As a registered patient, Amicus Health has a legal duty to explain how we use any personal information we collect about you at the organisation. We collect records about your health and the treatment you receive in both electronic and paper format.
We are required to provide you with this privacy notice by law. It provides information about how we use the personal and healthcare information we collect, store and hold about you. If you have any questions about this privacy notice or are unclear about how we process or use your personal information or have any other issue regarding your personal and healthcare information, then please contact our Data Protection Officer:
Data Protection Officer
Delt Shared Services Ltd.
BUILDING 2 – DELT
Derriford Business Park
The main things the law says we must tell you about what we do with your personal data are:
A privacy notice (or ‘fair processing notice’) explains the information we collect about our patients and how it is used. Being open and providing clear information to patients about how an organisation uses their personal data is an essential requirement of the new UK General Data Protection Regulations (UK GDPR).
Under the UK GDPR, we must process personal data in a fair and lawful manner. This applies to everything that is done with patient’s personal information. This means that the organisation must:
Personal data must be processed in a fair manner – the UK GDPR says that information should be treated as being obtained fairly if it is provided by a person who is legally authorised or required to provide it. Fair processing means that the organisation has to be clear and open with people about how their information is used.
Amicus Health manages patient information in accordance with existing laws and with guidance from organisations that govern the provision of healthcare in England such as the Department of Health and theGeneral Medical Council.
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
This means ensuring that your personal confidential data (PCD) is handled clearly and transparently and in a reasonably expected way.
The Health and Social Care Act 2012 changed the way that personal confidential data is processed so it is important that our patients are aware of and understand these changes and that you have an opportunity to object and know how to do so.
We may also process your information for a particular purpose and therefore we may also be data processors. The purposes for which we use your information are set out in this privacy notice.
Our Caldicott guardian at Amicus Health is Kensa Harris, Practice Manager.
Information held by this organisation may include the following:
We collect and hold data for the purpose of providing healthcare services to our patients and we will ensure that the information is kept confidential. However, we can disclose personal information if:
To ensure you receive the best possible care, your records are used to enable the care you receive. Information held about you maybe used to help protect the health of the public and to help us to manage the NHS.
Information may be used for clinical audit purposes to monitor the quality of services provided, may be held centrally and may be used for statistical purposes. Where we do this, we ensure that patient records cannot be identified. Sometimes your information may be requested to be used for clinical research purposes – the organisation will always endeavour to gain your consent before releasing the information.
Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care. You can choose to withdraw your consent to your data being used in this way. When the organisation is about to participate in any new data-sharing scheme, we will make patients aware by displaying prominent notices and on our website at least four weeks before the scheme is due to start. We will also explain clearly what you have to do to ‘opt-out’ of each new scheme.
A patient can object to their personal information being shared with other healthcare providers but if this limits the treatment that you can receive then the doctor will explain this to you at the time.
The law states that personal information about your health falls into a special category of information because it is extremely sensitive. Reasons that may entitle us to use and process your information maybe as follows:
The law says we need a legal basis to handle your personal and healthcare information.
Your data is collected for the purpose of providing direct patient care; however, we are able to disclose this information if it is required by law, if you give consent or if it is justified in the public interest.
In order to comply with its legal obligations, this organisation may have to send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012. Additionally, we may have to contribute to national clinical audits and will send the data that is required by NHS Digital as the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form; for example, the clinical code for diabetes or high blood pressure.
Under the General DataProtection Regulation, we will be lawfully using your information in accordance with:
Whenever you use a health or care service, such as attending the local hospital or using the district nursing service, clinical information about you is collected to help ensure you get the best possible care and treatment. This information may be passed to other approved organisations where there is a legal basis to do so, to help with planning services, improving care, researching to develop new treatments and preventing illness. All of this helps in providing better care to you and your family and future generations.
However, as explained in this privacy notice, confidential information about your health and care is only used in this way as allowed by law and would never be used for any other purpose without your clear and explicit consent.
We may pass your personal information on to the following people or organisations because these organisations may require your information to assist them in the provision of your direct healthcare needs. It therefore may be important for them to be able to access your information in order to ensure they may deliver their services to you:
You will be informed who your data will be shared with and in some cases asked for explicit consent for this to happen when this is required.
This information only refers to you by way of a code that only your own practice can identify (it is pseudo-anonymised). This therefore protects you from anyone who may have access to this information at the Integrated Care Board from ever identifying you as a result of seeing the medical information and we will never give them the information that would enable them to do this.
The law gives you certain rights to your personal and healthcare information that we hold as set out below:
You have a right under the DataProtection legislation to request access to view or to obtain copies of what information the organisation holds about you and to have it amended should it be inaccurate. To request this, you need to do the following:
We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records Management Code of Practice for health and social care and national archives requirements.
More information on records retention can be found online at: NHSX – Records Management Code of Practice 2021.
All the personal data we process is processed by our staff in the UK. However, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.
No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place such as a data processor as above. We have data protection processes in place to oversee the effective and secure processing of your personal and/or special category data.
Amicus Health uses a clinical system provided by a data processor called EMIS. With effect from 10 June 2019, EMIS started storing the organisation’s EMIS web data in a highly secure, third-party cloud hosted environment, namely Amazon Web Services (‘AWS’).
Data does remain in the UK and will be fully encrypted both in transit and at rest. In doing this, there will be no change to the control of access to your data and the hosted service provider will not have any access to the decryption keys. AWS is one of the world’s largest cloud companies, already supporting numerous public sector clients (including the NHS), and it offers the highest levels of security and support.
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the UK General Data Protection Regulations (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty ofConfidentiality and the NHS Codes of Confidentiality and Security. Every staff member who works for an NHS organisation has a legal obligation to maintain the confidentiality of patient information.
All of our staff, contractors and locums receive appropriate and regular training to ensure they are aware of their personal responsibilities and have legal and contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Only a limited number of authorised staff have access to personal information where it is appropriate to their role and this is strictly on a need-to-know basis. If a sub-contractor acts as a data processor for Amicus Health, an appropriate contract (Article 24-28) will be established for the processing of your information.
We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e., life or death situations) or where the law requires information to be passed on and/or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.
Our organisational policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the UK General Data Protection Regulation (UK GDPR)and all UK specific data protection requirements. Our policy is to ensure all personal data related to our patients will be protected.
In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact the organisation in writing if you wish to withdraw your consent. In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.
We will normally ask you for your consent but there are times when we may be required by law to share your information without your consent, for example:
To enable us to deliver the best possible services, we will share data (where required) with other NHS bodies such as hospitals. In addition, the organisation will use carefully selected third party service providers. When we use a third-party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:
Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them that may breach their rights to confidentiality are removed before we send any information to any other party including yourself. Third parties can include spouses, partners and other family members.
Sometimes we may provide information about you in an anonymised form. If we do so, then none of the information we provide to any other party will identify you as an individual and cannot be traced back to you.
Auditing of clinical notes is done by Amicus Health as part of their commitment to the effective management of healthcare whilst acting as a data processor.
Article 9.2.h is applicable to the management of healthcare services and “permits processing necessary for the purposes of medical diagnosis, provision of healthcare and treatment, provision of social care and the management of healthcare systems or services or social care systems or services.’” No consent is required to audit clinical notes for this purpose.
Furthermore, compliance withArticle 9(2)(h) requires that certain safeguards are met. The processing must be undertaken by or under the responsibility of a professional subject to the obligation of professional secrecy or by another person who is subject to an obligation of secrecy.
Auditing clinical management is no different to a multi-disciplinary team meeting discussion whereby management is reviewed and agreed. It would be realistically impossible to require consent for every patient reviewed that is unnecessary. It is also prudent to audit under Health and Social Care Act 2008 (Regulated Activities) Regulations 2014: Regulation 17: Good Governance.
This organisation operates a clinical computer system on which NHS staff record information securely. This information can then be shared with other clinicians so that everyone caring for you is fully informed about your medical history including allergies and medication.
To provide around the clock safe care, unless you have asked us not to, we will make information available to our partner organisations. Wherever possible, their staff will ask your consent before your information is viewed.
Health and social care services in Devon and Cornwall have developed a system to share patient data efficiently and quickly and, ultimately, improvet he care you receive.
This shared system is called the Devon and Cornwall Care Record.
It’s important that anyone treating you has access to your shared record so they have all the information they need to care for you. This applies to your routine appointments and also in urgent situations such as going to A&E, calling 111 or going to an out-of-hours appointment.
It’s also quicker for staff to access a shared record than to try to contact other staff by phone or email.
Only authorised health and care staff can access the Devon and Cornwall Care Record and the information they see is carefully checked so that it relates to their job. Also, systems do not share all your data – just data that services have agreed is necessary to include.
For more information about the Devon and Cornwall Care Record, please go to
We share your record using GP Connect to make sure that, whether you are visiting the practice, attending hospital, or being seen in the community or at home by a care professional, everyone knows the care you need and how you want to be treated. Your electronic health record is available to local providers who are involved in your care. This includes the sharing of, personal contact details, diagnosis, medications, allergies and test results. Your records will be treated with the strictest confidence and can only be viewed if you use their service.
Please note that if you have previously dissented (opted-out) to sharing your records, this decision will be upheld.
Should you wish to opt-out of, please speak to a member of PST who will be able to update your personal preferences. Please note that by opting out of this sharing, other health professionals may not be able to see important medical information, which may impact on the care you receive.
Your information may be shared if you have received treatment to determine which Integrated Care Board (ICB) is responsible for paying for your treatment. This information may include your name, address and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.
Cohorts of our patients aged 40-74 not previously diagnosed with cardiovascular disease are eligible to be invited for an NHS Health Check. Nobody outside the healthcare team in Amicus Health will see confidential information about you during the invitation process.
As we are obliged to protect any confidential information we hold about you, it is imperative that you let us know immediately if you change any of your contact details.
We may contact you using SMS texting to your mobile phone should we need to notify you about appointments and other services that we provide to you involving your direct care. This is to ensure we are sure we are contacting you and not another person. As this is operated on an ‘opt out’ basis we will assume that you have given us permission to contact you via SMS if you have provided your mobile telephone number.Please let the organisation know if you wish to opt out of this SMS service. We may also contact you using the email address you have provided to us.
The objective of primary care networks (PCNs) is for group practices together to create more collaborative workforces that ease the pressure of GPs, leaving them better able to focus on patient care. All areas within England are covered by a PCN.
Primary Care Networks form a key building block of the NHS long-term plan. Bringing general practices together to work at scale has been a policy priority for some years for a range of reasons including improving the ability of practices to recruit and retain staff, to manage financial and estates pressures, to provide a wider range of services to patients and to integrate with the wider health and care system more easily.
All GP practices have come together in geographical networks covering populations of approximately 30–50,000 patients to take advantage of additional funding attached to the GP contract. This size is consistent with the size of the primary care homes that exist in many places in the country but are much smaller than most GP federations.
This means that Amicus Health may share your information with other practices within the Primary Care Network to provide you with your care and treatment.
Risk stratification is a mechanism used to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions, e.g., cancer. Your information is collected by a number of sources including Amicus Health. This information is processed electronically and given a risk score which is relayed to your GP who can then decide on any necessary actions to ensure that you receive the most appropriate care.
The organisation is dedicated to ensuring that the principles and duties of safeguarding adults and children are consistently and conscientiously applied with the wellbeing of all at the heart of what we do.
Our legal basis for processing for UK General Data Protection Regulation (UK GDPR) purposes is:
For the processing of special categories data, the basis is:
Safeguarding information such as referrals to safeguarding teams is retained by Amicus Health when handling a safeguarding concern or incident. We may share information accordingly to ensure a duty of care and investigation as required with other partners such as local authorities, the police or healthcare professionals (i.e., the mental health team).
To support your care and improve the sharing of relevant information to our partner organisations (as above) when they are involved in looking after you, we will share information to other systems.
You can opt out of this sharing of your records with our partners at any time if this sharing is based on your consent.
NHS England have implemented the SCR which contains information about you; including your name, address, date of birth, NHS number, medication you are taking and any bad reactions to medication that you have had in the past. This information is automatically extracted from your records and uploaded onto a central system.
Many patients who are seen outside of their GP Practice are understandably not able to provide a full account of their care or may not be in a position to do so. The SCR means patients do not have to repeat their medical history at every care setting and the healthcare professional they are seeing is able to access their SCR. TheSCR can only be viewed within the NHS on NHS smartcard-controlled screens or by organisations, such as pharmacies, contracted to the NHS.
As well as this basic record, additional information will also be added to include further information. You can find out more about the SCR here:
All patients with online accounts will be able to view all new entries in their GP medical records from the go-live date of November 2023. This access will be comprehensive, including the usual coded information alongside free text entries and letters/documents scanned into the clinical system.
Further information regarding this (including the steps that the practice must take) can be found in the email issued to practices on the 21st of June 2022. Additional information and resources are also available on the Home - NHS Digital
We may record telephone calls you make to us or we make to you in order to:
We do this in the interests of offering a good service to our patients and to protect our staff. If you object to this, you will need to end the call when you are told that calls maybe recorded. Alternative methods of communication are available.
Recordings will be kept for 6 months. This ensures that any subsequent investigation can be completed.
Your information may be shared with other organisations if they have a legal right to it.
The practice sometimes recruits patients for research studies supported by The South West Peninsula Clinical Research Network. All studies have been approved by an NHS Research Ethics Committee. If you are invited to participate in research there is no obligation to do so, and if you decline this will not affect your treatment in any way. Anonymised patient data may be used for research that is in the best interests of patients and the NHS as a whole.
As a practice we are supported in the set up and delivery of this research by experienced NIHR CRN staff who work as part of our practice team. These staff, as part of the practice team, will be able to access your patient record to identify if you would be eligible to participate in research opportunities, support recruitment and follow up activity related to clinical trials.
The RCGP email is: Research.Ready@rcgp.org.uk
We are a research practice and work with the NIHR Clinical Research Network for the South West NIHR Local | National Institute for Health and Care Research and the Clinical Practice Research Datalink 'CPRD' - part of the Medicines and Healthcare Products Regulatory Agency Safeguarding patient data | CPRD to deliver research studies and trials. Employees of the practices will access your information in order to determine whether you are suitable to be invited to participate in a study. We will only share your information with the research providers with your explicit consent. Further information regarding the research providers can be found here: UK Policy Framework for Health and Social Care Research - Health Research Authority (hra.nhs.uk)
Clinical Practice Research Datalink (CPRD)
This practice contributes to medical research and may send relevant data to CPRD. CPRD collects de-identified patient data from a network of GP practices across the UK. Primary care data is linked to a range of other health related data to provide a longitudinal, representative UK population health dataset. Further information regarding CPRD can be found here: Data protection and processing notice | CPRD
The National Cancer Registration and Analysis Service is run by Public Health England and is responsible for cancer registration in England, to support cancer epidemiology, public health, service monitoring and research.
Further information regarding the registry and your right to opt-out can be found at: National Cancer Registration and Analysis Service (NCRAS) - GOV.UK (www.gov.uk)
Data outside EEA:
We do not send your personal data outside of the EEA. However, if this is required, the practice would only do so, with your explicit consent.
If you use a link to any other website from the organisation’s website then you will need to read their respective privacy notice. We take no responsibility (legal or otherwise) for the content of other websites.
This is used by the NHS, local authorities, university and hospital researchers, medical colleges and pharmaceutical companies researching new treatments.
You can choose to opt out of sharing your confidential patient information for research and planning. There may still be times when your confidential patient information is used; for example, during an epidemic where there might be a risk to you or to other people’s health. You can also still consent to take part in a specific research project.
Your confidential patient information will still be used for your individual care. Choosing to opt out will not affect your care and treatment. You will still be invited for screening services such as screening for bowel cancer.
You do not need to do anything if you are happy about how your confidential patient information is used.
If you do not want your confidential patient information to be used for research and planning, you can choose to opt out by using one of the following:
The collection date is still to be confirmed, although when it has been, patient data will be collected from GP medical records about:
They will not collect your name or where you live. Any other data that could directly identify you, for example NHS number, General Practice Local Patient Number, postcode and date of birth, is replaced with unique codes that are produced by de-identification software before the data is shared with NHS Digital.
This process is called pseudonymisation and means that no one will be able to directly identify you from the data. The diagram helps to explain what this means. The diagram below helps to explain what this means and using the terms in the diagram, the data we share would be described as de-personalised.
We will share structured and coded data from GP medical records that is needed for specific health and social care purposes as explained above.
Data that directly identifies you as an individual patient, including your NHS number, General Practice Local Patient Number, postcode, date of birth and if relevant date of death, is replaced with unique codes produced by de-identification software before it is sent to NHS Digital. This means that no one will be able to directly identify you in the data.
NHS Digital will collect:
More detailed information about the patient data collected is contained within the Data Provision Noticed issued to GP practices.
NHS Digital will not collect:
When NHS Digital collects, analyses, publishes and shares patient data, there are strict laws in place that it must follow. Under the UK General Data Protection Regulation (UK GDPR), this includes explaining to patients what legal provisions apply under UK GDPR that allows it to process patient data. The UK GDPR protects everyone's data.
NHS Digital has been directed by the Secretary of State for Health and Social Care under the General Practice Data for Planning and Research Directions 2021 to collect and analyse data from GP practices for health and social care purposes including policy, planning, commissioning, public health and research purposes. NHS Digital is the controller of the patient data collected and analysed under the GDPR jointly with the Secretary of State for Health and Social Care.
All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the Data Provision Notice issued by NHS Digital to GP practices.
NHS Digital has various powers to publish anonymous statistical data and to share patient data under sections 260 and 261 of the 2012 Act. It also has powers to share data under other Acts, for example the Statistics and Registration Service Act 2007.
Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002 (COPI) also allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency. The Secretary of State has issued legal notices under COPI (COPI Notices) requiring NHS Digital, NHS England and Improvement, arm's-length bodies (such as Public Health England), local authorities, NHS trusts, clinical commissioning groups and GP practices to share confidential patient information to respond to the COVID-19 outbreak.
Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use confidential patient information.
NHS Digital will analyse and link the patient data we collect with other patient data we hold to create national data sets and for data quality purposes. NHS Digital will be able to use the de-identification software to convert the unique codes back to data that could directly identify patients in certain circumstances for these purposes, where this is necessary and where there is a valid legal reason. There are strict internal approvals which need to be in place before NHS Digital can do this and this will be subject to independent scrutiny and oversight by the Independent Group Advising on the Release of Data (IGARD).
These national data sets are analysed and used by NHS Digital to produce national statistics and management information including public dashboards about health and social care which are published. NHS Digital never publish any patient data that could identify any individual. All data they publish is anonymous statistical data.
All data that is shared by NHS Digital is subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the relevant health and social care purpose will be shared.
All requests to access patient data from this collection, other than anonymous aggregate statistical data, will be assessed by NHS Digital’s Data Access Request Service to make sure that organisations have a legal basis to use the data and that it will be used safely, securely and appropriately.
These requests for access to patient data will also be subject to independent scrutiny and oversight by the Independent Group Advising on the Release of Data (IGARD). Organisations approved to use this data will be required to enter into a data sharing agreement with NHS Digital regulating the use of the data.
There are several organisations that are likely to need access to different elements of patient data from the General Practice Data for Planning and Research collection. These include but may not be limited to:
If the request is approved, the data will either be made available within a secure data access environment within the NHS Digital infrastructure or, where the needs of the recipient cannot be met this way, as a direct dissemination of data. NHS Digital plan to reduce the amount of data being processed outside central, secure data environments and increase the data it makes available to be accessed via its secure data access environment.
Data will always be shared in the uniquely coded form (de-personalised data in the diagram above) unless in the circumstances of any specific request it is necessary for it to be provided in an identifiable form (personally identifiable data in the diagram above), for example, when express patient consent has been given to a researcher to link patient data from the General Practice for Planning and Research collection to data the researcher has already obtained from the patient. It is therefore possible for NHS Digital to convert the unique codes back to data that could directly identify patients in certain circumstances, and where there is a valid legal reason which permits this without breaching the common law duty of confidentiality. This would include:
This would mean that the data was personally identifiable in the diagram above. Re-identification of the data would only take place following approval of the specific request through the Data Access Request Service and subject to independent assurance by IGARD and consultation with the Professional Advisory Group which is made up of representatives from the BMA and the RCGP. If patients have registered a national data opt-out this would be applied in accordance with the national data opt-out policy before any identifiable patient data (personally identifiable data in the diagram above) about the patient was shared.
Details of who NHS Digital have shared data with, in what form and for what purposes are published on their data release register.
NHS Digital only stores and processes patient data for this data collection within the United Kingdom (UK). Fully anonymous data (that does not allow patients to be directly or indirectly identified), for example statistical data that is published, may be stored and processed outside of the UK.
Some of the NHS Digital processors may process patient data outside of the UK. If they do, they will always ensure that the transfer outside of the UK complies with data protection laws.
The data protection officer (DPO) for Amicus Health is Rebekah Lovewell.
In the unlikely event that you are unhappy with any element of our data-processing methods, do please contact the practice manager at Amicus Health in the first instance. If you feel that we have not addressed your concern appropriately, you have the right to lodge a complaint with the ICO. For further details, visit ico.gov.uk and select “Raising a concern” or telephone: 0303 123 1113.
The Information Commissioner’s Office is the regulator for the General Data Processing Regulations and offers independent advice and guidance on the law and personal data including your rights and how to access your personal information.