As part of our legal duties, this practice is required to:
- Maintain full and accurate records of the care and services we provide you
- Keep records about you confidential and secure
The practice aims to provide you with safe, high quality care that is based on accurate, up to date information.
This information allows us to work with others involved in your care and this may involve sharing information with other health and social care organisations.
- Basic details such as address, date of birth and next of kin
- Contact we have had with you
- Notes and reports about your health
- Details and records about your treatment and care
Others may also need to use records about you to:
- Check the quality of care you are receiving
- Protect the health of the general public
- Keep track of NHS spending
- Help investigate any concerns or complaints you ask us to
- Teach students or staff
- Support health and social care research
Sometimes we share your information with third parties to support your care such as:
- Social care
- Community Health
- Clinical Commissioning Groups
- Mental Health Providers
- NHS Digital
When we are sharing information to support third parties in providing your care, we will work hard to ensure it is the minimum necessary and that it is done so securely and lawfully. We aim to ensure that we only use your personal information in a way that you would reasonably expect.
When we share information that is used for healthcare management or planning, this does not allow for you to be identified.
Sometimes we will be required to share information for other reasons:
- When required to by law
- We have special permission for health or research purposes (e.g. if you have agreed to take part in a research trial)
- There is a strong public interest (e.g. there is a risk of serious harm or crime)
You can choose not to have information that could identify you shared beyond your GP practice. You can also choose to prevent information that does not identify you from being shared for planning and research.
Simply contact your GP either to register an opt-out or end an opt-out you have already registered and they will update your medical record. Your GP practice will also be able to confirm whether or not you have registered an opt-out in the past.
If you have previously told your GP practice that you don’t want NHS Digital to share your personal confidential information for purposes other than your own care and treatment, your opt-out will have been implemented by NHS Digital from 29th April 2016 as instructed in a direction from the Secretary of State. It will remain in place unless you change it.
As the Secretary of State’s direction, which included the policy on how to apply opt-outs, was not available before April 2016, it was not possible for NHS Digital to honour opt-outs made before this date. This means that information may have been shared without respecting these opt-outs between January 2014 and April 2016.
You can find more information on NHS Digital’s website:
Under Data Protection law, you have a right to:
- object to certain uses of your data
- be provided with a copy of the information held about you
- not have your information used for direct marketing purposes
- have any incorrect information amended or erased
Please contact your surgery for any requests made in connection with these rights.
For a copy of your information:
- Your request must be made in writing to your surgery
- The surgery is required to respond to your request in writing within 40 days (a month from May 2018)
- You will need to give the surgery your full name, address, date of birth and NHS number
- You will be required to provide personal identification such as a driving licence or passport
Use of the Website
Generally, our website will not require you to enter personal information. When it does, for example for online appointment booking, we will apply the same confidentiality principles as those described above.
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should be aware that we do not have any control over the other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting these sites.
We intend to protect the confidentiality, quality and integrity of your personal information and we have implemented appropriate technical and organisational measures to do so. These include staff training, up to date policies and procedures and working to align with national cyber security guidelines.
Fair Processing Notice
Being transparent with individuals about how their personal data is used is a key aspect of privacy and confidentiality law. GDPR introduced transparency as a new requirement into the first data protection principle, which states that processing must be ‘fair, lawful and transparent’. Information communicated to individuals should be provided in a layered approach, in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The first “layer” is an A3 notice containing the headline principles of sharing, which then signposts documents containing progressively more detailed information on both your website and CCG based sites.
To meet common law duty of confidentiality expectations, patients should also be aware and have a reasonable expectation that their information will be used for specified purposes if implied consent is to be used as the lawful basis.
Patients should have confidence about how their medical information is used, be aware of which purposes it’s used for, and understand the rights that they have in relation to their information. The NHS Constitution states that patients have the right to be informed about how their information is used. It is vital that patients trust how we use their data.
As with other GDPR undertakings, Fair Processing Notices are not just a tick box exercise. We need to be having a rolling “conversation” with our patients explaining how their personal data is used to support their healthcare and this can and should be delivered through a variety of different media which include but are not limited to:
- Direct conversation
- Paper and electronic documents
- YouTube videos
- Social media
- Radio/TV and other ‘broadcasting’
- Public engagement meetings
Meaningful and regular communication through various media and in different settings is one of the most important aspects of GDPR. Once our patients understand how their information is processed and know how to exercise choice, consent becomes almost academic. This remains an area we need to improve on and in addition to your input at the practice level, there are plans for a London wide campaign to promote better understanding of how we share records.
Talking about record sharing in our practice meetings will help improve staff understanding and enable them to better signpost and support patients.
Where information is collected from the data subject, GDPR details the information that needs to be provided to data subjects in Article 13, including:
- Contact details of the controller and the controller’s data protection officer
- Purposes of processing
- The lawful basis for processing
- Recipients of personal data
- Retention of data
- Data subject rights
Much of this information should already be held in the organisation’s Information Asset Register and records of processing, which helps to inform the fair processing material. GDPR mandates that all this information is provided, albeit in a variety of ways and at varying levels of detail. Therefore, all this information does not have to be provided in every single document, but it is essential that all of it is provided and easily accessible somewhere. How this can be presented is discussed below.
Content should be aimed at differing levels of understanding and capacity, especially when it relates to processing of children’s data. Therefore, consideration should be given not only to the content but the language used to provide the content. Fair processing information could be provided and discussed in patient engagement groups to ensure it is understood by patients with no NHS or privacy background.
Providing information to data subjects can take many forms and can no longer only be a statement on a website. In Practices, one of the most effective methods to provide high-level detail to patients is via easily readable posters in the waiting rooms or offices. This can include the basics which patients need to know, including the purposes their information is used for, who it may be shared with, and the key rights associated to their data, such as an objection to processing and access to their records. Such high-level materials can then provide information on where to get more information if required.
To ensure all information that is referred to in the Content section (above) is available, a larger document can then be produced which covers this. This can be made available on organisation websites as well as in print form for those data subjects who do not have access to the internet. Given that information must be provided to all, it would also be advantageous to have this available in different languages, either translated and provided in a separate document or via browser software such as Google Translate, allowing the data subject to have it translated at the point of use.
These methods will primarily focus on those who either actively visit Practices or Practice websites, so consideration should also be given to reaching those who may have limited contact but whose personal data is still processed. This could include taking out high-level advertisements in local media, use of local advertisements in public areas or postal campaigns. A simple way of informing patients of where to access such information could be a statement in the footer of all headed letters sent out by the Practice.
- Information Commissioner’s Office ‘The right to be informed’ guidance
- Information Commissioner’s Office right to be informed checklist
A number of documents have been produced to give Practices a starting place to inform their patients of the processing taking place. These include:
- An A4 GP Fair Processing Notice including all the required fields as stated in Article 13 of GDPR.
- An A3 GP information sharing poster which can be used in your waiting rooms/offices (Example pending feedback)
- An A3 GP fair processing notice poster which can be used in your waiting rooms/offices (Example pending feedback)