This Privacy Notice tells you how we may collect, use and process your personal data, and how we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.

For the purposes of the General Data Protection Regulations (GDPR), Parkside Medical Practice is the Data Controller of the data about you held by us. These Regulations describe how personal and sensitive information can be processed lawfully.

Our Practice policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with GDPR and all UK specific Data Protection Requirements.

The data we collect, use and process

We collect both basic personal data about you (which does not include any special types of information or location-based information) and sensitive confidential data known as “special category personal data”, in the form of health information, religious belief (when relevant to your care), ethnicity, and sex, during the provision of services to you and/or linked to your healthcare through other health providers or third parties.

The information we hold about you may be held electronically, in paper records, or a mixture of both. We use safe working practices and technology to ensure that your information is kept confidential and secure. Records that the Practice hold about you may include the following information

  • Details about you, such as your address, carer, legal representative, emergency contact details
  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations such as laboratory tests, x-rays etc
  • Relevant information from other health professionals, relatives or those who care for you
  • Relevant information provided to us by other third parties where the law permits

Why we need to collect, use and process your information

Collecting, using and processing information about you helps us to provide appropriate, up-to-date and cost-effective healthcare to you and enables us to meet our legal and professional obligations to you.

Additionally, information held about you may be used to help protect the health of the public, to help us manage the NHS, and for clinical audit to monitor the quality of the service provided. When we use your information in this way we will only use the minimum information required for the purpose and will (when possible) do this in a way that makes it impossible to identify you individually.

The legal basis for using your data

We need to collect, use and process your personal, sensitive and confidential data in order to provide you with healthcare services as a General Practice. Under GDPR we will be lawfully using your information in accordance with:

Article 6 (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Article 9 (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

Risk Stratification 

By using information about you from a number of sources, risk stratification tools help to determine your risk of suffering a condition, prevent an unplanned or (re)admission, and identify a need for preventive intervention(s). This enables the Practice to focus on preventing ill health. You have the right to opt out of your data being used in this way.

Keeping your information secure

We will only use information collected lawfully in accordance with the following legislation and National Policies: Data Protection Act 2018, The General Data Protection Regulations 2016, Human Rights Act 1998, Common Law Duty of Confidentiality, Health and Social Care Act 2012, NHS Codes of Confidentiality, Information Security and Records Management, and Information: To Share or Not to Share Review (Dame Fiona Caldicott’s information sharing review).

Everyone who works for the Practice and with whom we may need to share your information has a legal obligation to keep information about you confidential. All of our employees and contractors are required to agree to a confidentiality agreement before being allowed to commence work for us. In some instances we may require subcontractors to act as data processors on our behalf; in these cases an appropriate contract will be agreed before any data is processed in this way.

We will only ever share information about you with other parties if they have a genuine need that cannot be met without having access to information about you. Additionally, we will not disclose your information to any third party without your permission unless

  • there are exceptional circumstances (i.e. life or death situations, where disclosure is in your best interests)
  • the law requires information to be shared, or
  • in accordance with the information sharing principles detailed in Information: to share or not to share

Some information may be held outside of the Practice and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes; the Practice will always seek your consent before releasing the information for this purpose in an identifiable format. In some circumstances you can opt out of the surgery sharing any of your information for research purposes.

Other uses of your data

Occasionally we may wish to use your data (such as contact details) to inform you of services that may benefit you or to offer you the chance to help the NHS by engaging in research projects. We will only ever use your data in this way with your express consent, unless the law requires otherwise.

When we would like to use your data for anything other than the specified purposes and where there is no lawful requirement for us to share or process your data, we will ensure that you have the ability to consent and opt out prior to any data processing taking place. We will never share your information for marketing purposes.

Our electronic records

All the data we process is processed in the UK; however, for the purposes of IT hosting and maintenance, this information may be located on servers within the European Union. No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place. We have Data Protection processes in place to ensure the effective and secure processing of your data.

Our partner organisations

We may also have to share your information, subject to strict agreements on how it will be used, with the following partner organisations

  • Bulwell and Top Valley Primary Care Network and constituent Practices within the network in order to increase your access to primary care and locality based services
  • Care Quality Commission
  • Clinical Commissioning Groups
  • Fire and Rescue Services
  • GPs
  • Independent Contractors such as dentists, opticians, pharmacists
  • Local Authorities, including Education Services
  • NHS Commissioning Support Units
  • NHS Digital (NHSD)
  • NHS England (NHSE)
  • NHS Trusts, including hospitals and ambulance services
  • Nottingham City GP Alliance, in order to provide GP+ and other services on our behalf
  • Police & Judicial Services
  • Private Sector Providers
  • Social Care Services
  • Voluntary Sector Providers
  • Other ‘data processors’ which you will be informed of on a case by case basis

You will be informed who your data will be shared with and in some cases asked for consent for this to happen when this is required.

Data retention

We are required by law to keep your information and data for the full retention period(s) as specified by the NHS Records Management Code of Practice for Health and Social Care and the National Archives Requirements.

Your rights: accessing, amending or removing your data

Even if we already hold your personal data, you still have various rights in relation to it. These are

Right to object: if we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will normally respond to your request within 30 days and will usually only disagree with your request if certain limited conditions apply.

Right to withdraw consent: where we have obtained your consent to process your personal data for specific activities, you may withdraw your consent at any time, although we may continue to collect, process and use your data if we have a lawful reason to do so.

Right to erasure: in certain situations (for example, where we have processed your data unlawfully), you have the right to request us to “erase” your personal data. We will usually respond to your request within 30 days and will only disagree with you if certain limited conditions apply. In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legal requirement. If we do agree to your request, we will delete your data but will generally assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data are collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so.

Right of data portability: if you wish, you have the right to transfer your data from us to another data controller. We will help with this with a GP to GP data transfer and transfer of your hard copy notes.

If you are considering using one or more of these rights please get in touch with us. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise.

Access to your personal information 

You have a right under GDPR to request access to view or to obtain copies of what information the Practice holds about you and to have it amended should it be inaccurate. To request this, you should make your request directly to the Practice (or the data controller of the information if it relates to information provided to the Practice by a third party).

There is no charge for these requests unless the request is a repeated request for the same information.

It is helpful to be specific about what information you are looking for, and in all cases we will ask you to prove your identity and that you have the consent of the patient concerned if you are not the patient.

Your obligation to us

You must tell us if your information changes so that we can update our records to ensure their accuracy and that you receive the care and support that you may require. From time to time we may ask you to confirm that the information we hold is accurate and up-to-date.

Objections / Complaints

Should you have any concerns about how your information is managed at the Practice, please contact our Practice Manager or the Data Protection Officer. If you are still unhappy following a review by the Practice, you have a right to lodge a complaint with the UK Supervisory Authority:

Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 01625 545745

Website: https://ico.org.uk/

If you are happy for your data to be collected, processed and used for the purposes described in this privacy notice, then you do not need to do anything. If you have any concerns about how your data is shared, then please contact the Practice Manager or Practice Data Protection Officer.

If you would like to know more about your rights in respect of the personal data we hold about you, please contact the Data Protection Officer as below.

Data Protection Officer

The Practice Data Protection Officer is Paul Couldrey, who can be contacted by email at Couldrey@me.com or by post at PCIG Consulting Limited, 7 Westacre Drive, Quarry Bank, Dudley, West Midlands, DY5 2EE.

This Privacy Notice is subject to change at any time. We will ensure that the most up to date version of this Notice is displayed within the Practice, on our Website and available upon request.