Privacy Notice (GDPR)
The EU’s General Data Protection Regulation was introduced to unify all EU member states’ approaches to data regulation, ensuring all data protection laws are applied identically in every country within the EU. It will protect EU citizens from organisations using their data irresponsibly and puts them in charge of what information is shared, where and how it’s shared.
‘Controllers’ and ‘processors’ of data need to abide by the GDPR. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. So the controller could be any organisation, from a profit-seeking company to a charity or government. A processor could be an IT firm doing the actual data processing.
It’s the controller’s responsibility to ensure their processor abides by data protection law and processors must themselves abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act.
As data controllers, GP’s have Fair Processing responsibilities under the Data Protection Act 1998. This means ensuring your personal confidential data (PCD) is handled in ways that are transparent and that you would reasonably expect. The Health and Social Care Act 2012 changed the way that PCD is processed, therefore it is important that patients are made aware of and understand these changes and that you have an opportunity to object and know how to do so.
The health care professionals who provide you with care maintain records about your health and any treatment or care you have received within the NHS. These records help to provide you with the best possible healthcare.
NHS health records may be processed electronically, on paper or a mixture of both, and a combination of working practices and technology are used to ensure that your information is kept confidential and secure. Records held by the surgery may include the following information:
- Details about you, eg, address and next of kin etc
- Any contacts with the surgery eg, appointments etc
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations eg, blood tests, x-rays etc
- Relevant information from other health professionals, relatives or carers
- Research approved by the Local Research Ethics Committee. (If anything to do with the research would involve you personally, you will be contacted to provide consent)
- The practice collects and holds data for the sole purpose of providing healthcare services to our patients and we will ensure that the information is kept confidential
We can disclose personal information if:
- It is required by law
- You consent, either implicitly or for the sake of your own care or explicitly for other purposes
- It is justified in the public interest
Some of this information will be held centrally and used for statistical purposes. Where we hold data centrally, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes, the Practice will always endeavour to gain your consent before releasing the information.
Under the powers of the Health and Social Care Act 2013 (HSCA) the Health and Social Care Information Centre (HSCIC) can request PCD from GP practices without seeking patient consent. Any patient can choose to withdraw their consent to their data being used in this way.
We may supply personal health data to comply with our legal obligations from time to time, as directed by the Secretary of State for Health, or other recognised Statutory Authority.
Anonymised data on the use of fit notes is being provided to the HSCIC on behalf of Department of Health, and the Department for Work and Pensions. This will enable the Department for Work and Pensions to undertake research analysis to inform policy relating to employment and sickness absence, including evaluation of Fit for Work. The practice has a comprehensive information leaflet and opt out form available from Reception.
Why we are providing this notice
We are required to provide you with this Privacy Notice by Law. It explains how we use the personal and healthcare information we collect, store and hold about you. If you are unclear about how we process or use your personal and healthcare information, or you have any questions about this Privacy Notice or any other issue regarding your personal and healthcare information, then please do contact our Data Protection Officer.
The law says:
- We must let you know why we collect personal and healthcare information about you
- We must let you know how we use any personal and/or healthcare information we hold on you
- We need to inform you in respect of what we do with it
- We need to tell you about who we share it with or pass it on to and why
- We need to let you know how long we can keep it for
The data protection officer
The Data Protection Officer for Andover Health Centre medical Practice is Laura Taw. You can contact her by email at email@example.com if:
- You have any questions about how your information is being held
- If you require access to your information or if you wish to make a change to your information
- If you wish to make a complaint about anything to do with the personal and healthcare information we hold about you
- If you wish to make a subject access request
- Or any other query relating to this policy and your rights as a patient
We, at the Andover Health Centre are a data controller of your information. This means we are responsible for collecting, storing and handling your personal and healthcare information when you register with us as a patient.
There may be times where we also process your information. That means we use it for a particular purpose and, therefore, on those occasions we may also be data processors. The purposes for which we use your information are set out in this privacy notice.
Information we collect from you
The information we collect from you will include:
- Your contact details (such as your name and email address, including place of work and work contact details)
- Details and contact numbers of your next of kin
- Your age range, gender, ethnicity, language, disability status, information we need to allow us to provide information in a more accessible format to you
- Details in relation to your medical history
- The reason for your visit to the surgery
- Medical notes and details of diagnosis and consultations with our GPs and other health professionals within the surgery involved in your direct healthcare
Information about you from others
We also collect personal information about you when it is sent to us from the following:
- A hospital, a consultant or any other medical or healthcare professional, or any other person involved with your general healthcare
- Insurance company in respect of requests for medical information, with your prior approval C. Police service in respect of a Firearms application you are making
- Social Services
- Solicitors – correspondence from them about you
- Benefit Agency
- Driving Vehicle Licensing Authority (DVLA)
- Indeed any organisation who you give permission to ask for your medical information
Summary care record
Your summary care record is an electronic record of your healthcare history (and other relevant personal information) held on a national healthcare records database provided and facilitated by NHS England.
This record may be shared with other healthcare professionals and additions to this record may also be made by relevant healthcare professionals and organisations involved in your direct healthcare.
You may have the right to demand that this record is not shared with anyone who is not involved in the provision of your direct healthcare. If you wish to enquire further as to your rights in respect of not sharing information on this record then please contact the Surgery.
Note if you do choose to opt out, you can still consent to your data being used for specific purposes. However, if you are happy with this use of information you do not need to do anything. You may however change your choice at any time.
Who we may provide your information to and why
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care Services, important information about you is collected to help ensure you get the best possible care and treatment. This information may be passed to other approved organisations where there is a legal basis, to help with planning services, improving care, research into developing new treatments and preventing illness.
All of this helps in providing better care to you and your family and future generations. However, as explained in this privacy notice, confidential information about your health and care is only used in this way where allowed by law and would never be used for any other purpose without your clear and explicit consent.
We may pass your personal information on to the following people or organisations, because these organisations may require your information to assist them in the provision of your direct healthcare needs. It, therefore, may be important for them to be able to access your information in order to ensure they may properly deliver their services to you:
- Hospital professionals such as doctors, consultants, and nurses
- Other GPs/Doctors
- Nurses and other healthcare professionals such as district nurses and midwives
- Any other person that is involved in providing services related to your general healthcare, including mental health professionals
Other people who we provide your information to
We may also provide your information for the following:
- Clinical Commissioning Groups
- Local authorities
- Community health services, such as the Care and Health Information Exchange (CHIE), formerly Hampshire Health Record
The CHIE is an electronic summary record for people living in Hampshire, Portsmouth and Southampton. GP Surgeries, hospitals, social care and community care teams collect information about you and store it electronically on separate computer systems.
The Care and Health Information Exchange stores summary information from these organisations in one place so that, with your consent, professionals can view it to deliver better care to you. This record contains more information than the SCR, but is only available to organisations in Hampshire. For more information, please visit the CHIE website.
We grant this access for the following reasons:
- For the purposes of complying with the law. Police, Solicitors, Insurance Companies
- Anyone you have given your consent to, to view or receive your record, or part of your record. If you give another person or organisation consent to access your record we will need to contact you to verify your consent before we release that record. It is important that you are clear and understand how much and what aspects of, your record you give consent to be disclosed
- Extended Access – we provide extended access services to our patients which means you can access medical services outside of our normal working hours. In order to provide you with this service, we have formal arrangements in place with the Clinical Commissioning Group and with other practices whereby certain key “hub” practices offer this service on our behalf for you as a patient to access outside of our opening hours
- This means, those key “hub” practices will have to have access to your medical record to be able to offer you the service. Please note to ensure that those practices comply with the law and to protect the use of your information, we have very robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those purposes only
- Data Extraction by the Clinical Commissioning Group. The clinical commissioning group at times extracts medical information about you, but the information we pass to them via our computer systems cannot identify you to them. This information only refers to you by way of a code that only your practice can identify (it is pseudo-anonymised). This therefore protects you from anyone who may have access to this information at the Clinical Commissioning Group from ever identifying you as a result of seeing the medical information and we will never give them the information that would enable them to do this
There are good reasons why the Clinical commissioning Group may require this pseudonymised information. For example, to better plan the provision of services across a wider locality than practice level.
The key hub practices are as follows:
- Partnering Health Limited (PHL) – currently offering appointments at Ringwood, Lymington and Winchester
- The Frailty Service
- Tri Locality Care (TLC) –currently offering appointments at Romsey and Totton
- Mid Hampshire Healthcare Ltd (MHH) – currently officering appointments at Andover
Sometimes we may provide information about you in an anonymised form. If we do so, then none of the information we provide to any other party will identify you as an individual and cannot be traced back to you.
Your rights as a patient
The law gives you certain rights to your personal and healthcare information that we hold, as set out below:
Access and subject access requests
You have the right to see what information we hold about you and to request a copy of this information.
If you would like a copy of the information we hold about you please contact our Data Protection Officer in writing. We will provide this information free of charge however, we may in some limited and exceptional circumstances have to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive.
We have one month to reply to you and give you the information that you require. We would ask, therefore, that any requests you make are in writing and it is made clear to us what and how much information you require.
You may ask us if you wish to have online access to your medical record. However, there will be certain protocols that we have to follow in order to give you online access, including written consent and production of documents that prove your identity.
Please note that when we give you online access, the responsibility is yours to make sure that you keep your information safe and secure if you do not wish any third party to gain access.
We want to make sure that your personal information is accurate and up to date. You may ask us to correct any information you think is inaccurate. It is very important that you make sure you tell us if your contact details including your mobile phone number has changed.
You have the right to ask for your information to be removed however, if we require this information to assist us in providing you with appropriate medical services and diagnosis for your healthcare, then removal may not be possible.
We cannot share your information with anyone else for a purpose that is not directly related to your health, e.g. medical research, educational purposes, etc. We would ask you for your consent in order to do this however, you have the right to request that your personal and healthcare information is not shared by the Surgery in this way.
You have the right to request that your personal and/or healthcare information is transferred, in an electronic form (or other form), to another organisation, but we will require your clear consent to be able to do this.
Third parties mentioned on your medical record
Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to confidentiality, are removed before we send any information to any other party including yourself. Third parties can include: spouses, partners, and other family members.
How we use the information about you
We use your personal and healthcare information in the following ways:
- When we need to speak to, or contact other doctors, consultants, nurses or any other medical/healthcare professional or organisation during the course of your diagnosis or treatment or on going healthcare
- When we are required by Law to hand over your information to any other organisation, such as the police, by court order, solicitors, or immigration enforcement
We will never pass on your personal information to anyone else who does not need it, or has no right to it, unless you give us clear consent to do so.
Legal justification for collecting and using your information
The Law says we need a legal basis to handle your personal and healthcare information:
- Contract: We have a contract with NHS England to deliver healthcare services to you. This contract provides that we are under a legal obligation to ensure that we deliver medical and healthcare services to the public
- Consent: Sometimes we also rely on the fact that you give us consent to use your personal and healthcare information so that we can take care of your healthcare needs
- Please note that you have the right to withdraw consent at any time if you no longer wish to receive services from us
- Necessary Care: Providing you with the appropriate healthcare, where necessary. The Law refers to this as ‘protecting your vital interests’ where you may be in a position not to be able to consent
- Law: sometimes the Law obliges us to provide your information to an organisation
The Law states that personal information about your health falls into a special category of information because it is very sensitive. Reasons that may entitle us to use and process your information may be as follows:
- Public interest: where we may need to handle your personal information when it is considered to be in the public interest. For example, when there is an outbreak of a specific disease and we need to contact you for treatment, or we need to pass your information to relevant organisations to ensure you receive advice and/or treatment
- Consent: when you have given us consent
- Vital interest: if you are incapable of giving consent, and we have to use your information to protect your vital interests. For instance, if you have had an accident and you need emergency treatment
- Defending a claim: if we need your information to defend a legal claim against us by you, or by another party
- Providing you with health care: where we need your information to provide you with medical and healthcare services
How long we keep your information for
We carefully consider any personal information that we store about you, and we will not keep your information for longer than is necessary for the purposes as set out in this privacy notice.
There is a separate privacy notice for patients under the age of 16.
If English is not your first language
If English is not your first language you can request a translation of this privacy notice. Please contact our Data Protection Officer.
If you have a concern about the way we handle your personal data or you have a complaint about what we are doing, or how we have used or handled your personal and/or healthcare information, then please contact our Data Protection Officer.
However, you have a right to raise any concern or complaint with the UK information regulator, at the Information Commissioner’s Office. For more information, please visit the ICO website.
The only website this Privacy Notice applies to is the Surgery’s website. Currently this is: andoverhealthcentre.co.uk. If you use a link to any other website from the surgery’s website, then you will need to read their respective privacy notice. We take no responsibility for the content of other websites.
We take the security of your information very seriously and we do everything we can to ensure that your information is always protected and secure. We regularly update our processes and systems and we also ensure that our staff are properly trained.
We also carry out assessments and audits of the information that we hold about you and make sure that if we provide any other services, we carry out proper assessments and security reviews.
Because we are obliged to protect any confidential information we hold about you and we take this very seriously, it is imperative that you let us know immediately if you change any of your contact details.
We may contact you using SMS texting to your mobile phone in the event that we need to notify you about appointments and other services that we provide to you involving your direct care, therefore you must ensure that we have your up to date details. This is to ensure we are sure we are actually contacting you and not another person.
If you do not wish to be contacted by text or email please notify the surgery.
Changes to our privacy notice
We regularly review and update our privacy notice.
Summary care record
For the duration of the COVID-19 pandemic extended access has been deemed necessary on a national basis.
The ICO recognises the unprecedented challenges the NHS and other health professionals are facing during the Coronavirus (COVID-19) pandemic.
Coronavirus (COVID-19) pandemic and your information
The ICO also recognise that public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.
The Government have also taken action in respect of this and on 20th March 2020 the Secretary of State for Health and Social Care issued a Notice under Regulation 3(4) of The Health Service (Control of Patient Information) Regulations 2002 requiring organisations such as GP Practices to use your information to help GP Practices and other healthcare organisations to respond to and deal with the COVID-19 pandemic.
In order to look after your healthcare needs during this difficult time, we may urgently need to share your personal information, including medical records, with clinical and non-clinical staff who belong to organisations that are permitted to use your information and need to use it to help deal with the Covid-19 pandemic.
This could (amongst other measures) consist of either treating you or a member of your family and enable us and other healthcare organisations to monitor the disease, assess risk and manage the spread of the disease. Please be assured that we will only share information and health data that is necessary to meet yours and public healthcare needs.
The Secretary of State for Health and Social Care has also stated that these measures are temporary and will expire on 30th September 2020 unless a further extension is required. Any further extension will be will be provided in writing and we will communicate the same to you.
The data protection and electronic communication laws do not stop us from sending public health messages to you, either by phone, text or email as these messages are not direct marketing.
It may also be necessary, where the latest technology allows us to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind. If you are concerned about how your information is being used, please contact our DPO using the contact details provided in this privacy notice.
Emis health data storage
A data processor acting on our behalf, EMIS Health, is changing certain technical aspects of the way in which it delivers services to us, and as part of this transition it will be moving the data which it hosts on our behalf from its own data centre to a third party data centre, which is owned and operated by Amazon Web Services (AWS).
We are informed that the way in which the AWS service operates means that there is no opportunity for AWS employees to access or view the data held within the EMIS Health allocated areas of the hosting service. The data will be encrypted both at rest and in transit and AWS will not have access to the encryption keys.
From the information provided by EMIS Health, we are satisfied that the security; availability; integrity and confidentiality, of the patient data will improve as a result of the move to the AWS data service. This change does not affect the underlying processing and the manner in which the processing is controlled by the practice (either directly or indirectly via NHS Digital) and from the practice’s and patient’s perspective nothing will change as a result of this technical/background switch
For more information, please contact our Data Protection Officer, Laura Taw by
- Email on firstname.lastname@example.org
We keep records about you and your health so we can look after you. This includes:
- Your name, where you live and how old you are
- Who you live with and who looks after you
- What care we have given you
- Any photographs we take of you
- Results and scans of your body like X-Rays
We keep this information on:
- Paper medical records
People in the practice who look after you can use your information to look after you. Sometimes we might need to share your records with other people who look after you, such as the hospital or another doctor or nurse.
People who use your information cannot tell anyone about what you say to them, unless they are worried about your safety, or the safety of someone else. Sometimes we need to use your information to help other people, to teach them or learn new things. We will remove your name, age and where you live so no one will know it’s about you.
If you want to look at your records or if you have some questions about them, or don’t think they are correct, please ask a member of staff and we can help. Ask your doctor or nurse any questions you want. You can also speak to the Data Protection Officer whose job it is to help us keep your information safe and private.
How we use your medical records
This information has been created in partnership with your GP Practice and Mid Hampshire Healthcare Ltd (MHH). MHH is a GP federation created to support your GP practice and enhance the delivery of healthcare services to all patients within the local area:
- This practice handles medical records in-line with laws on data protection and confidentiality
- We share medical records with those who are involved in providing you with care and treatment
- In some circumstances we will also share medical records for medical research, for example to find out more about why people get ill
- We share your information when the law requires us to do so, for example, to prevent infectious diseases from spreading or to check the care being provided to you is safe
- You have the right to be given a copy of your medical record
- You have the right to object to your medical records being shared with those who provide you with care
- You have the right to object to your information being used for medical research and to plan health services
- You have the right to have any mistakes corrected and to complain to the Information Commissioner’s Office. The Information Commissioner’s Office is an independent UK authority set up to uphold information rights. Please visit their website www.ico.org.uk for further advice