Privacy Policy

GPs have responsibilities as an organisation that processes personal information (data controllers); these are regulated by law under the General Data Protection Regulation. This means ensuring that your personal confidential data (PCD) is handled in ways that are lawful, safe, transparent and what you would reasonably expect.

The Health and Social Care Act 2012 changed the way that personal confidential data is processed. Therefore, it is important that you are made aware of these changes and understand them so that you have an opportunity to object if you wish.

Patient Identifiable Data

Personal data relates to an individual who can be identified from that information. Identification can be by the data alone or in conjunction with any other information in the data controller’s possession or likely to come into their possession.

The processing of personal data is governed by the General Data Protection Regulation (the ‘GDPR’). This new regulation applies from 25th May 2018.

How do we process your personal data?

Health care professionals maintain records about your health and any treatment or care you have received within the entire NHS. These records help to deliver the best possible healthcare.

NHS health records may be processed electronically, on paper or both. A combination of working practices and technology is used to ensure that your information is kept confidential and secure. Records held by this GP Practice may include the following information:

  • Personal Details such as address, contact telephone number and date of birth.
  • Any contact the surgery has had with you
  • Notes and reports about your health
  • Details about your treatment and care and prescribed medication
  • Results of investigations
  • Relevant information from other health professionals, relatives or carers

What is the legal basis for processing your personal data?

As a practice we collect and hold data in order to provide healthcare services and we will ensure that the information we possess remains confidential. There are some circumstances in which we will share personal information; these include:

  • If it is required by law
  • We receive your consent
  • It is justified in the public interest

Some of this information will be held centrally and used for statistical purposes. Where we hold data centrally, we take strict measures to ensure that all patient identifiable data is removed.

Sharing your personal data

Sometimes your information may be required for research purposes. The Practice will always endeavour to gain your consent before releasing any personal information.

Under the Health and Social Care Act 2012 (HSCA) the Health and Social Care Information Centre (HSCIC) can request Personal Confidential Data (PCD) from GP Practices without seeking the patient’s consent. Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care.

All patients have a right to object to their PCD being used in this way under the GDPR. In order to provide you with the opportunity to do this, the practice will make patients aware that a new data sharing scheme will be taking place by displaying notices both in the surgery and on our practice website.

With whom data could be shared

Below is a list of organisations that we may have to share your information with. Any data shared will be subject to strict agreement on how it will be used.

  • NHS and specialist hospitals
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private and Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups and NHS England
  • Social Care Services and Local Authorities
  • Education Services
  • Emergency services e.g. Police, Fire and Rescue Services
  • Other ‘data processors’ during specific project work e.g. Diabetes UK

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully and for legitimate purposes in accordance with the GDPR (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security.

All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold patient confidentiality; failure to do so could result in disciplinary procedures. Only a limited number of authorised staff have access to personal information where it is appropriate to their role, and this is strictly on a need-to-know basis.

We maintain our duty of confidentiality to you always. We will only ever use or pass on your personal data or information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.

Your rights and your personal data

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data:

  • The right to request a copy of your personal data which this practice holds about you;
  • The right to request that this practice corrects any personal data if it is found to be inaccurate or out of date;
  • The right to request that your personal data is erased where it is no longer necessary for the practice to retain such data. Please note, however, that for patients at this practice, records will be retained for as long as is necessary;
  • The right to withdraw consent to the processing at any time (as mentioned above)
  • The right to data portability
  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request that a restriction is placed on further processing;
  • The right to lodge a complaint with the Information Commissioner’s Office (details below)

Contact Details

If you have any concerns about how your information is managed or wish to object to any of the data collection at the Practice, please contact the Practice Manager or your healthcare professional to discuss your concerns and how the distribution of your personal information can be restricted. All patients have the right to change their minds and reverse a previous decision; this can be done by contacting the practice.

If you would like to make a ‘data access request’ please contact the practice in writing. We aim to respond to your request within one calendar month or two months if the request is complex.

It is the responsibility of all employees of the practice to report suspected breaches of information security to the Practice lead and Data Protection Officer without delay.

The Practice is registered as a data controller with the ICO. The registration number is Z6526535 and can be viewed online in the public register at: ico.org.uk. You can contact the ICO on:

Should we need to make any changes to this notice in the future, they can be found on our practice website and on our practice notice board.