Information about you and how we use it
When you come to the surgery, information about you, your medical treatment and family background may be recorded, on paper and computer, to help us care for you. The information is part of your health record and will be kept in case we need to see you again. We hold demographic data (name, address, telephone numbers, date of birth, ethnic origin, family relationships, next of kin) and clinical data (e.g. diagnoses, family history, allergies and sensitivities, medication, consultation records, investigations, test results, referrals and letters to and from other NHS organisations about your care).
Members of the clinical teams looking after you may share your personal health information with each other. This team may include healthcare professionals and support staff. All NHS staff are bound by law and a strict code of confidentiality, and are monitored by the Surgery's Caldicott Guardian (Dr Philip West), who is responsible for ensuring patients' confidentiality is respected. Your confidentiality is very important to us, and we have strict controls in place to protect your information.
Data will be retained only for as long as necessary to provide care for you. Our document retention policy is available by clicking here.
How your records are used to help you
Accurate, up-to-date information about you:
- helps staff to assess your health and care for you
- will help staff to treat you in future, in the surgery or elsewhere
- allows staff to monitor and if necessary investigate the care you have received
How your records help us
Accurate, up-to-date information about you:
- helps us provide high quality care and meet all our patients' needs
- helps us train healthcare professionals and support research and development
- is necessary for the surgery to be paid for your treatment
- supports audits of NHS services and accounts
- supports investigation of any incidents or issues that arise
- contributes to national NHS statistics
Your information rights
- You have the right to know how we will use your personal information.
- You have the right to see your health record (your medical notes). This is known as Right of Subject Access.
- You have the right to object to us making use of your information.
- You can ask us to change or restrict the way we use your information and we have to agree if possible.
- You have the right to ask for your information to be changed, blocked or erased if it is incorrect.
Sharing your information
Sometimes we have to pass on information by law:
- to notify a birth or death
- when an infectious disease such as meningitis or measles may endanger the safety of others
- where a formal court order has been issued
- when sharing information with the police may prevent a serious crime, or prevent harm to you or other people
We may have to share information about you with non-NHS staff (for example Social Services): we will only do this if it is necessary, and if we need your consent we will ask you for it. The main NHS organisations which may need your information are Clinical Commissioning Groups, Commissioning Support Units, other NHS trusts, hospitals, other GP practices and ambulance services. If we have to share information about you, we will remove your personal details where possible.
Accessing your Record
You have a right under the General Data Protection Regulations 2018 to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. In order to request this, you need to do the following:
- Your request must be made in writing to the GP - for information from the hospital you should write direct to them
- We are required to respond to you within 30 days
- You will need to give adequate information (for example full name, address, date of birth, NHS number and details of the reason for your request) so that your identity can be verified and your records located
To see a copy of your health record or to ask to see parts of it relating to specific points, please send a written request to:
Kevin Evans - Practice Manager
17 Winchester Road
Your notes will be prepared for you and depending on what you require access to online records may be granted, a document could be emailed to you or a qualified member of staff will talk you through the content. Your right to see some information may be limited - for example, if it includes details about other people.
Happy to Share
If you would like us to be able to share your health record electronically with other NHS Services, like hospitals, community clinics or the district nurses, please complete the form available at reception or download it from here.
If you would like to see a short video of how this new service can improve your health care and save you time repeating your medical history, click here.
Statement of Intent
We enable successful automated uploads of any changes to patient's summary information, at least on a daily basis, to the Summary Care Record (SCR). Having your Summary Care Record (SCR) available will help anyone treating you without your full medical record. They will have access to information about any medication you may be taking and any drugs that you have a recorded allergy or sensitivity to. Of course if you do not want your medical records to be available in this way then you will need to let us know using the opt out form, so that we can update your record.
If you would like us to make Additional information available on your Summary Care Record or to make your full Electronic Health Record available, please complete this form and send it to us. This information will ONLY be available to other health professionals such as hospital clinicians, paramedics or district nurses. It will only be available to health professionals and will not be passed on without your permission.
GP to GP record transfers
NHS England require practices to utilise the GP2GP facility, electronic transfer of clinical records, for the transfer of patient records between practices, when a patient registers or de-registers (not for temporary registration). It is very important that you are registered with a doctor at all times. If you leave your GP and register with a new GP, your medical records will be removed from your previous doctor and forwarded on to your new GP via NHS England. It can take your paper records up to two or more weeks to reach your new surgery. With GP2GP record transfers your electronic record is transferred to your new practice much sooner. We confirm that GP2GP transfers are already active and we send and receive patient records via this system.
CQC accessing records and GDPR
CQC has powers under the Health and Social Care Act 2008 to access and use information where we consider this is necessary for us to carry out our functions as a regulator. Where possible inspectors should explain why they are asking to look at certain records. They will consider any concerns and objections raised to them, and whether they can achieve CQC’s purpose by accessing the records of someone else. However, CQC relies on its legal powers to access information rather than consent, therefore may use its powers to access records even in cases where objections have been raised.
More detail on how we ensure compliance with data protection law (including GDPR) and our privacy statement is available on our website. As part of their own compliance with GDPR, providers’ own privacy statements should inform people of CQC’s powers to ensure their staff, people using services and their families are aware. It would be helpful for providers to include a link to CQC’s privacy statement in their own. The ICO provides more information and resources on GDPR compliance and can be contacted for advice.
Data for other purposes
It is already a requirement of the Health and Social Care Act that practices must meet the reasonable data requirements of commissioners and other health and social care organisations through appropriate and safe data sharing for secondary uses, as specified in the technical specification for care data. We have specific arrangements in place to allow patients to 'opt out' of care data which allows for the removal of data from the practice, please use this Care Data Opt Out form. More information about how your information is used by secondary care providers under the health and social care act is available here.
We confirm these arrangements are in place and that we undertake annual training and audits to ensure that all our data is handled correctly and safely via the Information Governance Toolkit.
National Data Opt-out
The national data opt-out is introduced on 25 May 2018, providing a facility for individuals to opt-out from the use of their data for research or planning purposes. This is provided in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs. The service will initially be in beta, while we ensure the service design is optimal.
Individual preferences will be collected from 25 May and by 2020 all health and care organisations are required to have applied these preferences in all research and planning situations in which confidential patient information is used. NHS Digital will apply these preferences with immediate effect.
The national data opt-out will replace the previous 'type 2' opt-out, which required NHS Digital to refrain from sharing a patient's confidential patient information for purposes beyond their direct care. Any person with an existing type 2 opt-out will have it automatically converted to a national data opt-out from 25 May 2018 and will shortly receive a letter giving them more information and a leaflet explaining the new national data opt-out. We will continue to collect and convert type 2 opt-outs during the beta phase.
The national data opt-out choice can be viewed or changed at any time by using the online service at www.nhs.uk/your-nhs-data-matters or call 0300 303 5678.
The General Data Protection Regulations 2018 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information. This information is publicly available on the Information Commissioners Office (ICO) and the practice is registered with them.
Our Data Protection Officer responsible for keeping your information secure and confidential is Caroline Simms and can be contacted via the surgery.
Lawful basis for direct care and administrative purposes
All health and adult social care providers are subject to the statutory duty under section 251B of the Health and Social Care Act 2012 to share information about a patient for their direct care. This duty is subject to both the common law duty of confidence and currently the DPA98 (and in due course the DPA18 and GDPR).
For common law purposes, sharing information for direct care is on the basis of implied consent, which may also cover administrative purposes where the patient has been informed or it is otherwise within their reasonable expectations.
Under the GDPR, for processing personal data in the delivery of direct care, and for providers' administrative purposes, the Article 6 condition for lawful processing that applies to the surgery and all publicly funded health and social care organisations in the delivery of their functions is:
6(1)(e) for the performance of a task carried out in the public interest or in the exercise of official authority
Under the GDPR, personal data concerning health are special categories of personal data; the most appropriate Article 9 condition which applies to the surgery for direct care or administrative purposes is:
9(2)(h) medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems
Data transferred outside the EU
The data we hold on you will not be transferred outside the EU. Should any future changes in the NHS mean that this is possible, we will seek your permission before transferring any of your information outside the EU.