Keeping Your Record Safe
Stony Medical Centre Patient Briefing – How we use your information
Updated for the GDPR 2016 and Data Protection Act 2018
General Data Protection Regulations (GDPR)
Why we collect information about you
In the Practice we aim to provide you with the highest quality of health care. To do this we must keep records about you, your health and the care we have provided or plan to provide to you.
These records may include:
- Basic details about you, such as address, date of birth, next of kin
- Contact we have had with you such as clinical visits
- Details and records about your treatment and care
- Results of x-rays, laboratory test etc.,
- Relevant information from people who care for you and know you well, such as health professionals and relatives
It is good practice for people in the NHS who provide care to:
- Discuss and agree with you what they are going to record about you
- Give you a copy of letters they are writing about you; and
- Show you what they have recorded about you, if you ask
We will only store your information in identifiable form for a long as in necessary in and in accordance with the NHS England’s Rules found here: -
How your records are used
The people who care for you use your records to:
- Provide a good basis for all health decisions made by you and care professionals
- Allow you to work with those providing care
- Make sure your care is safe and effective, and
- Work effectively with others providing you with care
Others may also need to use records about you to:
- Check the quality of care (such as clinical audit)
- Protect the health of the public
- Keep track of NHS spending
- Manage the health service
- Help investigate any concerns or complaints you or your family have about your health care
- Teach health workers and
- Help with research
Some information will be held centrally to be used for statistical purposes. In these instances, we take strict measures to ensure that individual patients cannot be identified.
We use anonymous information, wherever possible, but on occasions we may use personally confidential information for essential NHS purposes such as research and auditing. However, this information will only be used with your consent, unless the law requires us to pass on the information.
The Legal Part
You have a right to privacy under the General Data Protection Regulation 2016 (GDPR) and the Data Protection Act. The Practice needs your personal, sensitive and confidential data in order perform our statutory health duties, in the public interest or in the exercise of official authority vested in the controller in compliance with Article 6 (e) of the GDPR and for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the in compliance with Article 9, (h) of the GDPR.
You have the right to ask for a copy of all records about you.
- Your request should be made in writing to the practice holding your information
- We are required to respond to you within one Month
- You will need to give adequate information (for example full name, address, date of birth NHS number etc.)
To access your record contact
If you think anything is inaccurate or incorrect, please inform the Practice as soon as possible. For other rights about the use of your information please see our website.
How we keep your records confidential
Everyone working for the NHS has a legal duty to keep information about you confidential.
We have a duty to:
- Maintain full and accurate records of the care we provide to you
- Keep records about you confidential, secure and accurate
- Provide information in a format that is accessible to you (i.e., in large type if you are partially sighted).
We will not share information that identifies you for any reason, unless:
- you ask us to do so;
- we ask, and you give us specific permission;
- we must do this by law;
- we have special permission for health or research purposes or
- we have special permission because the interests of the public are thought to be of greater importance than your confidentiality
Our guiding principle is that we are holding your records in strict confidence
Who are our partner organisations?
We may share information with the following main partner organisations:
- NHS England
- Our Commissioners
- NHS Trusts / Organisation (Hospitals, CCG’s)
- Specialist Trusts
- Ambulance Service
- Social Services
- Independent Contractors such as dentists, opticians, pharmacists
- Private Sector Providers
- Social Care Services
- Fire and Rescue Services
We may also share your information, with your consent and subject to strict sharing protocols about how it will be used, with:
- Education Services
- Local Authorities
- Voluntary Sector Providers
- Private Sector
Anyone who receives information from us also has a legal duty to keep it confidential
What if I think there has been a breach of my Data Protection Rights?
If you believe there has been a breach of any of your Data Protection Rights you have a right to complain to the UK supervisory Authority as below.
Tel: 01625 545745
Sharing Your Medical Record
In order to give clinicians access to the most up to date information when attending patients, patient medical data may be shared between GP surgeries and other NHS health care providers.
The systems we operate require that any sharing of medical information is consented to by patients beforehand. Patients must consent to sharing of the data held by a health provider out to other health providers and must also consent to which of the other providers can access their data.
For more information please review our privacy polies and GDPR statements.
COVID-19 Privacy Notice
(This Privacy Notice is to run alongside our standard Practice Privacy Notice)
Due to the unprecedented challenges that the NHS and we, Stony Medical Centre face due to the worldwide COVID-19 pandemic, there is a greater need for public bodies to require additional collection and sharing of personal data to protect against serious threats to public health.
In order to look after your healthcare needs in the most efficient way we, Stony Medical Centre may therefore need to share your personal information, including medical records, with staff from other GP Practices including Practices within our Primary Care Network, as well as other health organisations (i.e. Clinical Commissioning Groups, Commissioning Support Units, Local authorities etc.) and bodies engaged in disease surveillance for the purposes of research, protecting public health, providing healthcare services to the public and monitoring and managing the Covid-19 outbreak and incidents of exposure.
The Secretary of State has served notice under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) to require organisations to process confidential patient information in the manner set out below for purposes set out in Regulation 3(1) of COPI.
Purpose of this Notice
The purpose of this Notice is to require organisations such as Stony Medical Centre to process confidential patient information for the purposes set out in Regulation 3(1) of COPI to support the Secretary of State’s response to Covid-19 (Covid-19 Purpose). “Processing” for these purposes is defined in Regulation 3(2) and includes dissemination of confidential patient information to persons and organisations permitted to process confidential patient information under Regulation 3(3) of COPI. This Notice is necessary to require organisations such as Stony Medical Centre to lawfully and efficiently process confidential patient information as set out in Regulation 3(2) of COPI for purposes defined in regulation 3(1), for the purposes of research, protecting public health, providing healthcare services to the public and monitoring and managing the Covid-19 outbreak and incidents of exposure.
Requirement to Process Confidential Patient Information
The Secretary of State has served notice to recipients under Regulation 3(4) that requires Stony Medical Centre to process confidential patient information, including disseminating to a person or organisation permitted to process confidential patient information under Regulation 3(3) of COPI.
Stony Medical Centre is only required to process such confidential patient information:
- where the confidential patient information to be processed is required for a Covid-19 Purpose and will be processed solely for that Covid-19 Purpose in accordance with Regulation 7 of COPI
- from 20th March 2020 until 31 March 2021.
A Covid-19 Purpose includes but is not limited to the following:
- understanding Covid-19 and risks to public health, trends in Covid-19 and such risks, and controlling and preventing the spread of Covid-19 and such risks
- identifying and understanding information about patients or potential patients with or at risk of Covid-19, information about incidents of patient exposure to Covid-19 and the management of patients with or at risk of Covid-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from Covid-19
- understanding information about patient access to health services and adult social care services and the need for wider care of patients and vulnerable groups as a direct or indirect result of Covid-19 and the availability and capacity of those services or that care
- monitoring and managing the response to Covid-19 by health and social care bodies and the Government including providing information to the public about Covid-19 and its effectiveness and information about capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services
- delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with Covid-19, including the provision of information, fit notes and the provision of health care and adult social care services
- research and planning in relation to Covid-19.
Recording of processing
A record will be kept by Stony Medical Centre of all data processed under this Notice.
Sending Public Health Messages
Data protection and electronic communication laws will not stop Stony Medical Centre from sending public health messages to you, either by phone, text or email as these messages are not direct marketing.
It may also be necessary, where the latest technology allows Stony Medical Centre to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind.
Research and Pandemic Planning
The Secretary of State has directed NHS Digital to collect, process and analyse data in connection with COVID-19 to support the Secretary of State’s response to COVID-19 and support various COVID-19 purposes set out in the COVID-19 Public Health Directions 2020, 17 March 2020 (as amended) (COVID-19 Direction) and below. This enables NHS Digital to collect data and analyse and link the data for COVID-19 purposes with other data held by NHS Digital.
The purpose of the data collection is also to respond to the intense demand for General Practice data to be shared in support of vital planning and research for COVID-19 purposes, including under the general legal notice issued by the Secretary of State under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI).
NHS Digital has therefore been requested by the joint co-chairs of the Joint GP IT Committee (JGPITC) (the BMA and RCGP) to provide a tactical solution during the period of the COVID-19 pandemic to meet this demand and to relieve the growing burden and responsibility on General Practices. On 15 April 2020 the BMA and RCGP therefore gave their support via JGPITC to NHS Digital’s proposal to use the General Practice Extraction Service (GPES) to deliver a data collection from General Practices, at scale and pace, as a tactical solution to support the COVID-19 response in the pandemic emergency period.
It is a requirement of the JGPITC that all requests by organisations to access and use this data will need to be made via the NHSX SPOC COVID-19 request process, that will triage and prioritise these requests and refer appropriate requests on to the NHS Digital Data Access Request Service (DARS). NHS Digital will consult with representatives of the BMA and the RCGP on all requests for access to the data. An outline of the process for this agreed with the BMA and the RCGP is published here. Requests by organisations to access record level data from this collection will also be subject to Independent Group Advising on the Release of Data (IGARD) consideration. Data applicants will need to demonstrate they have a lawful basis to access the data for COVID-19 purposes.
Benefits of this sharing
Organisations, including the Government, health and social care organisations and researchers need access to this vital data for a range of COVID-19 purposes, to help plan, monitor and manage the national response to the COVID-19 pandemic, which will help save lives. COVID-19 purposes for which this data may be analysed and used may include:
- understanding COVID-19 and risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks
- identifying and understanding information about patients or potential patients with, or at risk of COVID-19, information about incidents of patient exposure to COVID-19 and the management of patients with or at risk of COVID-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from COVID19
- understanding information about patient access to health services and adult social care services as a direct or indirect result of COVID-19, and the availability and capacity of those services • monitoring and managing the response to COVID-19 by health and social care bodies and the Government including providing information to the public about COVID-19 and its effectiveness and information about capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services
- delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with COVID-19, including the provision of information, fit notes and the provision of health care and adult social care services; and
- research and planning in relation to COVID-19.
Data may be analysed and linked to other data held by NHS Digital or held by other organisations to which access to the data is granted for COVID-19 purposes, through the process described above.
Data will be collected nationally from all GP Practices by NHS Digital every fortnight. All requests to access this data will be triaged through the NHSX SPOC COVID-19 request process and assessed and fulfilled by NHS Digital through DARS. This will significantly reduce the burden on General Practice at a time when demand on resources is high, enabling General Practice to focus on delivering health care and support to patients. It will also reduce compliance burden and risk for General Practice associated with sharing data and complying with the terms of the general legal notice issued under COPI, which applies to General Practices.
Legal Basis for this collection
NHS Digital has been directed by the Secretary of State under section 254 of the 2012 Act under the COVID-19 Direction to establish and operate a system for the collection and analysis of the information specified for this service: GPES Data for Pandemic Planning and Research (COVID-19). A copy of the COVID-19 Direction is published here: https://digital.nhs.uk//about-nhs-digital/corporate-information-and-documents/directions-anddata-provision-notices/secretary-of-state-directions/covid-19-public-health-directions-2020.
Details of the information to be collected can be found on the NHS Digital website – Specification of this DPN. Type 1 objections will be upheld in collecting this data from General Practices and therefore the data for those patients who have registered a Type 1 objection with their GP will not be collected. The Type 1 objection prevents an individual’s personal identifiable confidential information from being shared outside of their GP Practice except when it is being used for the purposes of their direct care. The National Data Opt-Out will not apply to the collection of the data, as this is a collection which is required by law.
This information is required by NHS Digital under section 259(1)(a) of the 2012 Act to comply with the COVID-19 Direction. In line with section 259(5) of the 2012 Act, all organisations in England that are within the scope of this Notice, as identified below under Health and Social Care Bodies within the scope of the collection, must comply with the requirement and provide information to NHS Digital in the form, manner and for the period specified in this Notice. This Notice is issued in accordance with the procedure published as part of NHS Digital’s duty under section 259(8) of the 2012 Act.
Visitors to The Practice
We have an obligation to protect our staff and employees’ health, so it is reasonable for staff at Stony Medical Centre to ask any visitors to our practice to tell us if they have visited a particular country, or are experiencing COVID-19 symptoms. This must only be in pre-approved circumstances and we would also ask all patients to consider government advice on the NHS 111 website and not attend the practice.
Where it is necessary for us to collect information and specific health data about visitors to our practice, we will not collect more information than we need, and we will ensure that any information collected is treated with the appropriate safeguards.
Review and Expiry of this Notice
This Notice will be reviewed on or before 31 March 2021 and may be extended by The Secretary of State. If no further notice is sent to Stony Medical Centre by The Secretary of State this Notice will expire on 31 March 2021.