General Data Protection Regulations
​
The GDPR requires practices to process data ‘fairly’ and in a ‘transparent manner’ which is ‘easily accessible and easy to understand’. This means that practices must provide information to patients about how the practice processes patient data in the form of ‘privacy notices’.
​
Our Privacy Notice
​
How we use your medical records - Important information for patients
-
This practice handles medical records in-line with laws on data protection and confidentiality
-
We share medical records with those who are involved in providing you with care and treatment.
-
In some circumstances we will also share medical records for medical research, for example to find out more about why people get ill.
-
We share information when the law requires us to do so, for example, to prevent infectious diseases from spreading or to check the care being provided to you is safe.
-
You have the right to be given access to your medical record.
-
You have the right to object to your medical records being shared with those who provide you with care.
-
You have the right to object to your information being used for medical research and to plan health services.
-
You have the right to have any mistakes corrected and to complain to the Information Commissioner’s Office. Please read the 'Legal' section at the end for more information about your rights.
Other important information about how your information is used to provide healthcare
​
-
All patients who receive NHS care are registered on a national database.
-
This database holds your name, address, date of birth and NHS Number but it does not hold information about the care you receive.
-
The database is held by NHS Digital and how it uses information can be found at: https://digital.nhs.uk/home , a national organisation which has legal responsibilities to collect NHS data.
More information can be found at: https://digital.nhs.uk/home or the phone number for general enquires is 0300 303 5678
​
Identifying patients who might be at risk of certain diseases
-
Your medical records will be searched by a computer programme so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital.
-
This means we can offer patients additional care or support as early as possible.
-
This process will involve linking information from your GP record with information from other health or social care services you have used
-
Information which identifies you will only be seen by this practice.
-
More information can be found at https://www.emishealth.com/sectors/research/ or speak to the practice
-
Safeguarding
​
-
Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm.
-
These circumstances are rare.
-
We do not need your consent or agreement to do this. Please see a summary of our local safeguarding policies for more information: Safeguarding Policy
​
Detailed Practice privacy notices
​
To provide more detailed information for patients on exactly how we share information we have developed these four statements to cover the key elements of how we share information for
-
Provision of direct healthcare
-
Medical research and clinical audit
-
Legal requirements to share
-
National screening programmes.
​
At the end of this page are the legal statements for each section of how we use and share information
​
1 - Provision of direct care: How we use your information to provide you with healthcare
​
-
This practice keeps medical records confidential and complies with the General Data Protection Regulation. We hold your medical record so that we can provide you with safe care and treatment.
-
We will also use your information so that this practice can check and review the quality of the care we provide. This helps us to improve our services to you.
-
We will share relevant information from your medical record with other health or social care staff or organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital. Or your GP will send details about your prescription to your chosen pharmacy.
-
For more information on how we share your information with organisations who are directly involved in your care please see below Sections 2/3/4
-
Healthcare staff working in A&E and Out of Hours care will also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions. This will involve the use of your Summary Care Record. For more information see: https://digital.nhs.uk/summary-care-record
-
Harthill Primary Care Network - Harthill Primary Care Network (PCN) is a collaboration of six GP practices, led by a Clinical Director, working together to support a common goal : to improve the health outcomes for our patients, provide direct care and treatment to our registered patients within the Harthill PCN.
​
DATA OPT OUT - You have the right to object to information being shared for your own care. Patients can find out more and set their opt-out choice at nhs.uk/your-nhs-data-matters or speak to the practice if you wish to object. You also have the right to have any mistakes or errors corrected.
​
2 - Medical Research and Clinical audit: How we share information from medical records
​
We share information from your medical record
-
to support medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best
-
we will also use your medical records to carry out research within the practice​​​​
​
This is important because:
-
The use of information from GP medical records is very useful in developing new treatments and medicines
-
medical researchers use information from medical records to help answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive.
​
We share information with the following medical research organisations with your explicit consent or when the law allows:
-
Q Surveillance - a real time surveillance system based from >3000 EMIS UK general practices which forms part of a critical part of the UK response to, for example, pandemic flu, natural chemical disasters etc.
It collects, analyses and reports disease rates, vaccine uptake by age and sex but NO individual patient data is extracted so there is
no risk to patient confidentiality. It is run in collaboration with Nottingham University, EMIS ClinRisk Ltd and approved by BMA,
MREC, NUG, RCGP. For more information please see http://www.qsurveillance.org
-
National Diabetes Audit - a legal requirement mandated by the Dept of Health which measures the effectiveness of diabetes healthcare against NICE Clinical Guidelines and NICE Quality Standards, in England and Wales. The NDA collects and analyses data for use by a range of stakeholders to drive changes and improvements in the quality of services and health outcomes for people with diabetes.
Information is collected at patient level but is anonymised so no individual patient can be identified. It is managed under an
agreement by the Healthcare Quality Improvement Partnership (HQIP) on behalf of NHS England and the Welsh Government. The
NDA is delivered by NHS Digital (previously known as 'the Health and Social Care Information Centre, HSCIC'), in partnership with
Diabetes UK and the National Cardiovascular Intelligence Network (part of Public Health England). For further information please
-
EMIS Clinical Systems Risk Stratification. Information is collected for Risk Stratification purposes to identify patients who may be - or may become - vulnerable to unexpected hospital admissions or disease related complications. Risk Stratification is a recognised tool to assist management of patients.
For more information please see https://www.emishealth.com/products/risk-stratification
​
The reason we have to contribute to national clinical audits is so that healthcare can be checked and reviewed.
-
Information from medical records can help doctors and other healthcare workers measure and check the quality of care which is provided to you.
-
The results of the checks or audits can show where hospitals are doing well and where they need to improve.
-
The results of the checks or audits are used to recommend improvements to patient care.
-
Data are sent to NHS Digital, a national body with legal responsibilities to collect data.
-
The data will include information about you, such as your NHS Number and date of birth and information about your health which is recorded in coded form - for example the code for diabetes or high blood pressure.
-
We will only share your information for national clinical audits or checking purposes when the law allows.
For more information about national clinical audits see the Healthcare Quality Improvements Partnership website: https://www.hqip.org.uk/ or phone 020 7997 737
You have the right to object to information being shared for research and clinical audit. Patients can find out more and set their opt-out choice at nhs.uk/your-nhs-data-matters or speak to the practice if you wish to object.
​
3 - Legal requirements to share information : how we meet legal requirements
​
The law requires us to share information from your medical records in certain circumstances. Information is shared so that the NHS or Public Health England can, for example:
-
plan and manage services;
-
check that the care being provided is safe;
-
prevent infectious diseases from spreading.
​
We will share information with NHS Digital, the Care Quality Commission and local health protection team (or Public Health England) and when the law requires us to do so (for example in cases of safeguarding/suspected abuse).
We must also share your information if a court of law orders us to do so
NHS Digital
​
NHS Digital is a national body which has legal responsibilities to collect information about health and social care services. It collects information from across the NHS in England and provides reports on how the NHS is performing.
These reports help to plan and improve services to patients.
This practice must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012. More information about NHS Digital and how it uses information can be found at https://digital.nhs.uk/home
​
Care Quality Commission (CQC)
​
The CQC regulates health and social care services to ensure that safe care is provided.
The law says that we must report certain serious events to the CQC, for example, when patient safety has been put at risk.
For more information about the CQC see: http://www.cqc.org.uk/
Public Health
​
The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population.
We will report the relevant information to local health protection team or Public Health England.
For more information about Public Health England and disease reporting see: https://www.gov.uk/guidance/notifiable-diseases-and-causative-organisms-how-to-report
4 - National Screening Programmes - how we share information
​
The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service.
The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.
More information can be found at: https://www.gov.uk/topic/population-screening-programmes
​
LEGAL STUFF
​
Below are the four legal sections of information we are obliged tell you about in respect of the handling of your information for the purposes our providing you with a health care service. These cover the four areas described above
-
Provision of direct healthcare
-
Medical research and clinical audit
-
Legal requirements to share
-
National screening programmes.
​
Data Controller contact details
​
Willerby & Swanland Surgery
Willand Primary Care Centre, Lowfield Road, Anlaby. HU10 7JR. Telephone 01482 652652
Data Protection Officer contact details
This Practice have appointed Barry Jackson to be the Data Protection Officer (DPO) He is employed by the East Riding CCG IT Provider, N3i, and can be contacted through their service desk on phone: 0300 002 0001 or email: dpo@n3i.co.uk
​
​
1 We are required by law to provide you with the following information about how we share your information for provision of direct healthcare
​
Purpose of the processing : To give direct health or social care to individual patients.
For example, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care.
To check and review the quality of care. (This is called audit and clinical governance).
​
Lawful basis for processing
These purposes are supported under the following sections of the GDPR:
​
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and
​
Article 9(2)(h)‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”
Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.
Recipient or categories of recipients of the processed data
The data will be shared with:
· healthcare professionals and staff in this surgery;
· local hospitals;
· out of hours services;
· diagnostic and treatment centres;
· or other organisations involved in the provision of direct care to individual patients including national screening bodies;
· medical research and clinical audit/risk stratification providers as above;
Rights to object
· You have the right to object to information being shared between those who are providing you with direct care.
· This may affect the care you receive – please speak to the practice.
· You are not able to object to your name, address and other demographic
information being sent to NHS Digital.
· This is necessary if you wish to be registered to receive NHS care.
· You are not able to object when information is legitimately shared for
safeguarding reasons.
· In appropriate circumstances it is a legal and professional requirement to
share information for safeguarding reasons. This is to protect people from
harm.
· Such information will be shared with the local safeguarding service of the East
Riding of Yorkshire Council and the Named Safeguarding Doctor/Nurse
Right to access and correct
​
· You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff or look at our ‘subject access request’ policy on the practice website Your Medical Records
We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.
Retention period
GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found at: https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
Right to complain
You have the right to complain to the Information Commissioner’s Office. If you wish to complain follow this link https://ico.org.uk/global/contact-us/or call the helpline 0303 123 1113
​
Data we get from other organisations
​
We receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation the hospital will send us a letter to let us know what happens. This means your GP medical record is kept up-to date when you receive care from other parts of the health service.
2 We are required by law to provide you with the following information about how we share your information for medical research and clinical audit purposes.
Purpose of the processing - Medical research and to check the quality of care which is given to patients (this is called national clinical audit).
​
Lawful basis for processing
The following sections of the GDPR mean that we can use medical records for research and to check the quality of care (national clinical audits)
Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.
For medical research: there are two possible Article 9 conditions.
Article 9(2)(a) – ‘the data subject has given explicit consent…’
OR
Article 9(2)(j) – ‘processing is necessary for… scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’.
To check the quality of care (clinical audit):
Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services...’
Recipient or categories of recipients of the processed data
For medical research the data will be shared with EMIS Clinical Systems QSurveillance programme and risk stratification programme.
For national clinical audits which check the quality of care the data will be shared with NHS Digital and the LeDeR (Learning from Lives and Deaths – People with a Learning Disability and Autistic People) programme for relevant patients.
Rights to object and the national data opt-out
You have a choice about whether you want your confidential patient information to be used for national clinical audits. If you are happy with this use of information you do not need to do anything. If you do choose to opt-out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visitwww.nhs.uk/your-nhs-data-matters. On this web page you will:
-
See what is meant by confidential patient information
-
Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
-
Find out more about the benefits of sharing data
-
Understand more about who uses the data
-
Find out how your data is protected
-
Be able to access the system to view, set or change your opt-out setting
-
Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
-
See the situations where the opt-out will not apply
​
You can also find out more about how patient information is used at:
https://www.hra.nhs.uk/(which covers health and care research); and
https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
​
You can change your mind about your choice at any time.
​
Data being used or shared for national purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
​
Health and care organisations have until 2020 to put systems and processes in place so they can apply your national data opt-out choice. Our organisation is not currently able to apply your national data opt-out choice to any confidential patient information we may use or share with other organisations for purposes beyond your individual care
Right to access and correct
​
· You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff or look at our policy on the practice website Your Medical Records
-
We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.
-
Retention period
GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found at: https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
or speak to the practice.
Right to complain
You have the right to complain to the Information Commissioner’s Office. If you wish to complain follow this linkhttps://ico.org.uk/global/contact-us/ or call the helpline 0303 123 1113
3 We are required by law to provide you with the following information about how we handle your information and our legal obligations to share data.
​
Purpose of the processing : Compliance with legal obligations or court order.
Lawful basis for processing
The following sections of the GDPR mean that we can share information when the law tells us to.
Article 6(1)(c) – ‘processing is necessary for compliance with a legal obligation to which the controller is subject…’
Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services...’
Recipient or categories of recipients of the processed data
· The data will be shared with NHS Digital.
· The data will be shared with the Care Quality Commission.
· The data will be shared with our local health protection team or Public
Health England.
· The data will be shared with the court if ordered.
Rights to object and the national data opt-out
There are very limited rights to object when the law requires information to be shared but government policy allows some rights of objection as set out below.
NHS Digital
· You have the right to object to information being shared with NHS Digital for reasons other than your own direct care.
· This is called a ‘Type 1’ objection – you can ask your practice to apply this code to your record.
· Please note: The ‘Type 1’ objection, however, will no longer be available after 2020.
· This means you will not be able to object to your data being shared with NHS Digital when it is legally required under the Health and Social Care Act 2012.
The national data op-out model is intended to provide you with an easy way of opting-out of identifiable data being used for health service planning and research purposes, including when it is shared by NHS Digital for these reasons.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters
​
LeDeR Programme
Primary care records are key to understanding the person who has died and will always be needed to help us understand whether there are lessons to be learned from the death of an individual. A LeDeR reviewer will always either need access to primary care records or have a conversation with the GP of a person with a learning disability or autistic person who has died.
- NHS England and NHS Improvement hold approval from the Confidentiality Advisory Group (CAG) of the Heath Research Authority
under Section 251, for information to be shared for the purpose of the LeDeR programme.
- Further details on the legal basis for sharing data with LeDeR reviewers can also be found in the LeDeR policy.
Details of the CAG S251 approval (ref: 20/CAG/0067 (previously 16/CAG/0056)) can be found on the Health Research Authority's website.
The General Medical Council’s (GMC) confidentiality guidance advises that doctors should disclose relevant information about a patient who has died where disclosure is authorised under section 251 of the NHS Act 2006.
Paragraph 137 of the GMC guidance advises:
“137 - Circumstances in which you should usually disclose relevant information about a patient who has died include:
• the disclosure is permitted or has been approved under a statutory process that sets aside the common law duty of confidentiality, unless you know the patient has objected.”
Paragraph 103 to 105 of the GMC guidance advises:
“103 - In England, Wales and Northern Ireland, statutory arrangements are in place for considering whether disclosing personal information without consent for health and social care purposes would benefit patients or the public sufficiently to outweigh
patients’ right to privacy. Examples of these purposes include medical research, and the management of health or social care services. There is no comparable statutory framework in Scotland.
“104 - Section 251 of the National Health Service Act 2006 allow the common law duty of confidentiality to be set aside for defined purposes where it is not possible to use anonymized information and where seeking consent is not practicable.
“105 - You may disclose personal information without consent if the disclosure is permitted or has been approved under regulations made under section 251 of the National Health Service Act 2006. If you know that a patient has objected to information being disclosed for purposes other than direct care, you should not usually disclose the information unless it is required under the regulations.”
​
Electronic Palliative Care Coordination Systems, or EPaCCS, is a means to capture and share information from people’s discussions about their care. The aim of this is to ensure that any professional involved in that person’s care has access to the most up to date information, including any changes to their preferences and wishes and personalised care plans.
The core record is usually kept by the General Practitioner in their electronic system and information sharing agreements put into place to allow relevant professionals involved in the person’s care to view and therefore be aware of the individual’s palliative and end of life personalised care plan.
Electronic Palliative Care Coordination Systems, or EPaCCS, is a means to capture and share information from people’s discussions about their care. The aim of this is to ensure that any professional involved in that person’s care has access to the most up to date information, including any changes to their preferences and wishes and personalised care plans.
The core record is usually kept by the General Practitioner in their electronic system and information sharing agreements put into place to allow relevant professionals involved in the person’s care to view and therefore be aware of the individual’s palliative and end of life personalised care plan.
​
Public health
· Legally information must be shared under public health legislation. This means that you are unable to object.
Care Quality Commission
· Legally information must be shared when the Care Quality Commission needs it for their regulatory functions. This means that you are unable to object.
Court order
· Your information must be shared if it ordered by a court. This means that you are unable to object.
​
Right to access and correct
​
· You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff or look at our policy on the practice website Your Medical Records
-
We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.
​
Retention period
GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found at: https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
or speak to the practice.
Right to complain
You have the right to complain to the Information Commissioner’s Office. If you wish to complain follow this link https://ico.org.uk/global/contact-us/ or call the helpline 0303 123 1113
4: We are required by law to provide you with the following information about how we handle your information in relation to our legal obligations to share data for national screening programmes.
​
Purpose of the processing : The NHS provides several national health screening programmes to detect diseases or conditions early such as cervical and breast cancer, aortic aneurysm and diabetes.
· The information is shared so that the correct people are invited for screening. This means those who are most at risk can be offered treatment.
Lawful basis for processing
The following sections of the GDPR allow us to contact patients for screening.
Article 6(1)(e) – ‘processing is necessary…in the exercise of official authority vested in the controller...’’
Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services...’
Recipient or categories of recipients of the processed data
The data will be shared with Public Health England
https://www.gov.uk/topic/population-screening-programmes
Rights to object
For national screening programmes: you can opt so that you no longer receive an invitation to a screening programme.
See: https://www.gov.uk/government/publications/opting-out-of-the-nhs-population-screening-programmes or speak to the practice.
Right to access and correct
​
You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff or look at our ‘subject access request’ policy on the practice website Your Medical Records
​
We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.
​
Retention period
GP medical records will be kept in line with the law and national guidance.
Information on how long records can be kept can be found at: https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
or speak to the practice.
Right to complain
You have the right to complain to the Information Commissioner’s Office. If you wish to complain follow this linkhttps://ico.org.uk/global/contact-us/ or call the helpline 0303 123 1113
Data we get from other organisations
​
We receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation the hospital will send us a letter to let us know what happens. This means your GP medical record is kept up-to date when you receive care from other parts of the health service.
​