This Privacy Notice has been published to provide information for our registered patients on what to expect in relation to how we control and process your personal information which we collect, handle and process.
Who we are
Your GP Practice is part of the NM Health Innovation Ltd Surgery Group which currently includes, Buckshaw Village Surgery, Adlington Medical Centre, Eaves Lane Surgery, Medicare Unit Surgery, Croston Medical Centre and The Village Surgery Lostock Hall – and with others expected to be incorporated).
Buckshaw Village Surgery
Unity Place
Buckshaw Village
Chorley
PR7 7HZ
Adlington Medical Centre
22-24 Babylon Lane
Anderton
Chorley
PR6 9NW
Eaves Lane Surgery
Tatton Gardens
Eaves Lane
Chorley
Lancashire
PR6 0QA
Medicare Unit Surgery
1 Croston Road
Lostock Hall
Preston
PR5 5RS
Croston Medical Centre
30 Brookfield
Croston
Leyland
PR26 9HY
The Village Surgery Lostock Hall
1 William Street
Lostock Hall
Preston
PR5 5RZ
Dr Nimalendran Muttucumaru of Unity Place, Buckshaw Village Surgery, Chorley, PR77HZ is the independent healthcare provider who delivers services for all registered patients. Dr Muttucumaru and his team are approved by the NHS to provide Primary Care services (Under the General Medical Service, Primary Medical Service and Alternative Provider Medical Service) contracts to NHS patients. We also treat private patients. Our organisation is categorised under the incoming GDPR regulations as a Public Body for Adlington/Eaves Lane/Medicare Croston and The Village (Lostock Hall) Surgeries (Buckshaw Village Surgery contract is not categorised as a public body)
Why issue a privacy notice?
We care about your personal data and it is important that you know how we use it and how we keep it safe. We recognise the importance of protecting personal and confidential information in all that we do to provide patients with the reassurance they need, but also to meet out legal and regulatory duties. This notice is one of the ways in which we can demonstrate our commitment to our values and being transparent and open and commitment to our values of respecting diversity, acting with integrity and demonstrating compassion, striving for excellence and listening to our patients. This notice covers how, when and why we use your information it also explains the choices you can make about the way in which we use your information and how you have the right to change your mind at any time. This notice applies to all information held by our organisation relating to individuals, whether you are a patient, service user, member of staff or contractor. This privacy notice is not exhaustive however and is subject to change. We review our privacy notice on an annual basis, with the last review having taken place in August 2018.
Types of Information we hold
We need to use information about you in a variety of forms and we will only ever use the minimum amount of information necessary for the purpose. Our organisation processes several different types of information:
-
Identifiable
Containing details that identify an individual (ie: Name/Address/DOB)
-
Pseudonymised
Information where individuals can be identified by using a coded reference which does not show their ‘real world’ identity
-
Aggregated
Statistical information about a group of individuals that has been combined to show trends or used for benchmarking
All records we hold may be on paper and/or in electronic computer systems.
What are we governed by
Any personal data of yours that we handle will be processed in accordance with all applicable data protection laws in force from time to time. We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- Data Protection Act 2018
- Human Rights Act 1998
- Access to Health Records Act 1990
- Freedom of Information Act 2000
- The Common Law Duty of Confidentiality
- Health and Social Care Act 2012/2015
- Public Records Act 1958
- The Re Use of Public Sector Information Regulations 2015
- The Environmental Information Regulations 2004
- Computer Misuse Act 1990
- The Care Record Guarantee for England
- The Social Care Record Guarantee for England
- International Organisation for Standardisation (ISO)
- Information Security Management Standards (ISMS)
- Accessible Information Standards (AIS)
- General Data Protection Regulations (GDPR) – Post 25th May 2018
- NHS Codes of Confidentiality, Information Security and Records Management
- Information: To Share or Not to Share Review
The General Data Protection Regulation (GDPR) is an EU Regulation which became law in the UK on 5 May 2018. The GDPR should be read alongside the UK Data Protection Act 2018 (DPA 2018). The GDPR and the DPA 2018 replace the Data Protection Act 1998. Changes to our data handling obligations will be introduced accordingly.
Who are we governed by
Department of Health: www.gov.uk/government/organisations/department-of-health
Information Commissioners Office: ico.org.uk
Care Quality Commission: www.cqc.org.uk
NHS England: www.england.nhs.uk
All of our GP’s, nurses and allied health professionals are also regulated and governed by professional bodies including royal colleges.
What is the legal basis for processing the information?
There must be a lawful basis for all processing of personal data – unless there is an exemption or derogation). The lawful basis’ terms and definitions for processing your personal data have changed with the GDPR regulations. In processing your data we have identified which lawful basis applies (some information may be processed for multiple lawful basis reasons). This lawful basis’ are:
-
Consent
Clear consent has been given to process personal data for a specific purpose.
-
Contract
Processing is necessary for a contract held with an individual
-
Legal Obligation
Processing is necessary to comply with the law
-
Vital Interests
Processing is necessary to protect someone’s life
-
Public Task
Processing is necessary to perform a task in the public interest or an official function or where there is a clear basis in law.
-
Legitimate Interests
Processing is necessary for an individual’s legitimate interests or those of a third party.
Additionally, there are further conditions for processing special category data under the GDPR (similar to the conditions under Schedule 3 of the Data Protection Act 1998 for processing of sensitive personal data.) These conditions are:
-
The data subject has given explicit consent to the processing of their personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
-
Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
-
Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
-
Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
-
Processing relates to personal data which are manifestly made public by the data subject;
-
Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
-
Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
-
Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
-
Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
-
Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
The information we collect
We may collect, hold and process personal confidential information about you which will be used to support the delivery of appropriate care and treatment. This is to support the provision of high quality care. Information will be collected at many stages, including registration, each contact with the practice and provided to us via other Health Care professionals. It may also include personal sensitive information such as sexuality, race, your religion or beliefs, and whether you have a disability, allergies or health conditions. It is important for us to have a complete picture, as this information assists staff involved in your care to deliver and provide improved care, deliver appropriate treatment and care plans, to meet your needs.
Information is collected in a number of ways, with the main methods detailed below:
A. Information collected and processed for registration purposes is as follows:
- Your title
- Your Name (Family/Given/Middle/Alias)
- Your previous Family Name
- Your Date of Birth (DOB) and Age.
- Your country of birth *
- Your place of birth *
- Your NHS Number *
- Your gender * (As per current NHS Number) *
- Your religion *
- Your Marital Status
- Your Ethnicity *
- Your main language *
- Your home address (and/or your residential status (ie: Homeless )
- Access instructions
- Your telephone number(s) – Home/Work/Mobile (and emergency contact)*
- Other contact details (Fax Number – Video Conferencing details)
- Your Primary and Secondary email address
- Your preferred contact method.
- Your previous home address
- Your temporary address
- Details of your assigned Usual GP *
- Details of your previous GP *
- Your Hospital Number (if applicable) *
- Where records are kept (if applicable) *
- Your old NHS number (if applicable) *
- Details of your assigned surgery *
- Your Transport Needs *
- Your Advocacy Needs *
- Details of your assigned CCG *
- Details of Residential Institute *
- Rural information required for access
- Next of Kin details
- Contact details (as above) of Carer and/or those with power of attorney *
- Your notification preferences for SMS and E mail notifications
- Your registration type presentation *
- Information relation to Armed Services Medical cover (enlistment and/or leaving dates)
- Additional miscellaneous information useful for the provision of service. *
On registration all patients are generated a unique Patient Record Number (EMIS No)
The GDPR legal basis relating to this data is as follows:
- legal obligation
- vital interests
- contract
In the case of Adlington/Eaves Lane/Medicare Unit/Croston and Village (Lostock Hall) Surgeries, this data is also collected for
For Buckshaw Village Surgery this data is also collected for
The data collected marked with an * is also held under special category conditions
- Processing is necessary for the purposes medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.
- Processing is necessary for reasons of public interest in the area of public health
- Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
B. Information collected and processed during consultations -treatment:
- A summary of the discussion (consultation) between Clinician and patient
- Current Problems/Symptoms/Conditions
- Previous Problems/Symptoms/Conditions (Past History)
- Family History of Conditions
- Any allergies
- An description of findings following an examination
- Any social/demographic observations relating to consultation
- Details of follow up activities relating to problem/symptom/conditions
- Details of any procedures (planned or past) carried out.
- Miscellaneous Comments relating to consultation or patient
- Any test requests required
- Any onward referral requests
- Documentation that is required to be stored to patient record.
- Details of Medication (current/past)
- Name of Medication
- Dosage
- Quantity
- Duration
- Prescription Type (Acute/Repeat)
- Authorising Clinician
This information may be collected and captured using system algorithms (IE Body Mass index) or imported into the record using diagnostic equipment.
The GDPR legal basis relating to this data is as follows:
In the case of Adlington/Eaves Lane/Medicare Unit/Croston and Village (Lostock Hall) Surgeries this data is also collected for
For Buckshaw Village Surgery this data is also collected for
Additionally in the case of Medication, information is also held under:
All of this data is held under following special category data definitions:
- Processing is necessary for the purposes medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.
- Processing is necessary for reasons of public interest in the area of public health
- Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
C. Information collected and processed following consultations - treatment:
Following each patient interaction, patient information is stored in our patient record database to provide a full historical care record for current and future treatment
- A record of all consultations showing
- All information outlined in Section B above.
- Date
- Time
- Consulting Clinician/Person
- A record of all medication issued/taken (current and past) showing
- All information outlined in Section B above.
- Date
- Indication of usage (Average and Current)
- Last issue date and Issue Method (Electronic or manual)
- Prescription Destination
- A record of all problems/conditions/treatments showing
- Defined by national clinical coding and terminology
- Sorted by Active and Past problems (significant or minor)
- Listed by Onset date.
- A record of all practice generated investigations showing
- Date received
- Investigation Type (term) ie: Serum Cholesterol
- Values (results)
- Range indication (if applicable)
- Requesting Clinician/Person
- Clinician authorising investigation is saved to patient record.
- A diary record of all future practice based appointments/procedures or treatments due showing:
- Planned Date
- Type of Interaction
- Details from clinical record
- A record and electronic version of all internal and external documentation relating to patient (for example: Hospital Discharge Notes, Referral Documentation, Diagnostic results and practice letters) showing:
- Date received
- Document Type
- Document Title
- Full electronic attachment with content
- A record and summary of all practice generated patient referrals showing:
- Date referral sent
- Referral Title/Term
- Receiving Body
- Referring Clinician
- Status of Referral (Active/Ended)
- A record and summary of all practice generated patient referrals showing:
- Date referral sent
- Referral Title/Term
- Receiving Body
- Referring Clinician
- Status of Referral (Active/Ended)
Additionally, all the above information is grouped into a full historic (listed and sorted by – Day-Month-Year) to form a patient’s Care Record view. All medical terminology has a national clinical code applied to allow data to be grouped and targeted.
Each patient record is summarised to provide an overview for practice and other health professionals – this summary care record view provides:
- List of Current-Active Problems/Conditions
- List of Repeat Medication
- List of known Allergies
- List of recent contacts with practice
- Details of what Record Sharing consents apply to the patient record.
The GDPR legal basis relating to this data is as follows:
In the case of Adlington/Eaves Lane/Medicare Unit/Croston and Village (Lostock Hall) Surgeries, this data is also collected for
For Buckshaw Village Surgery this data is also collected for
Additionally in the case of Medication, information is also held under:
All of this data is held under following special category data definitions:
- Processing is necessary for the purposes medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.
- Processing is necessary for reasons of public interest in the area of public health
- Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
D. Information collected and processed on request for appointment or when booked into service
Patients attending the surgery (in person or via appointment booking via telephone/online sources) have the following information (added systemically from patient database) inserted into the appointment system
- Your title
- Your Full Name (Given and Surname)
- Your Date of Birth (DOB) and Age.
- Emis & NHS Number
- Telephone Number (Home/Work/Mobile)
- E mail address
Additional information is captured at point of patient contact as follows:
- Reason for Appointment
- Booking notes
The GDPR legal basis relating to this data is as follows:
In the case of Adlington/Eaves Lane/Medicare Unit/Croston and Village (Lostock Hall) Surgeries, this data is also collected for
For Buckshaw Village Surgery this data is also collected for
All of this data is held under following special category data definitions:
- Processing is necessary for the purposes medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.
- Processing is necessary for reasons of public interest in the area of public health
- Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
E. Information collected and processed by medical diagnostic equipment
We use a number of specialist medical equipment for the purpose of diagnosis, treatment and condition monitoring. Dependant on the device in question, patient data is captured and processed either:
- Directly into the device
- Onto PC software
- In paper format
In a number of cases, this information is pulled directly from the clinical system, in other cases this will be input by the practice at point of patient contact. Data collected and processed differs for each device but is limited to:
- Your title
- Your Full Name (Given and Surname)
- Your Date of Birth (DOB) and Age.
- A patient identifiable number (ordinarily NHS Number or Emis – but unique in some cases)
- Telephone Number (Home/Work/Mobile)
- Result of specific test/diagnosis/monitoring
- Historical results if applicable
The GDPR legal basis relating to this data is as follows:
In the case of Adlington/Eaves Lane/Medicare Unit/Croston and Village (Lostock Hall) Surgeries, this data is also collected for
For Buckshaw Village Surgery this data is also collected for
Additionally in the case of Medication, information is also held under:
All of this data is held under following special category data definitions:
- Processing is necessary for the purposes medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.
- Processing is necessary for reasons of public interest in the area of public health
- Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
F. Information collected and processed during telephone conversations
Telephone calls into and out of the surgery may be recorded. These recordings are stored and retrievable via a systemic database. The following information is stored:
- Telephone Number making call into practice
- Receiving extension
- Date of call
- Time of call
- Duration of Call
- A digital recording of the call * Sensitive - F
The GDPR legal basis relating to this data is as follows:
With regards the digital recording of calls (marked with * above) the data is held under following special category data definition:
- Processing is necessary for the establishment, exercise or defence of legal claims.
G: Information held in Paper Format
All registered patients will have their GP Paper Records (commonly known as Lloyd George Notes) sent to us for the duration of registration. These paper records are centrally managed by the Primary Care Support England medical records service and transported to and from General Practices across England when a patient registers are leaves a practice. All patients will have a set of notes created on registration of birth. Each folder or the ‘Lloyd George Envelope’ details the following:
- Gender (as per current NHS number)
- Surname
- Forename
- Date of Birth
- Status (Single/Married/Widow(er))
- NHS Number
- Address
- Telephone Number(s)
- Subsequent Addresses
- Occupation and Years of Occupation
- Date of Death
- Cause of Death
With the introduction of electronic care record systems, the notes a now a historic record of interactions with GP’s prior to registration with us. Included in the folders are paper copies of:
- Handwritten Consultations
- Patient Correspondence (Practice and Hospital)
- Results
- Other miscellaneous Health records (eg: Child Vaccination charts)
On receipt of notes, we summarise key clinical problems and conditions and in cases where previous GP’s have not done so we will also scan documents to provide a digital copy on the electronic care record.
The GDPR legal basis relating to this data is as follows:
- legal obligation
- vital interests
In the case of Adlington/Eaves Lane/Medicare Unit/Croston and Village (Lostock Hall) Surgeries, this data is also collected for
For Buckshaw Village Surgery this data is also collected for
The data collected marked with an * is also held under special category conditions
- Processing is necessary for the purposes medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.
- Processing is necessary for reasons of public interest in the area of public health
- Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
How we use the information
We aim to provide you with the highest quality of health care. We use the information we hold about you to:
- Help inform decisions that we make about your care.
- Ensure that your treatment is safe and effective.
- Work effectively with other organisations who may be involved in your care.
- Support the health of the general public.
- Ensure our services can meet future needs.
- Review care provided to ensure it is of the highest standard possible.
- Train healthcare professionals.
- For Research and audit.
- Prepare statistics on NHS performance.
- Monitor how we spend public money.
Specific to your primary care needs, we use information to:
- Provide patient consultations in the surgery, at home, by telephone and via the internet.
- Manage repeat prescriptions
- Provide targeted and specialist disease clinics, for example diabetes
- Manage incoming and outgoing correspondence and related actions, for example patient referrals and following up pathology test results
- Enable practice administrative functions to be completed
- Provide leadership and participation in our CCG
- Provide clinical sessions in primary and/or secondary care settings as GP Out of Hours, GP with special interest (GPwSL) or clinical assistant roles
- To train GP trainees
- To provide external or non-NHS related work, for example prison care, private medical officer, medicolegal work, employment tribunals and high-cose drugs appeal tribunals.
There is huge potential to use your information to deliver care and improve health and care services across the NHS and social care. The information can be used to help:
- Improve individual care.
- Understand more about disease risks and causes.
- Improve diagnosis.
- Develop new treatments and prevent disease.
- Plan services.
- Improve patient safety.
- Evaluate Government, NHS and Social Care policy.
It helps you because:
- Accurate and up-to-date information assists us in providing you with the best possible care.
- If you see another healthcare professional, specialist or another part of the NHS, they can readily access the information they need to provide you with the best possible care.
- Where possible, when using information to inform future services and provision, non-identifiable information will be used
How information is retained and kept safe?
Information is retained in secure electronic and paper records and access is restricted to only those who need to know.
It is important that information is kept safe and secure, to protect your confidentiality. There are a number of ways in which your privacy is shielded; by removing your identifying information, using an independent review process, adhering to strict contractual conditions and ensuring strict sharing or processing agreements are in place.
The Data Protection Act 1998 and future GDPR regulates the processing of personal information. Strict principles govern our use of information and our duty to ensure it is kept safe and secure.
All our practices are registered with the Information Commissioners Office (ICO). Details of our registration can be found on:
ico.org.uk/esdwebpages/search
Enter our registration number (Z2888550) and click ‘search register: Z2888550
All practices are registered under Buckshaw Village Surgery’s registration number.
Technology allows us to protect information in a number of ways, in the main by restricting access. Our guiding principle is that we are holding your information in strict confidence.
How do we keep information confidential?
Everyone working for our organisation is subject to the Common Law Duty of Confidentiality and the Data Protection Act 1998 (to be replaced with the GDPR Regulations).
Information provided in confidence will only be used for the purposes to which you consent to, unless there are other circumstances covered by the law.
Under the NHS Confidentiality Code of Conduct, all employees are required to protect information, inform you of how your information will be used and allow you to decide if and how your information can be shared. This will be noted in your records.
All employees are required to undertake annual training in data protection, confidentiality, IT/cyber security, with additional training for specialist, such as healthcare records, data protection officers and IT staff.
Some of our buildings are shared with other Health Care Professionals. Access to your records is controlled via electronic means and through secure and lockable rooms and storage. Where there is an unavoidable need for non-practice employed staff to access areas where your data can be accessed, a confidentiality agreement is signed and evidence of NHS Confidentiality Code of Conduct training completion is required prior to access being granted.
Clinical placements for students commonly take place within the NHS. Students, such as GP trainees, student nurses, could be receiving training in the service that is caring for you. This may be when you are in consultation or when you are being visited by health or social care staff at home. If staff would like a student to be present during a consultation they will always ask for your permission before that meeting or episode of care. The treatment or care you receive will not be affected if you refuse to have a student present during your episode of care.
Non-patient facing Contractors (such as building engineers etc) are required to sign legal binding confidentiality agreements prior to being granted access to common areas.
Who will the information be shared with?
To provide best care possible, sometimes we will need to share information about you with others. For your benefit, we may need to share information from your records with NHS and non-NHS organisations, from which you are also receiving care, such as social services or private healthcare organisations. However, we will not disclose any health information to third parties without your explicit consent, unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires the disclosure of information.
We may share your information with a range of Health and Social Care organisations and Health regulatory bodies. These include but are not limited to:
- Acute Trust Organisations/Hospitals – ie: Lancashire Teaching Hospitals
- Community Trust Organisations – ie: Lancashire Care Foundation Trust
- Private Commissioned Health Providers (ie: Virgin Health Care)
- Out of Hours GP providers (ie: Go2Doc)
- Other GP providers
- The Care Quality Commission (CQC)
- NHS England
- Clinical Commissioning Group
- The Department of Health
- Public Health England
You may be contacted by any one of these organisations for a specific reason; they will have a duty to tell you why they have contacted you. Information sharing is governed by specific rules and law.
We may also be asked to share basic information about you, such as your name and parts of your address, which does not include sensitive information from your health records.
Generally, we would only do this to assist them to carry out their statutory duties (such as usages of healthcare services, public health or national audits).
In these circumstances, where it is not practical to obtain your explicit consent, we are informing you through this notice, which is referred to as a Privacy Notice, under the Data Protection Act and future GDPR.
Where patient information is shared with other non-NHS organisations, an information sharing agreement is drawn up to ensure information is shared in a way that complies with relevant legislation.
Non-NHS organisations may include, but are not restricted to:
- Local Authorities (Social Care) – ie: Lancashire County Council
- Education services
- The police
- Voluntary sector providers
- Private sector providers
Your Rights under GDPR?
Under the new GDPR regulations, you have rights to the following key principles regarding your data:
-
The right to be informed
This document provides the core information required under your rights to be informed and further information will be provided and available following the full publication of the GDPR regulations.
-
The right of access
The GDPR includes a best practice recommendation that, where possible, organisations should provide remote access to a secure self-service system which would provide an individual with direct access to their personal data. Our organisation provides free secure access to your medical records and we encourage all patients to take up this service. Requests made for data under the GDPR will be provided within 4 weeks (30 days) of request and if available ordinarily available free of charge (if your request is unfounded or excessive - where we may charge a reasonable fee or refuse to comply). Due to the highly sensitive nature of the data we hold we do not provide access directly to Third Party organisations but instead consider requests for access that are received directly from the Data Subject (Patient) or their advocate (in circumstances where the Data Subject is a child or an adult under care). Requests should be made using a Subject Access Form (full instructions are contained within) and following successful Identification checks.
-
The right to rectification
Should you become aware of data relating to you that is either inaccurate or incomplete then under the GDPR, this should be rectified within one month. Please contact the surgery should you become aware of any data inaccuracies.
-
The right to erasure
The GDPR has introduced a principle to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. As your health records relate to your health needs and provide clinical members of staff with the information to treat you safely and effectively, such requests would be considered on a case by case basis and are not absolute. Our organisation would refuse requests for erasure where the personal data is processed for the following reasons:
-
To comply with our legal obligations for the performance of a public interest task or exercise of official authority.
-
For public health purposes in the public interest;
-
Archiving purposes in the public interest, scientific research historical research or statistical purposes; or
-
The exercise or defence of legal claims.
-
The right to restrict processing
You may request we restrict the processing of your personal data in the following circumstance if you:
-
Contest the accuracy of the personal data, (we would do so until the accuracy is verified
-
Believe the processing is unlawful and you requests restriction as opposed to erasure.
-
If you belief we no longer need the personal data but you require the data to establish, exercise or defend a legal claim
-
The right to data portability
The GDPR allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The NHS offers data portability through the Patient Access systems, but due to complexity of some investigation and results on medical records it is not always possible to offer this in other formats. Please contact your surgery to discuss any individual requests.
-
The right to object
The GDPR offers individuals have the right to object to:
-
Processing based on legitimate interests or the performance of a task in the public
-
interest/exercise of official authority (including profiling)
-
Direct marketing (including profiling); and
-
Processing for purposes of scientific/historical research and statistics.
This Privacy Notice informs individuals of the right to object
Objections must be on “grounds relating to your particular situation”.
Processing WILL be stopped unless there are compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or the processing is for the establishment, exercise or defence of legal claims.
This privacy notice draws your attention to the essential need to hold and use all communication methods/means you provide in order to provide your care. We will attempt to contact you using all provided contact details – regardless of opt out preferences – when it is required to make contact with you. This includes – but is not limited to:
- Invitation for Health Screening via Letter/Phone/SMS/Email
- Health Information via Letter/SMS/E mail
- Urgent Recall/contact via Letter/SMS/E mail
H. Rights in relation to automated decision making and profiling.
The GDPR has additional rules to protect individuals if we carry out solely automated decision-making that has legal or similarly significant effects on them. We can only carry out this type of decision-making where the decision is:
- Necessary for the entry into or performance of a contract; or
- Authorised by union or member state law applicable to the controller; or
- Based on the individual’s explicit consent.
This privacy notice draws your attention to the importance of automated decision making medical equipment that is used in the process of delivering life-saving treatment. We use a number of medical diagnostic tools that would be necessary for the performance of the ‘contract’. These include but are not limited to:
- International Normalised Ratio (INR) decision making tools. (used to determine Warfarin and anti-coagulation therapy/medication dosage.)
- Defibrillators (Used to treat sudden cardiac arrest, checking a patient’s heart rhythm and sending an electric shock to the heart to try to restore a normal rhythm.
For full details on these rights, more information can be found at ico.org.uk. Some of these rights may be limited with regards Health Records, and as the GDPR regulations are incorporated in UK law, further clarification will be provided.
Objections / Complaints
Should you have any concerns about how we manage and control your information please contact the GP Practice Manager at your home surgery in the first instance. We will endeavor to address your concerns to a mutual satisfaction. If you remain unhappy following our review you can then complain to the Information Commissioners Office (ICO) via their website www.ico.org.uk, casework@ico.org.uk, or by telephone: 0303 123 1113 (local rate) or 01625 545 745
Please note, this Privacy Notice may be changed by us from time to time. This Privacy Notice will be updated in due course to comply with the further requirements under the GDPR which came into force on 25 May 2018.
Our organisation has appointed a Data Protection Officer who will be appointed to oversee these important requirements.