View our Weight Management policy here.
ADHD Policy
View our ADHD policy here.
Easy Read Privacy Notice
View / Download our Easy Read Privacy Notice.
Privacy Notice – Candidates Applying for Work
Version: | Review date: | Edited by: | Approved by: | Comments: |
V1 | Nov 2023 | T Fitzmaurice | H Farrar | |
Table of contents
2.2 Why and how it applies to them
3.2 Data Protection Act 2018 (DPA18)
3.3 Information Commissioner’s Office (ICO)
3.4 UK General Data Protection Regulation (UK GDPR)
4 Compliance with regulations
4.3 Communicating privacy information
5.1 Privacy notice checklists
Annex A – Candidates applying for work privacy notice
1 Introduction
1.1 Principles
NHS Digital is a data controller and has a legal duty, in line with the UK General Data Protection Regulation (UK GDPR), to explain why it is using data and what data is being used. Similarly, Oulton Medical Centre has a duty to advise candidates applying for work of the purpose of personal data and the methods by which their personal data will be processed.
1.2 Status
The organisation aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have with regard to the individual protected characteristics of those to whom it applies.
This document and any procedures contained within it are non-contractual and may be modified or withdrawn at any time. For the avoidance of doubt, it does not form part of your contract of employment.
1.3 Training and support
The organisation will provide guidance and support to help those to whom it applies to understand their rights and responsibilities under this policy. Additional support will be provided to managers and supervisors to enable them to deal more effectively with matters arising from this policy.
2 Scope
2.1 Who it applies to
This document applies to all candidates applying for work within Oulton Medical Centre.
Furthermore, it applies to clinicians who may or may not be applying to be employed by the organisation but who will be working under the Additional Roles Reimbursement Scheme (ARRS).[1]
2.2 Why and how it applies to them
Every candidate should be aware of the candidate privacy notice and understand how information may be used and with whom the organisation will share that information.
The first principle of data protection is that personal data must be processed fairly and lawfully. Being transparent and providing accessible information to persons about how their personal data is used is a key element of the UK General Data Protection Regulation.
3 Definition of terms
3.1 Privacy notice
A statement that discloses some or all of the ways in which the organisation gathers, uses, discloses and manages a person’s data. It fulfils a legal requirement to protect a person’s privacy.
3.2 Data Protection Act 2018 (DPA18)[2]
The Data Protection Act (DPA18) will ensure continuity by putting in place the same data protection regime in UK law pre- and post-Brexit.
3.3 Information Commissioner’s Office (ICO)[3]
The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
3.4 UK General Data Protection Regulation (UK GDPR)[4]
The UK GDPR replaced the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe to protect and empower all EU citizens’ data privacy and to reshape the way in which organisations across the region approach data privacy. The UK GDPR came into effect in May 2018.
3.5 Data controller
The entity that determines the purposes, conditions and means of the processing of personal data
3.6 Data subject
A natural person whose personal data is processed by a controller or processor
4 Compliance with regulations
4.1 UK GDPR
In accordance with the UK GDPR, this organisation will ensure that information provided to subjects about how their data is processed will be:
- Concise, transparent, intelligible and easily accessible
- Written in clear and plain language, particularly if addressed to a child
- Free of charge
4.2 Article 5 compliance
In accordance with Article 5 of the UK GDPR, this organisation will ensure that any personal data is:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate having regard to the purposes for which it is processed, is erased or rectified without delay
- Kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
- Processed in a manner that ensures the appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures
Article 5 also stipulates that the controller shall be responsible for, and be able to demonstrate compliance with, the above.
4.3 Communicating privacy information
At Oulton Medical Centre, the organisation’s candidates applying for work privacy notice is displayed on our website and in writing if requested.
We will:
- Inform candidates how their data will be used and for what purpose
- Allow candidates to opt out of sharing their data, should they so wish
5 Further information
5.1 Privacy notice checklists
The ICO has provided a privacy notice checklist that can be used to support the writing of the organisation’s privacy notice. The checklist can be found by following this link.
5.2 Privacy notice template
A privacy notice template can be found at Annex A.
It is recognised that the type and style of privacy notices may vary. However, this privacy notice template has been reviewed as appropriate by a current DATA PROTECTION OFFICER. It is acknowledged to be extensive and covers all eventualities that may occur around information governance.
5.3 e-Learning
Both General Data Protection Regulation (GDPR) and GDPR – The Perfect Practice e-Learning courses are available on the HUB.
6 Summary
It is the responsibility of all candidates applying for work at Oulton Medical Centre to ensure that they understand what information is held about them and how this information may be used.
Furthermore, the organisation must adhere to the DPA18 and the UK GDPR to ensure compliance with extant legal rules and legislative acts.
Annex A – Candidates applying for work privacy notice
Introduction
At Oulton Medical Centre we have a legal duty to explain how we use any personal information we collect about you at the organisation. We collect records during the recruitment stage and then data is continued to be collected for any successful candidate. This is in both electronic and paper format.
This privacy notice applies to personal information processed by or on behalf of Oulton Medical Centre. We are required to provide you with this privacy notice by law. It provides information on how we use the personal and healthcare information we collect, store and hold about you. If you have any questions about this privacy notice or are unclear about how we process or use your personal information or have any other issue regarding your personal and healthcare information, then please contact our data protection officer Louise Whitworth. Contact details: wyicb-leeds.dpo@nhs.net
This notice explains:
- Who we are, how we use your information and our Data Protection Officer (DPO)
- What kind of personal information about you we process
- What the legal grounds are for our processing of your personal information (including when we share it with others)
- What you should do if your personal information changes
- How long your personal information is retained by us
- What your rights are under data protection laws
The UK General Data Protection Regulation (UK GDPR) became law on 24th May 2016. This is a single EU-wide regulation on the protection of confidential and sensitive information. It entered into force in the UK on the 25th May 2018, repealing the Data Protection Act (1998).
For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) and the Data Protection Act 2018 (DPA2018)), the organisation responsible for your personal data is [insert organisation name].
This notice describes how we collect, use and process your personal data and how, in doing so, we comply with our legal obligations to you. Your privacy is important to us and we are committed to protecting and safeguarding your data privacy rights. This privacy policy applies to the personal data collected from candidates applying for roles within the organisation.
How we use your information and the law
Oulton Medical Centre will be what is known as the ‘controller’ of the personal data you provide to us. Upon applying for work with the organisation you will be asked to supply the following personal information:
- Name
- Address
- Telephone numbers
- Email address
- Date of birth
- Previous employment data
- Recruitment information such as your application form and CV, references, qualifications and membership of any professional bodies and details of your employment history, skills and experience
- Information about your current level of remuneration, including benefit entitlements
- Whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process
- Information in relation to your right to work in the UK [as per the Rights to Work in the UK – guide to checking]
- Information from the Disclosure and Barring Service (DBS) in order to administer relevant checks and procedures
- Vaccination and immunisation status/information
The information that we ask you to provide to the organisation is required for the following reasons:
- In order for us to review your application
- In order for us to contact you with interview details
- To comply with appropriate employment law
- To ensure that we can provide any reasonable adjustments as necessary
The organisation may collect this information in a variety of ways, for example from application forms, CVs or resumes, obtained from your passport or other identity documents such as your driving licence and from forms completed by you or through interviews, meetings or other assessments including on-line tests.
This personal data might be provided to us by you, or someone else (such as a former employer’s reference, information from background check providers including criminal records checks permitted by law) or it could be created by us.
The organisation will seek information from third parties only once a job offer has been made to you and we will inform you that we are doing so.
Your personal data will be stored in a range of different places including in your application record, in the organisation’s HR management systems and in other IT systems (including the organisation’s email system).
Throughout the application process we will collect data and add this to your personnel file i.e., interview question answers, interview scores etc.
Special categories of personal data
Some special categories of personal data, such as information about health or medical conditions, are processed to carry out employment law obligations (such as those in relation to job applicants with disabilities).
For some roles, the organisation is obliged to seek information about criminal convictions and offences. Where we seek this information, we do so because it is necessary for us to carry out our obligations and exercise specific rights in relation to employment.
If your application is unsuccessful, the organisation may keep your personal data on file in case there are future job opportunities for which you may be considered. We will seek your consent to do this and you are free to withdraw your consent at any time.
How do we lawfully use your data?
We need to know your personal, sensitive and confidential data in order to employ you. Under the General Data Protection Regulation we will be lawfully using your information in accordance with:
- Article 6, (b) Necessary for performance of/entering into contract with you
- Article 9(2) (b) Necessary for controller to fulfil employment rights or obligations in employment
This notice applies to the personal data of our candidates applying for work at Oulton Medical Centre.
How do we maintain the confidentiality of your record?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- Data Protection Act 2018
- The UK General Data Protection Regulations
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- NHS Codes of Confidentiality, Information Security and Records Management
We will only ever use or pass on information about you to others who have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e., life or death situations) or where the law requires information to be passed on.
Our policy is to respect the privacy of our candidates and to maintain compliance with the UK General Data Protection Regulation (UK GDPR) and all UK specific Data Protection Requirements. Our policy is to ensure all personal data will be protected.
All employees and sub-contractors engaged by Oulton Medical Centre are asked to sign a confidentiality agreement. The organisation will, if required, sign a separate confidentiality agreement if the client deems it necessary. If a sub-contractor acts as a data processor for Oulton Medical Centre, an appropriate contract (art 24-28) will be established for the processing of your information.
Where do we store your information electronically?
All the personal data we process is processed by our organisation in the UK. However, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.
No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place. We have a data protection regime in place to oversee the effective and secure processing of your personal and or special category (sensitive, confidential) data.
Who are our partner organisations?
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:
- Primary Care Networks
- Integrated Care Systems
- NHS Commissioning Support Units
- Clinical Commissioning Groups
- NHS England (NHSE) and NHS Digital (NHSD)
- Local authorities
- CQC
- Private sector providers providing employment services
- Other ‘data processors’ which you will be informed of
Sharing your personal data
Your information may be shared internally for the purpose of the recruitment exercise, including with members of the HR and recruitment team, interviewers in the recruitment process, managers in the business area with the vacancy and IT staff if access to the data is necessary for performance of their roles.
The organisation will not share your personal data with third parties except those engaged for the purposes of the recruitment process or unless your application for employment is successful and we make you an offer of employment. We will then share your data with former employers to obtain references for you, employment background check providers to obtain necessary background checks and the Disclosure and Barring Service to obtain necessary criminal record checks.
The organisation will not transfer your data to countries outside the European Economic Area.
You will be informed who your data will be shared with and in some cases asked for consent for this to happen when this is required.
We may also use external companies to process personal information such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure. All employees and sub-contractors engaged by Oulton Medical Centre are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor for the organisation, an appropriate contract (art 24-28) will be established for the processing of your information.
Who is the data controller?
Oulton Medical is registered as a data controller under the Data Protection Act 2018. Our registration number is Z598614X and our registration can be viewed online in the public register at http://www.ico.gov.uk. This means we are responsible for handling your personal and healthcare information and collecting and storing it appropriately.
We may also process your information for a particular purpose and therefore we may also be data processors. The purposes for which we use your information are set out in this privacy notice.
How long do we keep your personal information?
We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records Management Code of Practice for health and social care and national archives requirements.
If your application is unsuccessful, the organisation will hold your personal data for a period of six months following the recruitment process. If you agree to allow the organisation to keep your personal data on file, for consideration for future job opportunities, we will hold your data for a further six months. At the end of that period (or once you withdraw consent), your data will be deleted or destroyed.
If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment.
More information on records retention can be found online at: NHSX – Records Management Code of Practice 2020.
Storing DBS certificates
The correct storage of DBS certificate information is important. The code of practice requires that the information revealed is considered only for the purpose for which it was obtained and should be destroyed after six months.
How can you access, amend or move the personal data that you have given to us?
Even if we already hold your personal data, you still have various rights in relation to it. For further information about this, please contact the practice manager. We will seek to deal with your request without undue delay and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise.
- Right to object: If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply.
- Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities (for example for a research project), or consent to market to you, you may withdraw your consent at any time.
- Right to erasure: In certain situations (for example, where we have processed your data unlawfully), you have the right to request us to “erase” your personal data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases) and will only disagree with you if certain limited conditions apply. If we do agree to your request, we will delete your data but will generally assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data is collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so.
- Right of data portability: If you wish, you have the right to transfer your data from us to another data controller.
Your rights as a candidate applying for work
Data Subject Access Requests (DSAR): You have a right under the data protection legislation to request access to view or to obtain copies of what information this organisation holds about you and to have it amended should it be inaccurate. To request this, you need to do the following:
- Your request should be made to The Practice Manager, Oulton Medical Centre, Quarry Hill, Oulton, Leeds LS26 8SZ
- There is no charge to have a copy of the information held about you. However we may, in some limited and exceptional circumstances, have to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive
- We are required to provide you with information within one month. We would ask therefore that any requests you make are in writing and it is made clear to us what and how much information you require
- You will need to give adequate information (for example full name, address, date of birth and details of your request) so that your identity can be verified and your records located
What should you do if your personal information changes?
You should tell us so that we can update our records. Please contact the management team as soon as any of your details change; this is especially important for changes of address or contact details (such as your mobile phone number).
What to do if you have any questions
Should you have any questions about this privacy policy or the information we hold about you, you can:
- Contact the organisation via email at: marshstreet@nhs.net
- Write to the data protection officer at Oulton Medical Centre, Quarry Hill, Oulton, Leeds LS26 8SX
- Ask to speak to the practice manager or the deputy practice manager
The data protection officer (DPO) for Oulton Medical Centre is Louise Whitworth
Objections or complaints
In the unlikely event that you are unhappy with any element of our data-processing methods, do please contact the practice manager at Oulton Medical Centre in the first instance. If you feel that we have not addressed your concern appropriately, you have the right to lodge a complaint with the ICO. For further details, visit ico.gov.uk and select “Raising a concern” or telephone: 0303 123 1113
The Information Commissioner’s Office is the regulator for the General Data Processing Regulations and offers independent advice and guidance on the law and personal data including your rights and how to access your personal information.
Changes to our privacy policy
We regularly review our employee privacy policy and any updates will be published to reflect the changes.
Infection Control
INFECTION CONTROL STATEMENT
It is vital to Dr Freeman and Partners to ensure that our patients receive excellent care in a place safe from the risk of infection. It is of the utmost importance to us to keep our patients safe, and regular reviews of our infection control practices help us to maintain our high standards of care.
The statement summarises:-
- Any infection transmission incidents and any action taken (these will have been reported in accordance with our Significant Event Procedure).
- Details of any infection control audits undertaken and actions undertaken.
- Details of any risk assessments undertaken for prevention and control of infection.
- Details of any staff training.
- Any review and update of policies, procedures and guidelines.
Infection Transmission Incidents (Significant Events)
Significant events (which may involve examples of good practice as well as challenging events) are investigated in detail to see what can be learnt and to indicate changes that might lead to future improvements. All significant events are reviewed and discussed in the time in session and cascaded to all relevant staff.
COVID-19 was a significant event in 2020/21 and is ongoing. Dr Freeman and Partners are following all NHS England Guidance and Standard Operating Procedures for General Practice.
As a result of any events, Dr Freeman and Partners:
- Continue with annual infection control updates for both clinical and non-clinical staff.
- Ensure infection control guidance remains accessible to all staff
- Training is recorded and monitored
Infection Prevention Audits and Actions
The Annual Infection Prevention and Control audit was completed by Vicky Hindle, Infection Control Lead, in August 2022.
Handwashing assessments are carried out for all staff, clinical and non-clinical, and will be completed by August 31st 2022.
Cleaning Specifications
Dr Freeman and Partners have contracted cleaners which we closely monitor. Rooms are cleaned according to their usage/purpose and cleaned appropriately.
All equipment used by clinical staff is either single use or cleaned after patient usage. Cleaning logs are maintained.
Risk Assessments
Risk assessments are carried out so that best practice can be established and then followed.
- Legionella (Water) Risk Assessments: The practice reviews its water safety risk assessment to ensure that the water supply does not pose a risk to patients, visitors or staff.
- Coli incidences
- Immunisation: As a practice we ensure that all our staff are up to date with their Hepatitis B immunisations and any occupational health vaccinations applicable to their role (i.e., MMR, Seasonal Flu, COVID-19). We take part in the National Immunisation campaigns for patients and offer vaccinations in surgery at PCN sites (COVID-19 Vaccinations only) and via home visits to our patient population.
- Curtains: Disposable curtains are used in clinical rooms and are changed every 12 months according to manufacturer instruction.
Training
All our staff complete an annual e-learning infection control update. The practice Infection Control lead and Practice Manager attend an annual Infection Control Update. Updates for 20/21 have been remote due to COVID-19 restrictions. Dates for 21/22 are being looked at to be able to attend.
Policies
All Infection Prevention Control related policies are in date. Policies relating to Infection Control are available to all staff and are reviewed and updated annually, and all are amended on an on-going basis as current advice, guidance and legislation changes.
Responsibility
It is the responsibility of each individual to be familiar with this Statement and their roles and responsibilities under this.
Responsibility for Review
The Infection Prevention and Control Lead and the Practice Manager are responsible for reviewing and producing the Annual Statement.
Hilary Farrar (Practice Manager)
Vicky Hindle (Lead Nurse)
V.Hindle 18/8/22
Non NHS Services
Private Work Fees
Some services provided fall outside the scope of the NHS and therefore attract charges. Examples include the following:
- Medicals for pre-employment, sports and driving requirements (HGV, PSV etc.)
- Insurance claim forms
- Prescriptions for taking medication abroad
- Private sick notes
Our reception staff will be happy to advise you about appointment availability and applicable charges.
Disabled Access
We make every effort to make the surgery accessible for disabled patients. There is access through the main door and we have a wheelchair available for use in surgery.
Hearing Difficulties
If you are experiencing hearing difficulties when being called in to see the doctor or nurse, please do let us know in order for us to set up an alert on your medical records and personally collect you from the waiting room. Alternatively, we do have the facility of a portable induction loop. If you would like to use this, please ask at reception for assistance.
Safe Surgeries Declaration
IS PROUD TO BE A SAFE SURGERY FOR EVERYONE IN OUR COMMUNITY
In recognition of the barriers to healthcare access faced by people in vulnerable circumstances, including migrants, we commit to protecting the human right to health.
We will take steps to ensure that everyone in our community may fulfil their entitlement to quality healthcare.
In partnership with Doctors of the World UK, we will ensure that our practice offers a welcoming space for everyone who seeks to use our services.
Mindful of our duties to uphold equality and human rights law, we will implement patient registration policies which do not discriminate based on race, gender, sexual orientation, immigration status or any other characteristic.
Supported by the Safe Surgeries initiative, we will ensure that our staff understand the specific barriers faced by migrants in vulnerable circumstances and that they are empowered to mitigate these barriers, where possible.
We will ensure that a lack of identification or proof of address, immigration status or language do not prevent patient registration.
As a member of the Safe Surgeries community, we will endeavour to support other Safe Surgeries and, where appropriate, provide feedback to Doctors of the World UK to support the development of the network.