Where this happens, we take strict measures to ensure that individual patients cannot be identified.

Sometimes your information may be requested to be used for research purposes. The Practice will always gain your consent before releasing the information for this purpose in an identifiable format. In some circumstances you can opt out of the Practice sharing any of your information for research purposes.

How long do we keep your data?

We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records Management Code of Practice for Health and Social Care and in accordance with National Archives requirements.

More information on records retention can be found online at: https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016

What are your data protection rights?

If we already hold your personal data, you have certain rights in relation to it.

Right to object: If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply.

Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities (for example a research project), or consent to market to you, you may withdraw your consent at any time.

Right to erasure: In certain situations (for example, where we have processed your data unlawfully), you have the right to request us to erase your personal data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases) and will only disagree with you if certain limited conditions apply.

Right of data portability: If you wish, you have the right to transfer your data from us to another data controller. We will help with this with a GP to GP data transfer and transfer of your hard copy notes.

Data Provision Notice sharing information with NHS Digital

The Practice is required to comply with the Health and Social Care Act 2012. NHS Digital have the power under the Health and Social Care Act 2012 Section 259 (1) to issue a Data Provision Notice. This mandates us to share information about you unless you tell us not to.

 To opt out please complete the opt out form before 30th June 2021 and return it to the Practice.

Opt out form:
https://nhs-prod.global.ssl.fastly.net/binaries/content/assets/website-assets/data-and-information/data-collections/general-practice-data-for-planning-and-research/type-1-opt-out-form.docx

 You can see a list of the Data Provision Notices here: https://digital.nhs.uk/about-nhs-digital/corporate-information-and-documents/directions-and-data-provision-notices/data-provision-notices-dpns 

 National Data Opt-Out: The National Data Opt-Out is a service introduced on 25 May 2018 that allows people to opt out of their confidential patient information being used for research and planning purposes. The National Data Opt-Out replaces the previous Type 2 Opt-Out, which required NHS Digital not to share a patient’s confidential patient information for purposes beyond their individual care. Any patient who had a Type 2 Opt-Out has had it automatically converted to a National Data Opt-Out from 25 May 2018 and has received a letter giving them more information and a leaflet explaining the new service. If a patient wants to change their choice, they can use the new service to do this. You can find out more from the Practice or by visiting:

https://www.nhs.uk/your-nhs-data-matters/

 If you wish to raise a query or request relating to any of the above, please contact us. We will seek to deal with it without undue delay, and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise.

Who do we share your data with?

 We consider patient consent as being the key factor in dealing with your health information.

To provide around-the-clock safe care, we will make information available to trusted organisations for specific purposes unless you have asked us not to.

To support your care and improve the sharing of relevant information with our partner organisations when they are involved in looking after you, we will share information with other systems. The general principle is that information is passed to these systems unless you request that this does not happen, but that system users should ask for your consent before viewing your record.

Our partner organisations are:

  • NHS Trusts / Foundation Trusts
  • GPs
  • NHS Commissioning Support Units
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • NHS England (NHSE) and NHS Digital (NHSD)
  • Multi Agency Safeguarding Hub (MASH)
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police and Judicial Services
  • Other ‘data processors’ which you will be informed of

 You will be informed who your data will be shared with, and in cases where your consent is required you will be asked for it.

Below are some examples of when we would wish to share your information with trusted partners.

Primary Care Networks: We are a member of Blue PCN Primary Care Network. This means we work closely with a number of local practices and care organisations for the purpose of direct patient care. They will only be allowed to access your information if it is to support your healthcare needs. If you have any concerns about how your information may be accessed within our primary care network, we would encourage you to speak or write to us.

Enhanced Access: We provide enhanced access appointments to our patients which means you can access medical services outside of our normal working hours. In order to provide you with this service, we have formal arrangements in place with the BLUE Enhanced Access who will need to access your medical record to be able to offer you the service. We have robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those purposes only.

Medicines Management: The Practice may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up-to-date and cost-effective treatments. Our local NHS Clinical Commissioning Group employs specialist pharmacists and they may at times need to access your records to support and assist us with prescribing. The reason for this is to help us manage your care and treatment.

Individual Funding Requests: An Individual Funding Request is a request made on your behalf, with your consent, by a clinician, for the funding of specialised healthcare which falls outside the range of services and treatments that the ICB has agreed to commission for the local population. An Individual Funding Request is considered when a case can be set out by a patient’s clinician that there are exceptional clinical circumstances which make the patient’s case different from other patients with the same condition who are at the same stage of their disease, or when the request is for a treatment that is regarded as new or experimental and where there are no other similar patients who would benefit from this treatment. A detailed response, including the criteria considered in arriving at the decision, will be provided to the patient’s clinician.

Are there other projects where your data may be shared?

GP Data Sharing Project with NHS East Midlands Ambulance Service: The Practice is working with the local ambulance service trust, NHS East Midlands Ambulance Service, to share your healthcare information for the purposes of your care and treatment. They can only access your information if it is for care purposes. If you have any concerns, please speak to the Practice.

GENVASC: NHS Arden and Greater East Midlands CSU (AGEM CSU) support the Practice in providing information to the GENVASC Research Study. AGEM CSU will securely extract data from the Practice system. They will then provide the GENVASC Study with the agreed information relating to patients who have signed a GENVASC Research Study consent form. Please note that AGEM CSU operate under the instructions of the Practice at all times and have processes and safeguards in place to ensure the confidentiality and security of all information at all times. If further information is required please contact the GENVASC study team at NIHR Leicester Biomedical Research Centre Cardiovascular theme on 0116 2583385 or visit www.genvasc.uk

 

Severe Mental Illness: We are working closely with St Andrew’s Healthcare to provide outreach services for patients with severe mental health illnesses who require annual physical health checks. Relevant clinical information will be shared for direct patient care.

 

 Summary Care Records

All patients registered with a GP have a Summary Care Record, unless they have chosen not to have one. The information held in your Summary Care Record gives registered and regulated healthcare professionals, away from your usual GP practice, access to information to provide you with safer care, reduce the risk of prescribing errors and improve your patient experience.

Your Summary Care Record contains basic (Core) information about allergies and medications and any reactions that you have had to medication in the past.

Some patients, including many with long term health conditions, have previously agreed to have Additional Information shared as part of their Summary Care Record. This Additional Information includes information about significant medical history (past and present), reasons for medications, care plan information and immunisations.

Change to information held in your Summary Care Record

In light of the current emergency, the Department of Health and Social Care has removed the requirement for a patient’s prior explicit consent to share Additional Information as part of the Summary Care Record.

This is because the Secretary of State for Health and Social Care has issued a legal notice to healthcare bodies requiring them to share confidential patient information with other healthcare bodies where this is required to diagnose, control and prevent the spread of the virus and manage the pandemic. This includes sharing Additional Information through Summary Care Records, unless a patient objects to this.

If you have already expressed a preference to only have Core information shared in your Summary Care Record, or to opt-out completely of having a Summary Care Record, these preferences will continue to be respected and this change will not apply to you. For everyone else, the Summary Care Record will be updated to include the Additional Information. This change of requirement will be reviewed after the current coronavirus (COVID-19) pandemic.

Why we have made this change

In order to look after your health and care needs, health and social care bodies may share your confidential patient information contained in your Summary Care Record with clinical and non-clinical staff in other health and care organisations, for example hospitals, NHS 111 and out of hours organisations. These changes will improve the healthcare that you receive away from your usual GP practice.

Your rights in relation to your Summary Care Record

Regardless of your past decisions about your Summary Care Record preferences, you will still have the same options that you currently have in place to opt out of having a Summary Care Record, including the opportunity to opt back in to having a Summary Care Record or opt back in to allow sharing of Additional Information.

You can exercise these rights by doing the following:

  1. Choose to have a Summary Care Record with all information shared. This means that any authorised, registered and regulated health and care professionals will be able to see a detailed Summary Care Record, including Core and Additional Information, if they need to provide you with direct care.
  2. Choose to have a Summary Care Record with Core information only. This means that any authorised, registered and regulated health and care professionals will be able to see limited information about allergies and medications in your Summary Care Record if they need to provide you with direct care.
  3. Choose to opt-out of having a Summary Care Record altogether. This means that you do not want any information shared with other authorised, registered and regulated health and care professionals involved in your direct care. You will not be able to change this preference at the time if you require direct care away from your GP practice. This means that no authorised, registered and regulated health and care professionals will be able to see information held in your GP records if they need to provide you with direct care, including in an emergency.

To make these changes, you should inform your GP practice or complete this form and return it to your GP practice.

The NHS App

We use the NHS Account Messaging Service provided by NHS England to send you messages relating to your health and care. You need to be an NHS App user to receive these messages. Further information about the service can be found at the privacy notice for the NHS App managed by NHS England.

Computer System

This practice operates a Clinical Computer System, "EMIS", on which NHS Staff record information securely. This information can then be shared with other clinicians so that everyone caring for you is fully informed about your medical history, including allergies and medication.

To provide around-the-clock safe care, unless you have asked us not to, we will make information available to our Partner Organisations (above). Wherever possible, their staff will ask your consent before your information is viewed.

GP Connect Service

The GP Connect service allows authorised clinical staff at NHS 111 to seamlessly access our practice’s clinical system and book directly on behalf of a patient. This means that should you call NHS 111 and the Clinician believes you need an appointment with your GP Practice, the Clinician will access available appointment slots only (through GP Connect) and book you in. This will save you time as you will not need to contact the practice direct for an appointment.

The practice will not be sharing any of your data and the practice will only allow NHS 111 to see available appointment slots. They will not even have access to your record. However, NHS 111 will share any relevant data with us, but you will be made aware of this. This will help your GP in knowing what treatment / service / help you may require.

Please note if you no longer require the appointment or need to change the date and time for any reason you will need to speak to one of our reception staff and not NHS 111.

Local Research: We regularly work with local health and academic organisations to conduct research studies with the aim of improving care for the general population. We will always ask for your permission to take part, except in situations where we can demonstrate that your information has been anonymised (where you cannot be identified) and your privacy is protected. In these situations we are not required to seek consent from individuals.

Call Recording: The Practice records all telephone calls. This is done so that we have a record of the conversations we have with you, and so that staff and healthcare workers are protected from potential abuse. If you would like a copy of a call recording for which you are the data subject, you are entitled to ask for one.

COVID-19: The health and social care system is facing pressure due to the COVID-19 outbreak. Health and care information is essential to deliver care to individuals and to support local health and social care services. In the current emergency it has become more important to share health and care information across relevant organisations, including with LLR Patient Care Locally to manage the triage hub Forest House Surgery and DHU Healthcare CIC to deliver the IV service.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law, the Secretary of State has required NHS Digital; NHS England and Improvement; Arm’s Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the COVID-19 outbreak. Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on gov.uk and some FAQs on this law are also available on the NHSX website.

During this period of emergency, opt-outs will not generally apply to the data used to support the COVID-19 outbreak, due to the public interest in sharing information.

Population Health Management

Population Health Management (or PHM for short) is aimed at improving the health of an entire population.  The PHM approach requires health care organisations to work together with communities and partner agencies, for example, GP practices, community service providers, hospitals and other health and social care providers.   These organisations will share and combine information with each other in order to get a view of health and services for the population in a particular area. This information sharing is subject to robust security arrangements.

As part of this programme, personal data about your health care will have all identifiers removed (like your name or NHS Number) and replaced with a code which will be linked to information about care received in different health care settings.  If we see that an individual might benefit from some additional care or support, we will send the information back to your GP or hospital provider and they will use the code to identify you and offer you relevant services. 

As part of this programme your GP and other care providers will send the information they hold on their systems to the North of England Commissioning Support Unit (NECS). NECS are part of NHS England. More information can be found here: https://www.necsu.nhs.uk

NECS will link all the information together. Your GP and other care providers will then review this information and make decisions about the whole population or particular patients that might need additional support.  NECS work in partnership with a company called Optum to help them with this work.  Both NECS and Optum are legally obliged to protect your information and maintain confidentiality in the same way that your GP or hospital provider is. More information about Optum can be found here www.optum.co.uk.

Health and Social Care Providers are permitted by data protection law to use personal information where it is ‘necessary for medical purposes’. This includes caring for you directly as well as management of health services more generally.

The PHM project is time-limited to 22 weeks. Once the project has completed, all de-identified information processed by NECS / Optum will be securely destroyed. This will not affect any personal information held by your GP or other health or social care providers.

Risk Stratification: Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a condition, to prevent an unplanned admission or re-admission and to identify a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP practice. A risk score arrived at through an analysis of your de-identified information is provided back to your GP practice as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services. Please note that you have the right to opt out of your data being used in this way.

Other research projects: With your consent we would also like to use your name, contact details and email address to inform you of services that may benefit you. There may be occasions when authorised research facilities would like to invite you to participate in research, innovations, identifying trends or improving services. At any stage where we would like to use your data for anything other than the specified purposes and where there is no lawful requirement for us to share or process your data, we will ensure that you have the ability to consent or to opt out prior to any data processing taking place. This information is not shared with third parties or used for any marketing and you can unsubscribe at any time via phone, email or by informing the Practice.

Online Access

You may ask us if you wish to have online access to your medical record. However, there will be certain protocols that we have to follow to give you online access, including written consent and the production of documents that prove your identity.

Please note that when we give you online access, the responsibility is yours to make sure that you keep your information safe and secure if you do not wish any third party to gain access.

When is your consent not required?

We will only ever use or pass on information about you to others involved in your care if they have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances.

There are certain circumstances where we are required by law to disclose information, for example:

  • where there is a serious risk of harm or abuse to you or other people
  • where a serious crime, such as assault, is being investigated or where it could be prevented
  • notification of new births
  • where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS)
  • where a formal court order has been issued
  • where there is a legal requirement, for example if you had committed a Road Traffic Offence

We are also required to act in accordance with Principle 7 of the Caldicott Review (Revised version 2013) which states: “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott Principles.

How can you access or change your data?

You have a right under the Data Protection legislation to request access to view or to obtain copies of the information the Practice holds about you and to have it amended should it be inaccurate.

Your request should be made to the Practice and we have a form (SAR - Subject Access Request) which you will need to complete. We are required to respond to you within one calendar month.

For information from the hospital you should write direct to them. You will need to give adequate information (full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located.

There is no charge to receive a copy of the information held about you. 

What should you do if your personal information changes?

Please contact the surgery as soon as any of your details change. This is especially important for changes of address or contact details (such as your mobile phone number).

 The Practice will from time to time ask you to confirm that the information we currently hold is accurate and up-to-date.

 Changes to our privacy policy

 It is important to point out that we may amend this Privacy Notice from time to time.

 Our Data Protection Officer

The Practice has appointed the following as our Data Protection Officer:

Head of Information Governance MLCSU
Heron House, 120 Grove Road, Fenton, Stoke-on-Trent, ST4 4LX

Tel: 01782 916875
Email: mlcsu.dpo@nhs.net

If you have any concerns about how your data is shared, or if you would like to know more about your rights in respect of the personal data we hold about you, then please contact the Practice Data Protection Officer.

How to contact the appropriate authorities

If you have any concerns about how your information is managed at your GP Practice, please contact the GP Practice Manager or the Data Protection Officer in the first instance.

If you are still unhappy following a review by the GP Practice, you have a right to lodge a complaint with the UK supervisory authority, the Information Commissioner's Office (ICO), at the following address:

Information Commissioner

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Tel: 01625 545745

Website: https://ico.org.uk/

Last reviewed: 19.06.24