Privacy Policy

Health records play a vital role in the health care of patients – both storing important clinical information that is essential to your care and being used to improve public health and services.

 

Why we collect information about you

We aim to provide you with the highest quality health care. In order to do this we must keep records about you, your health and the care we have provided or plan to provide to you.

Your doctors and other health professionals caring for you (such as nurses, health visitors, physiotherapists, clinical pharmacists, midwives, occupational therapists, dieticians, speech and language therapists and others) keep records about your health and treatment so that they are able to provide you with the best possible care.

These records are called your ‘health care record’ and may be stored in paper form or on central computer databases; they may include:

  • basic details about you, such as your address, date of birth, telephone number, mobile phone number, email address and next of kin
  • contact we have had with you, such as clinical visits
  • notes and reports about your health
  • details and records about your treatment and care
  • vaccinations, results of X-rays, laboratory tests, etc.

The information in your health care record comes from a variety of sources including:

  • Information patients have provided about themselves
  • Information provided by family members or carers
  • Information from other health care professionals (both private and NHS)
  • Information from other services such as the ambulance service, the police, the armed forces, adult and children’s services or county councils
  • Information from private companies such as insurance companies or lawyers

Information sharing

Information about you will be shared with others in the following circumstances:

  • to provide further medical care for you (for example from district nurses, hospital staff and other community service providers)
  • to help you get other services you require (for example from district councils or social work department, as well as ambulance/hospital transport services)
  • when we have a duty to others (for example in child protection safeguarding cases or when anonymized patient information is used to plan services at a local or national level by the NHS)
  • with your consent, to help you when you are dealing with government agencies such as DWP, HSE, DVLA, The British Forces, or private organisations such as insurance companies and care homes
  • if we are required to do so by legislation

Our guiding principle is that we hold your records in strict confidence

We have a duty to:

  • maintain full and accurate records of the care we provide to you
  • keep records about you confidential, secure and accurate
  • Provide information in a format that is accessible to you (for example, in large type if you are partially sighted)

We will not share information that identifies you for any reason unless:

  • the information is required for you to access medical care
  • you ask us to do so
  • we ask and you give us specific permission
  • we have to do this by law
  • we have special permission for health or research purposes
  • we have special permission because the interests of the public are thought to be of greater importance than your confidentiality

How your records are used to help you

Your health care record is used to ensure that:

  • health care professionals looking after you have accurate and up-to-date information about you to help them decide on any future care you may require
  • full information is available should you see another doctor or be referred to a specialist or another part of the NHS
  • there is a good basis for assessing the type and quality of care you have received
  • Your concerns can be properly investigated if you need to complain

Your health care record is also used to help the NHS with:

  • looking after the health of the general public as well as yourself, e.g. notifying central NHS groups of outbreaks of infectious diseases in order to control these
  • reporting events to the appropriate authorities when we are required to do so by law, e.g. child protection, notification of deaths
  • paying your care provider (GP or hospital) for the care you have received
  • the audit of NHS accounts and clinical audit of the quality of services provided
  • reporting, investigating and dealing with complaints, claims and untoward incidents
  • planning services to ensure we meet the needs of our population in the future
  • preparing statistics on our performance for the Department of Health
  • reviewing our care to make sure that it is of the highest standard
  • teaching and training health care professionals
  • conducting health research and development

 

Anticipating and planning your care in advance (risk stratification)

This is a process that helps your GP to help you manage your health.

By using selected information from your health records, a secure NHS computer system can look at recent medical details and at your existing health conditions. This will alert your doctor to the likelihood of a possible deterioration in your health. The clinical team at the surgery can use the information to help you get early care and treatment where it is needed.

The information will only be seen by qualified health workers involved in your care. Our security systems will protect your health information and patient confidentiality at all times.

Financial validation

The Clinical Commissioning Group (CCG) has contracted NHS South, Central & West Clinical Support Unit (CSU) to use limited information about individual patients to validate financial invoices received for your healthcare. This service ensures that the invoice is accurate and genuine and supports our CCG in ensuring public monies are spent appropriately.

This service is performed in a secure environment and will be carried out by a limited number of authorised NHS South, Central & West CSU staff. These activities and all identifiable information will remain within a Controlled Environment for Finance (CEfF) approved by NHS England.

How the NHS keeps your information safe

Everyone working for the NHS has a duty to keep your information confidential and secure.

However, from time to time, there may be a need to share some or all of your information with other health care professionals or NHS organisations so that we can work together to provide the best possible care.

We will only ever share your information if it is in the best interests of your NHS care.

We will not disclose any information that identifies you to anyone outside your care team without your express permission unless in exceptional circumstances, such as where we are required to do so by law.

Third party processors

In order to deliver the best possible service, the practice will share data (where required) with other NHS bodies such as other GP practices and hospitals. In addition, the practice will use carefully selected third party service providers. When we use a third party service provider to process data on our behalf, we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:

  • Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and the services accessible through it); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc.
  • Delivery services (for example if we were to arrange for delivery of any medicines to you).
  • Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).

 

The NHS Care Record Guarantee

This sets out the rules that govern how patient information is used in the NHS and what control you can have over this. It covers:

  • people's access to their own records
  • controls on others' access
  • how access will be monitored and policed
  • options people have to further limit access
  • access in an emergency
  • What happens when someone cannot make decisions for themselves

Everyone who works for the NHS or for organisations delivering services under contract to the NHS has to comply with this guarantee which was first published in 2005 and is regularly reviewed by the National Information Governance Board to ensure it remains clear and continues to reflect the law and best practice. It was last reviewed in January 2011.

Please read the NHS Care Record Guarantee version 5 (2011) for more information.

Your rights

A number of organisations (both within and outside the NHS) are commissioned to provide healthcare services to you and we may need to share your information with them in order for them to provide those services.

You have the right to tell us that you don’t want your information shared. You will need to tell us who you don’t want to share your information with and we won’t share your information, unless we have reason to believe you are at risk or if we have another legal requirement to share your information.

If you have any concerns about how your information may be shared, please discuss them with your health care provider, e.g. GP, hospital consultant or dentist.

You have the right to confidentiality under the Data Protection Act 2018, the Human Rights Act 1998 and the common law duty of confidence. The Disability Discrimination and the Race Relations Acts may also apply.

You also have the right to ask for a copy of the records about you:

  • Your request must be made in writing (e-mail is acceptable) to the organisation holding your information.
  • The organisation is required to respond to you within 30 days. You will need to give adequate information (e.g. full name, address, date of birth, NHS number) and you will be required to provide identification before any information is released to you.
  • If a request is not manifestly excessive or unfounded, there is no longer a fee for this. However, if the request is either excessive or repeated, it could either be declined or there may be a fee charged.

If you think that there are inaccuracies in your record, you have the right to request that these be corrected or annotated.

How the NHS keeps your records confidential

Everyone working for the NHS has a legal duty to keep information about you confidential.

Your information is legally protected by the Data Protection Act (May 2018) and the Caldicott Principles and by the European General Data Protection Regulation.

The practice complies with national and European data protection legislation. All our employees have signed a confidentiality agreement and will only access information that is necessary in order to help us care for patients. Reception, office and administration staff require access to your medical records in order to do their jobs. These members of staff are bound by the same rules of confidentiality as medical staff.

The practice may record telephone calls for the purposes of patient and staff care, security and dispute resolution. Such recordings will comply with the practice’s data protection processes.

Records will be kept in line with the Department of Health Records Management Code of Practice which determines the minimum length of time that records should be kept for.

How you can arrange to see your own health records

The Data Protection Act (2018) and the European General Data Protection Regulation entitle you to view the information contained in your health care record.

Please contact the following organisations to see or obtain a copy of your records:

  • For your GP health care records, please contact your GP practice directly.
  • In some cases, if you have received hospital treatment this may not be included in the health care records that your GP practice holds, so please contact the hospital directly.

You will need to apply in writing to either your GP practice or hospital trust as appropriate, and they will contact you to advise you of the process.

 

Privacy Notice Assessments for Specific Activities

In line with EU General Data Protection Regulations (GDPR), individual Privacy Notice assessments are available for the activities that we perform in order to enable us to deliver a high standard of health care for our patients. Please contact the practice if you wish to see a copy. The areas covered include:

| Privacy Notice: Area or activity addressed | Purpose of processing of information | GDPR lawful basis for processing of information |
| --- | --- | --- |
| Ambulance service | Provision of direct care | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| Core summary care record | Provision of direct care | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| Court Order | To enable provision of information to the court, when instructed by a “court order”. | Article 6(1)(c) – Legal Obligation; Article 9(2)(h) – Provision and Management of Health |
| Care Quality Commission (CQC) | To enable the CQC to access medical records for the purposes of assessment or investigation. | Article 6(1)(c) – Legal Obligation; Article 9(2)(h) – Provision of Health |
| Diabetes education | To permit patients newly diagnosed with diabetes to be referred for a structured education programme about the condition | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| Diabetes retinal screening | Enable patients with diabetes mellitus to receive invitations for diabetic eye screening | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| Disclosure to police or children’s services | Informing the appropriate agencies when there is concern that children or young people are at risk of abuse or neglect, in order to protect them. | Article 6(1)(d) – Vital Interests; Article 9(2)(h) – Management of Health |
| Communication, Mail or E-mailing clinicians or service providers | Enables our staff to communicate with clinicians or service providers (such as NHS trusts) | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| E-mailing patients | Enables our staff to communicate with patients via email | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| Emergencies | Enables our staff to provide relevant and necessary information to another healthcare professional or organisation, when further life-saving medical care is required by a patient and they are unable to give consent. | Article 6(1)(d) – Vital Interests; Article 9(2)(h) – Provision of health care |
| EMIS web – electronic record | To enable the staff to record relevant information about our patients within their GP electronic record | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| Enriched summary care record | Provision of direct care | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| Electronic prescribing service | Provision of direct care | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| Female Genital Mutilation [FGM] | Legal obligation to enable the NHS to prevent this and support women and girls who have had or who are at risk of FGM | Article 6(1)(c) – Legal Obligation; Article 9(2)(h) – Provision of Health |
| General Medical Council | To enable the GMC access to a patient’s medical records for the purposes of an investigation into a doctor’s fitness to practise. | Article 6(1)(c) – Legal Obligation; Article 9(2)(g) – Public interest |
| Healthier You, Pre-diabetes | To enable patients diagnosed with pre-diabetes mellitus to be invited to the NHS Diabetes Prevention Programme. | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| CHIE [Care & Health Information Exchange] | Provision of direct care | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| Home Oxygen Provision | To enable patients to receive home oxygen | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| Health Service Ombudsman (HSO) | To enable the HSO to receive information concerning a patient for the purposes of an investigation. | Article 6(1)(c) – Legal Obligation; Article 9(2)(g) – Public interest |
| ICE Pathology Database | Provision of direct care | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| Integrated care team and community staff | Provision of direct care | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| Individual GP Level Data | A mandatory national monitoring system to enable NHS Digital to provide GPs with clinical information on the care provision for their patients. | Article 6(1)(c) – Legal Obligation; Article 9(2)(h) – Management of health |
| Lord Wandsworth Health Centre Staff | To enable access to GP records, by Lord Wandsworth Health Centre staff in order to care for patients. Provision of Direct Care. | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| MJog and SMS texts | To enable staff at Dr Assadourian and Partners to communicate with patients via text (SMS) | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| National Diabetes Audit | A national monitoring system, auditing the care of patients with diabetes | Article 6(1)(c) – Legal Obligation; Article 9(2)(h) – Management of Health |
| NHS Counter Fraud | Investigations into fraud in the NHS may require access to confidential patient information. | Article 6(1)(c) – Legal Obligation; Article 9(2)(g) – Public interest |
| NHS Health Checks | To enable Hampshire County Council to invite patients on our behalf to undergo an NHS Health Check at the surgery. | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of Health |
| Out of Hours Care | To enable information to be shared about patients, when clinically necessary, with the out of hours care providers, for the purpose of provision of direct health care to the data subject. | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| Open Exeter | To enable staff working for us to access the Open Exeter database, in order to access required health related information such as patients’ vaccinations, smear data etc. | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Management of health |
| Other disclosures to government representatives | To enable the provision of information to an officer of the government (e.g. Jobcentre Plus, DWP etc.); the patient having given consent | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Management of Health or Social Care Systems and Services |
| Other disclosures to the DVLA | To enable the provision of information to the DVLA; the patient having given consent | Article 6(1)(e) – Official Authority; Article 9(2)(g) – Public Interest |
| Other disclosures to the Police | With patient consent, or if there is an overriding public interest issue | Article 6(1)(e) – Public interest or Official Authority; Article 9(2)(g) – Public Interest |
| Other third party disclosures (Armed forces, solicitors, insurance companies, employers etc.) | With consent to provide information to other third parties such as The British Armed Forces, solicitors, insurance companies etc. | Article 6(1)(a) – Consent; Article 9(2)(a) – Explicit Consent |
| Other third party disclosures (data processing company MediData Exchange Ltd to enable the provision of SAR to solicitors or reports for insurance companies.) | With patient consent | Article 6(1)(a) – Consent; Article 9(2)(a) – Explicit Consent |
| Patient Online Services | To enable patients to securely access their GP record online and be able to book appointments, request repeat medication and view their medical information. | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of Health |
| Pharmacy communication | To enable communication with a pharmacy or providers of appliances/feeds on behalf of patients | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| Population Health Management | To enable working together in order to: understand the health and care needs of the care system’s population, including health inequalities; provide support to where it will have the most impact; identify early actions to keep people well, not only focusing on people in direct contact with services, but looking to join up care across different partners. | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| Provision of Health Care | To enable staff to provide Health Care Services to patients | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| Public Health | To enable healthcare professionals to provide information about individuals to Public Health England, when medically required. | Article 6(1)(c) – Legal Obligation; Article 9(2)(g) – Public interest – Public health |
| Research | To enable healthcare professionals to provide information, derived from GP records, about individuals to accredited research organisations | Article 6(1)(a) – Consent; Article 9(2)(a) – Explicit Consent |
| Risk stratification | To enable the practice to identify patients most at risk of certain medical/illness outcomes and to target them with medical or social care input, if appropriate. | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| S17 – Children’s services | The provision of information from GP records concerning children and families in order to safeguard and promote the welfare of those who are “in need” | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Management of Health |
| S45 – Adult services | The provision of information from GP records about adults who may be at risk of harm (abuse or neglect). This is a mandatory provision of information under Section 45 of the Care Act 2014 | Article 6(1)(c) – Legal Obligation; Article 9(2)(h) – Management of Health |
| S47 – Children’s services | The provision of information from GP records concerning children and families where a child is taken into Police protection, and is the subject of an Emergency Protection Order or there are reasonable grounds to suspect that a child is suffering or is likely to suffer Significant H. This is a mandatory provision of information under Section 47 of the Children Act 1989 | Article 6(1)(c) – Legal Obligation; Article 9(2)(h) – Management of Health |
| Scanning | To enable the practice to digitally scan part or all paper medical records/letters/results/communications into the electronic GP record. | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| Sharing information for direct healthcare/referrals | To enable healthcare staff to provide all relevant and necessary information to another healthcare professional or organisation, when further medical care is required by the data subject. | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |
| Statutory disclosures to government representatives | To enable staff to provide the officer of the government (e.g. the HSE, HMRC, NHS Pensions etc.) with information about the data subject when legally required to do so. | Article 6(1)(c) – Legal Obligation; Article 9(2)(g) – Public Interest |
| Statutory DVLA disclosure | To enable the provision of information to the DVLA; if there is an overriding public interest. | Article 6(1)(e) – Public Interest; Article 9(2)(g) – Public Interest |
| Statutory disclosure to the police | To enable the provision of information to the police, officer of the law or court; if there is a legal obligation to do so. | Article 6(1)(c) – Legal Obligation; Article 9(2)(g) – Public Interest |
| Tier 2 Urology Service | To provide and receive all relevant and necessary information to/from appropriate clinicians in the provision of a Tier 2 Urology service. | Article 6(1)(e) – Official Authority; Article 9(2)(h) – Provision of health |