This privacy policy explains what personal information is held about our patients and how it is collected and processed.
This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital.
The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. This practice is supporting vital coronavirus planning and research by sharing your data with NHS Digital, the national safe haven for health and social care data in England.
NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).
All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.
Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) – legal obligation. Our legal basis for sharing personal data relating to health is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.
The data being shared with NHS Digital will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients. It will also include coded health data which is held in your GP record such as details of:
NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.
NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).
Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information.
Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose, will be published in the NHS Digital data release register.
The application of the National Data Opt-Out to information shared by NHS Digital will be considered on a case-by-case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during this period of emergency, the National Data Opt-Out will not generally apply where data is used to support the coronavirus outbreak, due to the public interest and legal requirements to share information.
Being transparent and providing accessible information to patients about how we will use your personal information is a key element of the Data Protection Act 2018 and the EU General Data Protection Regulations (GDPR).
The following notice reminds you of your rights in respect of the above legislation and how we as your GP Practice will use your information for lawful purposes in order to deliver your care and the effective management of the local NHS system.
This notice reflects how we use information for:
As your registered GP practice, we are the data controller for any personal data that we hold about you.
The data protection officer for Amicus Health is:
Rebekah Lovewell
bex.lovewell@nhs.net
Data Protection Officer
Delt Shared Services Ltd.
BUILDING 2 - DELT
Derriford Business Park
Plymouth
PL6 5QZ
All personal data must be processed fairly and lawfully, whether it is received directly from you or from a third party in relation to your care. We will collect the following types of information from you or about you from a third party (provider organisation) engaged in the delivery of your care:
Your healthcare records contain information about your health and any treatment or care you have received previously (e.g. from an acute hospital, GP surgery, community care provider, mental health care provider, walk-in centre, social services). These records may be electronic, a paper record or a mixture of both. We use a combination of technologies and working practices to ensure that we keep your information secure and confidential.
The NHS Act 2006 and the Health and Social Care Act 2012 invest statutory functions in GP Practices to promote and provide the health service in England, improve quality of services, reduce inequalities, conduct research, review performance of services and deliver education and training. To do this we will need to process your information in accordance with current data protection legislation to:
Your information will be collected either electronically using secure NHS Mail or by a secure electronic transfer over an NHS encrypted network connection. In addition, physical information will be sent to the practice. This information will be retained within your GP electronic patient record or within your physical medical records.
In order to deliver and coordinate your health and social care, we may share information with the following organisations:
Your information will only be shared if it is appropriate for the provision of your care or required to satisfy our statutory function and legal obligations.
Your information will not be transferred outside of the European Union. Whilst we might share your information with the above organisations, we may also receive information from them to ensure that your medical records are kept up to date and so that your GP can provide the appropriate care. In addition, we provide data to NHS Digital (as directed by the Department of Health) such as the uptake of flu vaccinations and disease prevalence.
We are committed to protecting your privacy and will only use information that has been collected lawfully. Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. We maintain our duty of confidentiality by conducting annual training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access.
Information is not held for longer than is necessary. We will hold your information in accordance with the Records Management Code of Practice for Health and Social Care 2016.
The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how their data is used. When consent is used properly, it helps you build trust and enhance your reputation. However, consent is only one potential lawful basis for processing information. Therefore, the practice may not need to seek your explicit consent for every instance of processing and sharing your information, on the condition that the processing is carried out in accordance with this notice. We will contact you if we are required to share your information for any other purpose which is not mentioned within this notice. Your consent will be documented within your electronic patient record.
You have the right to write to withdraw your consent at any time for any particular instance of processing, provided consent is the legal basis for the processing. Please contact the Practice for further information and to raise your objection.
Health Risk Screening or Risk Stratification is a process that helps your GP to determine whether you are at risk of an unplanned admission or deterioration in health. By using selected information such as age, gender, NHS number, diagnosis, existing long-term condition(s), medication history, patterns of hospital attendances, admissions and periods of access to community care your GP will be able to judge if you are likely to need more support and care from time to time, or if the right services are in place to support the local population’s needs.
To summarise, Risk Stratification is used in the NHS to:
As a practice we will use computer-based algorithms or calculations to identify registered patients who are at most risk, with support from the local Commissioning Support Unit and/or a third party accredited Risk Stratification provider. The risk stratification contracts are arranged by new Devon CCG or NHS England in accordance with the current Section 251 Agreement. [A Section 251 Agreement is where the Secretary of State for Health and Social Care has granted permission for personal data to be used for the purposes of risk stratification, in acknowledgement that it would overburden the NHS to conduct manual reviews of all patient registers held by individual providers.]
Neither the CSU nor your local CCG will at any time have access to your personal or confidential data. They will only act on behalf of your GP to organise the risk stratification service with appropriate contractual technical and security measures in place.
Your GP will routinely conduct the risk stratification process outside of your GP appointment. This process is conducted electronically and without human intervention. The resulting report is then reviewed by a multidisciplinary team of staff within the Practice. This may result in contact being made with you if alterations to the provision of your care are identified.
As mentioned above, you have the right to object to your information being used in this way. However, you should be aware that your objection may have a negative impact on the timely and proactive provision of your direct care. Please contact James Davies, our Managing Partner, to discuss how disclosure of your personal data can be limited.
Electronic patient records are kept in most places where you receive healthcare. Our local electronic systems (such as EMIS Web) enable your record to be shared with organisations involved in your direct care, such as:
In addition, NHS England have implemented the Summary Care Record which contains information including medication you are taking and any bad reactions to medication that you have had in the past.
In most cases, particularly for patients with complex conditions and care arrangements, the shared electronic health record plays a vital role in delivering the best care and a coordinated response, taking into account all aspects of a person’s physical and mental health.
Many patients are understandably not able to provide a full account of their care, or may not be in a position to do so. The shared record means patients do not have to repeat their medical history at every care setting.
Your record will be automatically set up to be shared with the organisations listed above; however, you have the right to ask your GP to disable this function or restrict access to specific elements of your record. This will mean that the information recorded by your GP will not be visible at any other care setting.
You can also reinstate your consent at any time by giving your permission to override your previous dissent.
If you have received treatment within the NHS, the local Commissioning Support Unit (CSU) may require access to your personal information to determine which Clinical Commissioning Group is responsible for payment for the treatment or procedures you have received. Information such as your name, address, date of treatment and associated treatment code may be passed onto the CSU to enable them to process the bill. These details are held in a secure environment and kept confidential. This information is only used to validate invoices in accordance with the current Section 251 Agreement and will not be shared for any further commissioning purposes.
The practice is registered and complies with the Data Protection Act 2018 (DPA 2018). Any request for access to notes by a patient, patient’s representative or outside body will be dealt with in accordance with the Act.
The Data Protection Act and General Data Protection Regulations allow you to find out what information is held about you, including information held within your medical records, either in electronic or physical format. This is known as the “right of subject access”. If you would like to have access to all or part of your records, you can make a request in writing to the organisation that you believe holds your information. This can be your GP, or a provider that is delivering or has delivered your treatment and care. You should however be aware that some details within your health records may be exempt from disclosure; however, this will be in the interests of your wellbeing or to protect the identity of a third party. If you would like access to your GP record please submit your request in writing to James Davies – Practice Manager.
In the event that you feel we as your GP Practice have not complied with the current data protection legislation, either in responding to your request or in our general processing of your personal information, you should raise your concerns in the first instance in writing to James Davies – Practice Manager.
If you remain dissatisfied with our response you can contact the Information Commissioner’s Office at:
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Enquiry Line: 01625 545700
Website: www.ico.gov.uk
We may record telephone calls you make to us or we make to you in order to:
We do this in the interests of offering a good service to our patients and to protect our staff. If you object to this, you will need to end the call when you are told that calls may be recorded. Alternative methods of communication are available. Your information will not be transferred outside the European Economic Area.
Your information may be shared with other organisations if they have a legal right to it.
We will delete call recordings 6 months after the call was made. This ensures that any subsequent investigation can be completed.
The information you provide will be managed as required by Data Protection Law. You have a right to receive a copy of the call recording. You have the right to request that the call recording be deleted if you believe we are processing it for longer than necessary.
We may collect information about you when you request any information about us or our services, submit your personal details and/or complete any forms on the web site. The transmission of information via the internet cannot be considered secure. Whilst we will do our best to protect your personal data, we cannot ensure the privacy of any data transmitted from our web site. Any transmission of personal data via the web site is done so at your own risk. If you are concerned about the privacy of your information, please use alternative means. Once we have received your information we will use strict procedures and security features to prevent unauthorised access.
We may collect and process the following information about you:
The information we collect may be used to:
Our website may from time to time contain links to and from third party websites. If you follow a link to external websites, please note that these sites have their own privacy policies and we do not accept any responsibility or liability for these sites.
A cookie is a small file, typically of letters and numbers, downloaded on to a device (like your computer or smart phone) when you access certain websites.
Cookies allow a website to recognise a user’s device.
Some cookies help websites to remember choices you make. Analytical cookies are to help us measure the number of visitors to a website. Some cookies are temporary and disappear when you close your web browser, others may remain on your computer for a set period of time.
We do not knowingly collect or intend to collect any personal information about you using cookies. We do not share your personal information with anyone.
Our cookies declaration can be found here.
When you first visited this website, you should have been prompted to give or withdraw your consent for cookies which are not strictly necessary for the proper functioning of the website. You may change your consent preferences at any time by visiting the cookies declaration page.