Privacy Notice – Goyt Valley Medical Practice
This privacy notice explains why we collect information about you, how that information may be used and how we keep it safe and confidential in accordance with the General Data Protection Regulation (GDPR).
Goyt Valley Medical Practice is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about you as a patient. We are required under data protection legislation to notify you of the information contained within this privacy notice.
Health care professionals who provide you with care are required to maintain records about your health and any treatment or care you have received within any NHS and other healthcare organisations. These records are used to provide you with the best possible healthcare.
How we keep information confidential and safe
Everyone working in the NHS is subject to the Common Law Duty of Confidentiality. Information provided in confidence will only be used for the purposes advised with consent given by the patient, unless there are other circumstances covered by law. The NHS Digital Code of Practice on Confidential Information applies to all our staff and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All our staff are expected to make sure that information is kept confidential and receive training on how to do this.
These records may be electronic, on paper or a mixture of both and we use a combination of working practices and technologies to ensure that your information is kept confidential and secure. Your electronic records are backed up securely in line with NHS standard procedures. We ensure that the information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personnel. We also make sure that external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
Information we hold
The practice holds information about you which may include the following:
When registering for NHS care, all patients who receive NHS care are registered on a national database. The database is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS data. NHS Digital is the secure haven for NHS patient data, a single secure repository where data collected from all branches of the NHS is processed. NHS Digital provides reports on the performance of the NHS, statistical information, audits and patient outcomes. Examples include A&E and outpatient waiting times, the number of staff in the NHS, percentage target achievements, payments to GPs etc. and more specific targeted data collections and reports such as the general practice appointments data and English National Diabetes Audits. GPs are required by the Health and Social Care Act to provide NHS Digital with information when instructed. This is a legal obligation which overrides any patient wishes. These instructions are called “Directions”. More information on the Directions placed on the GPs can be found at https://digital.nhs.uk/articles/8059/NHS-England-Directions and www.nhsdatasharing.info
Care Quality Commission
The Care Quality Commission (CQC) is an organisation established in English law by the Health and Social Care Act. The CQC is the regulator for English health and social care services to ensure that safe care is provided. They inspect and produce reports on all English general practices. The law allows CQC to access identifiable patient data as well as requiring this practice to share certain types of data with them in certain circumstances, for instance following a significant safety incident. For more information about the CQC see: https://www.cqc.org.uk
National Screening Programmes
The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These currently apply to bowel cancer, breast cancer, aortic aneurysms and diabetic retinal screening services. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme. More information can be found at: https://www.gov.uk/topic/population-screening-programmes or speak to a member of staff at the practice.
Summary Care Record
The Summary Care Record is an English NHS development. It consists of a basic medical record held on a central government database on every patient registered with a GP surgery in England. The basic data is automatically extracted from your GP’s electronic record system and uploaded to the central system. GPs are required by their contract with the NHS to allow this upload. The basic upload consists of the name, address, date of birth and NHS number of the patient, current medication, allergies and details of any previous bad reactions to medicines.
As well as this basic record additional information can be added, and this can be far reaching and detailed. However, whereas the basic data is uploaded automatically any additional data will only be uploaded if you specifically request it and with your consent.
Summary Care Records can only be viewed within the NHS on NHS smartcard controlled screens or by organisations, such as pharmacies, contracted to the NHS.
You have the right to object to our sharing your data in these circumstances and you can ask your GP to block uploads.
You can find out more about the SCR at: https://digital.nhs.uk/summary-care-records
There are occasions when intervention is necessary in order to save or protect a patient’s life or to prevent them from serious immediate harm, for instance during a collapse or serious injury or accident. In many of these circumstances the patient may be unconscious or too ill to communicate. In these circumstances we have an overriding duty to try to protect and treat the patient. If necessary we will share your information and possibly sensitive confidential information with other emergency healthcare services, the police or fire brigade, so that you can receive the best treatment. The law acknowledges this and provides supporting legal justifications.
Individuals have the right to make pre-determined decisions about the type and extent of care they will receive should they fall ill in the future, these are known as “Advanced Directives”. If lodged in your records these will normally be honoured despite the observations in the above paragraph.
This practice may participate in research. We will only agree to participate in any project if there is an agreed clearly defined reason for the research that is likely to benefit healthcare and patients. Such proposals will normally have a consent process, ethics committee approval, and will be in line with the principles of Article 89(1) of GDPR.
Research organisations do not usually approach patients directly but will ask us to make contact with suitable patients to seek their consent. Occasionally research can be authorised under law without the need to obtain consent. This is known as the section 251 arrangement. We may also use your medical records to carry out research within the practice.
You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to a member of staff at the practice if you wish to object.
Contract holding GPs in the UK receive payments from their respective governments on a tiered basis. Most of the income is derived from baseline capitation payments made according to the number of patients registered with the practice on quarterly payment days. The amount paid per patient per quarter varies according to the age, sex and other demographic details for each patient. There are also graduated payments made according to the practice’s achievement of certain agreed national quality targets known as the Quality and Outcome Framework (QOF), for instance the proportion of diabetic patients who have had an annual review. The practice also receives payments for participating in agreed national or local enhanced services, for instance late opening hours. The practice also receives payments for certain national initiatives such as immunisation programmes. Finally there are short term initiatives and projects that the practice can take part in. The practice, or GPs may also receive income for participating in the education of medical students, junior doctors and GPs themselves as well as research. In order to make patient based payments basic and relevant necessary data about you needs to be sent to the various payment services. The release of this data is required by English laws.
Public health encompasses everything from national smoking and alcohol policies, the management of epidemics such as flu, the control of large scale infections such as TB and Hepatitis B to local outbreaks of food poisoning or Measles. Certain illnesses are also notifiable; the doctors treating the patient are required by law to inform the Public Health Authorities, for instance Scarlet Fever. This will mean the subject’s personal and health information being shared with the Public Health organisations.
The records we keep enable us to plan for your care. The practice keeps data on you that we apply searches and algorithms to in order to identify preventive interventions. This means using only the data we hold or in certain circumstances linking that data to data held elsewhere by other organisations, and usually processed by organisations within or bound by contracts with the NHS. If any processing of this data occurs outside the practice your identity will not be visible to the processors. Only the practice will be able to identify you and the results of any calculated factors, such as your risk of having a heart attack in the next 10 years or your risk of being admitted to hospital with a complication of chest disease.
You have the right to object to our processing your data in these circumstances and before any decision based upon that processing is made about you. Processing of this type is only lawfully allowed where it results in individuals being identified with their associated calculated risk. It is not lawful for this processing to be used for other ill-defined purposes, such as “health analytics”. Despite this we have an overriding responsibility to do what is in your best interests. If we identify you as being at significant risk of having, for example a heart attack or stroke, we are justified in performing that process.
Some members of society are recognised as needing protection, for example children and vulnerable adults. If a person is identified as being at risk from harm we are expected as professionals to do what we can to protect them. In addition we are bound by certain specific laws that exist to protect individuals. This is called “Safeguarding”.
Where there is a suspected or actual safeguarding issue we will share information that we hold with other relevant agencies whether or not the individual or their representative agrees.
There are three laws that allow us to do this without relying on the individual or their representative agreement (unconsented processing), these are:
In addition there are circumstances when we will seek the agreement (consented processing) of the individual or their representative to share information with local child protection services.
North Derbyshire Clinical Commissioning Group (CCG) supports the practice to review medications prescribed to patients to ensure patients receive the most appropriate, up to date and cost effective treatments in line with CCG policies.
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:
We will never share your information outside of health partner organisations without your explicit consent unless there are exceptional circumstances such as when the health or safety of others is at risk, where the law requires it or to carry out a statutory function.
Access to your information
You have a right under the General Data Protection Regulation (2018) to request access to view or obtain copies of the information we hold about you. You do not need to give a reason to see your data. You also have the right to request that information is amended should it be inaccurate.
If you wish to access the information held about yourself by the practice you must make a request in writing and the practice will respond within 30 days. Under special circumstances information may be withheld.
Change of details
It is important that you tell the person treating you if any of your details such as your name or address have changed or if any of your details are incorrect in order for this to be amended. You are responsible for informing us of any changes so that our records are accurate and up to date.
Mobile numbers and e-mail addresses
If you provide us with your mobile phone number and/or e-mail address we may use these to send you reminders about your appointments or other health screening information. Please let us know if you do not wish to receive correspondence via mobile or e-mail.
The Practice is registered with the Information Commissioner’s Office (ICO) to describe the purposes for which they process personal and sensitive information.
If you have any concerns or are unhappy about how your information is managed by the practice please contact the Practice Manager at the surgery.
If, following a review by the practice, you are still unhappy then you can contact the Information Commissioner’s Office (ICO) at www.ico.org.uk, or on 0303 123 1113.