GDPR/Information Governance

Summary Care Record

There is a new Central NHS Computer System called the Summary Care Record (SCR). It is an electronic record which contains information about the medicines you take, allergies you suffer from and any bad reactions to medicines you have had.

Why do I need a Summary Care Record?

Storing information in one place makes it easier for healthcare staff to treat you in an emergency, or when your GP practice is closed.

This information could make a difference to how a doctor decides to care for you, for example which medicines they choose to prescribe for you.

Who can see it?

Only healthcare staff involved in your care can see your Summary Care Record.

Do I have to have one?

No, it is not compulsory. If you choose to opt out of the scheme, then you will need to complete a form and bring it along to the surgery. You can use the form at the foot of this page.

More Information

For further information visit the summary care records website

Download the opt out form >>>

London Care Record

With the progress of data sharing across London and beyond, the system formerly known as “Connect Care” has been renamed to “The London Care Record”.

The London Care Record enables health and care staff to have one secure view of a person’s relevant heath and care information. Even if a person’s details are held in other London care organisations, information can still be accessed safely and securely. For example, if someone from Barnes (South West London) attends A&E at Chelsea and Westminster Hospital (North West London), staff involved can access the information they need to treat that person quickly and safely. This could include information on allergies, current medications, or existing long-term conditions.

Information is transferred securely, via a health information exchange system – this enables more effective care at the first point of contact.

A short video explaining more about the London Care Record is available here:

https://www.youtube.com/watch?v=enuxS5fttTA&t=13s

If you have any questions, please visit the frequently asked questions page.

Data Choices

Your Data Matters to the NHS

Information about your health and care helps us to improve your individual care, speed up diagnosis, plan your local services and research new treatments. The NHS is committed to keeping patient information safe and always being clear about how it is used.

How your data is used

Information about your individual care such as treatment and diagnoses is collected about you whenever you use health and care services. It is also used to help us and other organisations for research and planning such as research into new treatments, deciding where to put GP clinics and planning for the number of doctors and nurses in your local hospital.  It is only used in this way when there is a clear legal basis to use the information to help improve health and care for you, your family and future generations.

Wherever possible we try to use data that does not identify you, but sometimes it is necessary to use your confidential patient information.

You have a choice

You do not need to do anything if you are happy about how your information is used. If you do not want your confidential patient information to be used for research and planning, you can choose to opt out securely online or through a telephone service. You can change your mind about your choice at any time.

Will choosing this opt-out affect your care and treatment?

No, choosing to opt out will not affect how information is used to support your care and treatment. You will still be invited for screening services, such as screenings for bowel cancer.

What do you need to do?

If you are happy for your confidential patient information to be used for research and planning, you do not need to do anything.

To find out more about the benefits of data sharing, how data is protected, or to make/change your opt-out choice visit www.nhs.uk/your-nhs-data-matters

This practice is supporting vital health and care planning and research by sharing your data with NHS Digital. For more information about this see the GP Practice Privacy Notice for General Practice Data for Planning and Research.

Opting out

If you don’t want your identifiable patient data (personally identifiable data in the diagram above) to be shared for purposes except for your own care, you can opt-out by registering a Type 1 Opt-out or a National Data Opt-out, or both. These opt-outs are different and they are explained in more detail below. Your individual care will not be affected if you opt out using either option.

Type 1 Opt-out (opting out of NHS Digital collecting your data)

If you do not want your identifiable patient data (personally identifiable data in the diagram above) to be shared outside of the GP practice for purposes except your own care, you can register an opt-out with the GP practice. This is known as a Type 1 Opt-out.

Type 1 Opt-outs were introduced in 2013 for data sharing from GP practices, but may be discontinued in the future as a new opt-out has since been introduced to cover the broader health and care system, called the National Data Opt-out. If this happens, patients who have registered a Type 1 Opt-out will be informed. There is more information about National Data Opt-outs below.

NHS Digital will not collect any patient data for patients who have already registered a Type 1 Opt-in line with current policy. If this changes patients who have registered a Type 1 Opt-out will be informed.

If you do not want your patient data shared with NHS Digital for the purposes above, you can register a Type 1 Opt-out with your GP practice. You can register a Type 1 Opt-out at any time. You can also change your mind at any time and withdraw a Type 1 Opt-out.

If you have already registered a Type 1 Opt-out with your GP practice your data will not be shared with NHS Digital.

If you wish to register a Type 1 Opt-out with your GP practice before data sharing starts with NHS Digital, this should be done by returning this form to your GP practice. If you have previously registered a Type 1 Opt-out and you would like to withdraw this, you can also use the form to do this. You can send the form by post or email to your GP practice or call 0300 3035678 for a form to be sent out to you.

If you register a Type 1 Opt-out after your patient data has already been shared with NHS Digital, no more of your data will be shared with NHS Digital. NHS Digital will however still hold the patient data which was shared with them before you registered the Type 1 Opt-out.

If you do not want NHS Digital to share your identifiable patient data (personally identifiable data in the diagram above) with anyone else for purposes beyond your own care, then you can also register a National Data Opt-out. There is more about National Data Opt-outs and when they apply below.

GDPR Privacy Policy

Privacy-Direct Care (Routing Care & Referrals)

This practice keeps data on you relating to who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care.

When registering for NHS care, all patients who receive NHS care are registered on a national database, the database is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS

GPs have always delegated tasks and responsibilities to others that work with them in their surgeries, on average an NHS GP has between 1,500 to 2,500 patients for whom he or she is accountable. It is not possible for the GP to provide hands on personal care for each and every one of those patients in those circumstances, for this reason GPs share your care with others, predominantly within the surgery but occasionally with outside organisations.

If your health needs require care from others elsewhere outside this practice we will exchange with them whatever information about you that is necessary for them to provide that care. When you make contact with healthcare providers outside the practice but within the NHS it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non NHS services but this is not always the case.

Your consent to this sharing of data, within the practice and with those others outside the practice is assumed and is allowed by the Law.

People who have access to your information will only normally have access to that which they need to fulfil their roles, for instance admin staff will normally only see your name, address, contact details, appointment history and registration details in order to book appointments, the practice nurses will normally have access to your immunisation, treatment, significant active and important past histories, your allergies and relevant recent contacts whilst the GP you see or speak to will normally have access to everything in your record.

You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests. Please see below.

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

1) Data Controller contact details Essex House Surgery Station Road Barnes SW13 0LW
2) Data Protection Officer contact details Umar Sabat
dpo.swl@nhs.net
3) Purpose of the processing Direct Care is care delivered to the individual alone, most of which is provided in the surgery. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.
4) Lawful basis for processing The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR: 

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*
5) Recipient or categories of recipients of the processed data The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.
6) Rights to object You have the right to object to some or all the information being processed. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance
7) Right to access and correct You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention period The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016 or speak to the practice.
9) Right to Complain. You have the right to complain to the Information Commissioner’s Office.

Privacy Policy

Privacy Policy – Your Data

In order to comply with data protection legislation, this notice has been designed to inform you of what you need to know about the personal information we process. This is your assurance that we are complying with our legal obligation to you and a good opportunity for you to understand or exercise your information rights.

We are legally required to tell you:

  • What personal information we use
  • Why we need your personal information
  • The lawful basis for processing your personal information i.e. legitimate reasons for collecting, keeping, using and sharing it
  • How we use, store, protect and dispose of your personal information
  • How long we keep it for and who we may share it with
  • About your information rights
  • How to report a complaint or concern

Your Personal Information

When we say personal information, we are referring to any information that can identify a specific person, either on its own or together with other information. The obvious examples are name, address and date of birth; however this could include other forms for data, such as email address, car registration, specific physical feature, NHS number, pictures, images and so forth.

Most of the personal information we process is confidential or sensitive because of the nature of our business activities (health and social care). This could be used in a discriminatory way and is likely to be of a private nature, so greater care is needed to ensure this is processed securely. Confidential or sensitive information includes the racial or ethnic origin of the data subject, political opinions, religious beliefs or other beliefs of a similar nature, Trade Union membership, physical or mental health or condition, sexual life, commission, alleged commission of or proceeding for any offence.

Anonymised data is not personal information. This is any information that cannot reasonably identify you, so it cannot be personal, confidential or sensitive. Anonymisation requires the removal of personal information that might identify you.

The personal information we collect may be used for any of the following specific purposes:

  • Health care for patients – diagnosis, treatment and referral
  • Accounting, financial management and auditing
  • Education and training
  • Consultancy and Advisory services
  • Human resources and staff administration
  • Crime prevention and prosecution
  • Health administration and services management
  • Business activity information and databank administration
  • Contractual arrangements for data processing by third parties
  • Occupational Health referrals
  • Research, national surveys
  • Security services e.g CCTV monitoring, confidentiality audits

Without your personal information, we cannot:

  • Direct, manage and deliver the health care you may require
  • Ensure we have accurate and up to date information to assess and provide what you require
  • Provide the appropriate level of assistance or adequate guidance
  • Refer you to a specialist or another service
  • Protect the general public or promote public health
  • Manage, develop or improve our services
  • Investigate complaints or proceed with legal actions for claims
  • Employ you to join our workforce
  • Procure products and services
  • Commission business activities
  • Comply with a court order
  • Comply with regulatory requirements
  • Meet some of our legal obligations
  • Compile statistics to review our performance
  • Educate and train our workforce
  • Undertake clinical trials and research studies you have consented to
  • Complete occupational health checks you have consented to
  • Keep you and other service users safe on our premises

 

Lawful Basis for Processing your Personal Information
We do not rely on consent to use your personal information as a ‘lawful basis for processing’ regarding using your information for healthcare instead follow guidance issued by the British Medical Association (BMA).

We rely on the following specific provisions under Articles 6 (Lawful Processing) and 9 (Processing of Special Categories of Personal Data) of the GDPR:

For your personal information

Article 6 (1c) ‘processing is necessary for compliance with a legal obligation…’

Article 6 (1e) ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller.’

For your special category information

Article 9 (2b) ‘…for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’

Article 9 (2h) ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’

Article 9 (2i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’

Please note: You do have the right to say ‘NO’ to our use of your personal information but this may have an impact on our ability to provide appropriate care or services. Please speak a member of Essex House Surgery or our Data Protection Officer.

We never use your personal information for advertising, marketing and public relations or insurance purposes without your consent.

Retention and Disposal of Personal Information
Your personal information may be written down (manual), digitised or held on computers (electronic) centrally within or outside of Essex House Surgery. These may be paper records, scans, photographs, slides, CCTV images, microform (i.e. fiche/film), audio, video, emails, computerised records on IT systems, or scanned documents etc. which we process securely in accordance with data protection legislation and store in conjunction with the Records Management code of Essex House Surgery.

– Records Management Code of  Practice 2016

Keeping your Personal Information Safe
We are committed to keeping your information secure and have operational policies, procedures and technical measures in place to protect your information whether it is in a hardcopy, digital or electronic format.

We are registered to the Information Commissioner’s Office

Mandatory training and regular audits are in place to ensure that only authorised personnel with the absolutely necessary need to know your personal information can use it.

When there are data protection breaches (for example – unauthorised access, inappropriate use, failure to secure and keep personal information secure or accurate), these are reported and investigated, with appropriate action (disciplinary, legal, lessons learned, re-training etc.) taken.

Sharing Personal Information
We may need to share your personal information with another organisation e.g. NHS organisations, health and social care organisations, public bodies (Social Services, Probation Service, Police, Regulatory Authorities) or third party providers commissioned to process personal information on our behalf.

This is because of our duty to share which is equally as important as our duty of confidentiality. We may also share your personal information for planning services across the NHS. This is vital to delivering better healthcare and improving our services.

You have the right to say no and to opt out of or restrict this sharing.  Your right to opt out for reasons other than direct care (e.g. planning and research purposes) is managed through the National Data Opt-Out Programme (search online or contact NHS Digital on 0300 303 5678 to find out more).

Your Information Rights
You have the right to:

  • Be informed about the processing of your personal information by Essex House Surgery (done through this notice)
  • Access the information we hold about you (paper, digital or electronic copies)
  • Ask Essex House Surgery to correct or complete your personal information
  • Ask Essex House Surgery to erase your personal information under certain circumstances, if Essex House Surgery does not have a lawful basis to process it
  • Ask Essex House Surgery to restrict the processing of your personal information under certain circumstances
  • Ask Essex House Surgery to move, copy and transfer your personal information which you have provided to Essex House Surgery, in a portable, commonly-used/machine readable format and securely, for your own purpose
  • Ask us not to process your personal information
  • Ask us not to use your personal information for public interests, direct marketing, automated decision-making, profiling, research or statistical purposes
  • Receive a response to your access or change request within a calendar month

Requests for information
Please complete a Request for Access to Records form on our website. We will require proof of identity before we can disclose any personal information.

Report Complaint or Concern
We try to meet the highest standards when processing personal information. You should let us know when we get something wrong.

Essex House Surgery employs an independent Data Protection Officer (DPO). The role our DPO is to examine our information handling and ensure we operate within the law.

These services are provided by Umar Sabat from IG-Health. He can be contacted on dpo.swl@nhs.net. He can only assist with complaints about your personal information. All other complaints should be directed to the practice.

Additional Information

Contraception

GDPR/Information Governance

Non-NHS Services

Resources and Useful Links

Self Referral

Travel Vaccinations