In order to comply with data protection legislation, this notice has been designed to inform you of what you need to know about the personal information we process. This is your assurance that we are complying with our legal obligation to you and a good opportunity for you to understand or exercise your information rights.
We are legally required to tell you:
Your Personal Information
When we say personal information, we are referring to any information that can identify a specific person, either on its own or together with other information. The obvious examples are name, address and date of birth; however, this could include other forms of data, such as email address, car registration, specific physical feature, NHS number, pictures, images and so forth.
Most of the personal information we process is confidential or sensitive because of the nature of our business activities (health and social care). This could be used in a discriminatory way and is likely to be of a private nature, so greater care is needed to ensure this is processed securely. Confidential or sensitive information includes the racial or ethnic origin of the data subject, political opinions, religious beliefs or other beliefs of a similar nature, Trade Union membership, physical or mental health or condition, sexual life, and the commission or alleged commission of, or proceedings for, any offence.
Anonymised data is not personal information. This is any information that cannot reasonably identify you, so it cannot be personal, confidential or sensitive. Anonymisation requires the removal of personal information that might identify you.
The personal information we collect may be used for any of the following specific purposes:
Without your personal information, we cannot:
Lawful Basis for Processing your Personal Information
We do not rely on consent as a ‘lawful basis for processing’ when using your personal information for healthcare; instead, we follow guidance issued by the British Medical Association (BMA).
We rely on the following specific provisions under Articles 6 (Lawful Processing) and 9 (Processing of Special Categories of Personal Data) of the GDPR:
For your personal information
Article 6 (1c) ‘processing is necessary for compliance with a legal obligation…’
Article 6 (1e) ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller.’
For your special category information
Article 9 (2b) ‘…for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’
Article 9 (2h) ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’
Article 9 (2i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’
Please note: You do have the right to say ‘NO’ to our use of your personal information, but this may have an impact on our ability to provide appropriate care or services. Please speak to a member of Essex House Surgery or our Data Protection Officer.
We never use your personal information for advertising, marketing and public relations or insurance purposes without your consent.
Retention and Disposal of Personal Information
Your personal information may be written down (manual), digitised or held on computers (electronic) centrally within or outside of Essex House Surgery. These may be paper records, scans, photographs, slides, CCTV images, microform (i.e. fiche/film), audio, video, emails, computerised records on IT systems, or scanned documents etc. which we process securely in accordance with data protection legislation and store in conjunction with the Records Management code of Essex House Surgery.
Keeping your Personal Information Safe
We are committed to keeping your information secure and have operational policies, procedures and technical measures in place to protect your information whether it is in a hardcopy, digital or electronic format.
We are registered with the Information Commissioner’s Office.
Mandatory training and regular audits are in place to ensure that only authorised personnel with the absolutely necessary need to know your personal information can use it.
When there are data protection breaches (for example – unauthorised access, inappropriate use, failure to secure and keep personal information secure or accurate), these are reported and investigated, with appropriate action (disciplinary, legal, lessons learned, re-training etc.) taken.
Sharing Personal Information
We may need to share your personal information with another organisation e.g. NHS organisations, health and social care organisations, public bodies (Social Services, Probation Service, Police, Regulatory Authorities) or third party providers commissioned to process personal information on our behalf.
This is because of our duty to share, which is as important as our duty of confidentiality. We may also share your personal information for planning services across the NHS. This is vital to delivering better healthcare and improving our services.
You have the right to say no and to opt out of or restrict this sharing. Your right to opt out for reasons other than direct care (e.g. planning and research purposes) is managed through the National Data Opt-Out Programme (search online or contact NHS Digital on 0300 303 5678 to find out more).
Your Information Rights
You have the right to:
Requests for information
Please complete a Request for Access to Records form on our website. We will require proof of identity before we can disclose any personal information.
Report Complaint or Concern
We try to meet the highest standards when processing personal information. You should let us know when we get something wrong.
Essex House Surgery employs an independent Data Protection Officer (DPO). The role of our DPO is to examine our information handling and ensure we operate within the law.
These services are provided by Umar Sabat from IG-Health. He can be contacted on email@example.com. He can only assist with complaints about your personal information. All other complaints should be directed to the practice.