This Privacy Notice tells you how we may collect, use and process your personal data, and how we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.
For the purposes of the General Data Protection Regulations (GDPR), Parkside Medical Practice is the Data Controller of the data about you held by us. These Regulations describe how personal and sensitive information can be processed lawfully.
Our Practice policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with GDPR and all UK specific Data Protection Requirements.
The data we collect, use and process
We collect both basic personal data about you (which does not include any special types of information or location-based information) and sensitive confidential data known as “special category personal data”, in the form of health information, religious belief (when relevant to your care), ethnicity, and sex, during the provision of services to you and/or linked to your healthcare through other health providers or third parties.
The information we hold about you may be held electronically, in paper records, or a mixture of both. We use safe working practices and technology to ensure that your information is kept confidential and secure. Records that the Practice holds about you may include the following information:
- Details about you, such as your address, carer, legal representative, emergency contact details
- Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations such as laboratory tests, x-rays etc
- Relevant information from other health professionals, relatives or those who care for you
- Relevant information provided to us by other third parties where the law permits
Why we need to collect, use and process your information
Collecting, using and processing information about you helps us to provide appropriate, up-to-date and cost-effective healthcare to you and enables us to meet our legal and professional obligations to you.
Additionally, information held about you may be used to help protect the health of the public, to help us manage the NHS, and for clinical audit to monitor the quality of the service provided. When we use your information in this way we will only use the minimum information required for the purpose and will (when possible) do this in a way that makes it impossible to identify you individually.
The legal basis for using your data
We need to collect, use and process your personal, sensitive and confidential data in order to provide you with healthcare services as a General Practice. Under GDPR we will be lawfully using your information in accordance with:
Article 6 (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
Article 9 (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems
By using information about you from a number of sources, risk stratification tools help to determine your risk of suffering a condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention(s). This enables the Practice to focus on preventing ill health. You have the right to opt out of your data being used in this way.
Keeping your information secure
We will only use information collected lawfully in accordance with the following legislation and National Policies: Data Protection Act 2018, The General Data Protection Regulations 2016, Human Rights Act 1998, Common Law Duty of Confidentiality, Health and Social Care Act 2012, NHS Codes of Confidentiality, Information Security and Records Management, and Information: To Share or Not to Share Review (Dame Fiona Caldicott’s information sharing review).
Everyone who works for the Practice and with whom we may need to share your information has a legal obligation to keep information about you confidential. All of our employees and contractors are required to agree to a confidentiality agreement before being allowed to commence work for us. In some instances we may require subcontractors to act as data processors on our behalf; in these cases an appropriate contract will be agreed before any data is processed in this way.
We will only ever share information about you with other parties if they have a genuine need that cannot be met without having access to information about you. Additionally, we will not disclose your information to any third party without your permission unless
- there are exceptional circumstances (i.e. life or death situations, where disclosure is in your best interests)
- the law requires information to be shared, or
- in accordance with the information sharing principles detailed in Information: to share or not to share
Some information may be held outside of the Practice and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes; the Practice will always seek your consent before releasing the information for this purpose in an identifiable format. In some circumstances you can opt-out of the surgery sharing any of your information for research purposes.
Other uses of your data
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at:
https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and
https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation ‘is / is not currently’ compliant with the national data opt-out policy.
Our electronic records
All the data we process is processed in the UK; however, for the purposes of IT hosting and maintenance, this information may be located on servers within the European Union. No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place. We have Data Protection processes in place to ensure the effective and secure processing of your data.
Our partner organisations
We may also have to share your information, subject to strict agreements on how it will be used, with the following partner organisations
- Bulwell and Top Valley Primary Care Network and constituent Practices within the network in order to increase your access to primary care and locality based services
- Care Quality Commission
- Clinical Commissioning Groups
- Fire and Rescue Services
- Independent Contractors such as dentists, opticians, pharmacists
- Local Authorities, including Education Services
- NHS Commissioning Support Units
- NHS Digital (NHSD)
- NHS England (NHSE)
- NHS Trusts, including hospitals and ambulance services
- Nottingham City GP Alliance, in order to provide GP+ and other services on our behalf
- Police & Judicial Services
- Private Sector Providers
- Social Care Services
- Voluntary Sector Providers
- Other ‘data processors’ which you will be informed of on a case by case basis
You will be informed who your data will be shared with and in some cases asked for consent for this to happen when this is required.
We are required by law to keep your information and data for the full retention period(s) as specified by the NHS Records Management Code of Practice for Health and Social Care and the National Archives Requirements.
Your rights: accessing, amending or removing your data
Even if we already hold your personal data, you still have various rights in relation to it. These are:
Right to object: if we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will normally respond to your request within 30 days and will usually only disagree with your request if certain limited conditions apply.
Right to withdraw consent: where we have obtained your consent to process your personal data for specific activities, you may withdraw your consent at any time, although we may continue to collect, process and use your data if we have a lawful reason to do so.
Right to erasure: in certain situations (for example, where we have processed your data unlawfully), you have the right to request us to “erase” your personal data. We will usually respond to your request within 30 days and will only disagree with you if certain limited conditions apply. In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legal requirement. If we do agree to your request, we will delete your data but will generally assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data are collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so.
Right of data portability: if you wish, you have the right to transfer your data from us to another data controller. We will help with this with a GP to GP data transfer and transfer of your hard copy notes.
If you are considering using one or more of these rights please get in touch with us. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise.
Access to your personal information
You have a right under GDPR to request access to view or to obtain copies of what information the Practice holds about you and to have it amended should it be inaccurate. To request this, you should make your request directly to the Practice (or the data controller of the information if it relates to information provided to the Practice by a third party).
There is no charge for these requests unless the request is a repeated request for the same information.
It is helpful to be specific about what information you are looking for, and in all cases we will ask you to prove your identity and that you have the consent of the patient concerned if you are not the patient.
Your obligation to us
You must tell us if your information changes so that we can update our records to ensure their accuracy and that you receive the care and support that you may require. From time to time we may ask you to confirm that the information we hold is accurate and up-to-date.
Objections / Complaints
Should you have any concerns about how your information is managed at the Practice, please contact our Practice Manager or the Data Protection Officer. If you are still unhappy following a review by the Practice, you have a right to lodge a complaint with the UK Supervisory Authority:
Information Commissioner, Wycliffe House
Telephone: 01625 545745
Website: https://ico.org.uk/
If you are happy for your data to be collected, processed and used for the purposes described in this privacy notice, then you do not need to do anything. If you have any concerns about how your data is shared, then please contact the Practice Manager or Practice Data Protection Officer.
If you would like to know more about your rights in respect of the personal data we hold about you, please contact the Data Protection Officer as below.
Data Protection Officer
The Practice Data Protection Officer is Paul Couldrey who can be contacted by email at Couldrey@me.com or by post at PCIG Consulting Limited, 7 Westacre Drive, Quarry Bank, Dudley, West Midlands, DY5 2EE.
This Privacy Notice is subject to change at any time. We will ensure that the most up to date version of this Notice is displayed within the Practice, on our Website and available upon request.