All Polices

Privacy Policy

Oulton Medical Centre Privacy Notice

 

We understand how important it is to keep your personal information safe and secure and we take this very seriously. We have taken steps to make sure your personal information is looked after in the best possible way and we review this regularly.

 

Please read this privacy notice (‘Privacy Notice’) carefully, as it contains important information about how we use the personal and healthcare information we collect on your behalf.

 

Our contact details as data controller

 

Name: Oulton Medical Centre

 

Address: Quarry Hill, Oulton, Leeds LS26 8SZ

 

Phone number: 0113 2822138

 

Email: oultonmedical.centre@nhs.net

 

We are the data controller for your information. A controller decides on why and how information is used and shared.

 

The practice is registered with the Information Commissioners Office as a Data Controller- our registration number is: Z598614X and you can view our registration here https://ico.org.uk

 

Data Protection Officer contact details [if applicable

 

Our Data Protection Officer is Aaron Linden and is responsible for monitoring our compliance with data protection requirements. You can contact them with queries or concerns relating to the use of your personal data at wyicb-leeds.dpo@nhs.net.

 

Why we collect your information?

 

As a GP practice we are responsible for your day-to-day medical care and the purpose of this notice is to inform you of the type of information that we hold about you, how that information is used for your care, our legal basis for using the information, who we share this information with and how we keep it secure and confidential.

 

It covers information we collect directly from you (that you have either provided to us, or from consultations with staff members), or we collect from other organisations who manage your care (such as hospitals or community services).

 

We are required by law to maintain records about your health and treatment, or the care you have received within any NHS service.

 

These records help to ensure that you receive the best possible care. They may be paper or electronic and they may include:

 

  • Basic details about you such as name, address, email address, NHS number, date of birth, next of kin, etc.
  • Contact we have had with you such as appointments or clinic visits.
  • Notes and reports about your health, treatment and care
  • Details of diagnosis and treatment given
  • Information about any allergies or health conditions.
  • Results of x-rays, scans and laboratory tests.
  • Relevant information from people who care for you and know you well such as health care professionals and relatives.
  • For visitors to the practice basic information such as name and vehicle registration number

 

By providing the Practice with their contact details, patients are agreeing to the Practice using those channels to communicate with them about their healthcare, i.e. by letter (postal address), by voice mail or voice message (telephone or mobile number), by text message (mobile number) or by email (email address).

 

You can find more detailed information about how we your information for the following specific purposes here:

 

  • Primary Care Networks
  • For commissioning and healthcare planning
  • Population Health Management
  • Leeds Care Record
  • Summary Care Record
  • Research – Find out how health researchers use information.
  • Safeguarding, life or death situations and other circumstances we are required to share information.

 

What information do we collect?

 

Personal information

 

We currently collect and use the following personal information:

 

  • personal identifiers and contacts (for example, name and contact details)

 

More sensitive information

 

We process the following more sensitive data (including special category data):

 

  • data concerning physical or mental health (for example, details about your appointments or diagnosis)
  • data revealing racial or ethnic origin
  • data concerning a person’s sex life
  • data concerning a person’s sexual orientation
  • genetic data (for example, details about a DNA sample taken from you as part of a genetic clinical service)
  • data revealing religious or philosophical beliefs
  • data relating to criminal or suspected criminal offences

 

 

How do we use your information and how do we get it?

 

As health professionals, we maintain records about you to direct, manage, and deliver the care you receive. By registering with the practice, your existing records will be transferred to us from your previous practice so that we can keep them up to date while you are our patient and if you do not have a previous medical record (a new-born child or coming from overseas, for example), we will create a medical record for you.

 

We take great care to ensure that your information is kept securely, that it is up to date, accurate and used appropriately. In the practice, individual staff will only look at what they need in order to carry out tasks such as booking appointments, making referrals, supporting your care, or to support the management of the services we provide.

 

The personal information we collect is provided directly from you for one of the following reasons:

 

  • you have provided information to seek care – this is used directly for your care, and also to manage the services we provide, to clinically audit our services, investigate complaints, or to be used as evidence as part of an investigation into care

 

  • if you have signed up to our newsletter / patient participation group, we will engage with you to seek you comments and views on the practice.

 

  • If you have made a complaint we will need to collect information about the complaint which will include your personal information. We may also need to gain additional information from, or share information we have with, other healthcare providers and NHS organisations in order to process and investigate your complaint.

 

We also receive personal information about you from others, in the following scenarios:

 

  • from other health and care organisations involved in your care so that we can provide you with care

 

  • from family members or carers to support your care

 

 

The NHS care record guarantee

 

The Care Record Guarantee is our commitment that we will use records about you in ways that respect your rights and promote your health and wellbeing. Copies of the full document can be obtained from:

 

https://webarchive.nationalarchives.gov.uk/ukgwa/20130513181549/http:/www.nigb.nhs.uk/guarantee

 

 

Primary Care Networks:

All practices in the UK are members of a Primary Care Network (PCN), which is a group of practices who have chosen to work together and with local community, mental health, social care, pharmacy, hospital and voluntary services to provide care to their patients.

PCNs are built on the core of current primary care services and enable greater provision of proactive, personalised, coordinated and more integrated health and social care.

We are members of LS25/26 PCN along with Garforth Medical Centre, Lofthouse Surgery, Nova Scotia Medical Centre, Kippax Hall Surgery, Gibson Lane Surgery and Moorfield House, Rothwell & Garforth Surgery.

This arrangement means that practices within the same PCN may share data with other practices within the PCN, for the purpose of patient care (such as extended hours appointments and other services), Each practice within the PCN is part of a stringent data sharing agreement that means that all patient data shared is treated with the same obligations of confidentiality and data security.

 

For commissioning and healthcare planning purposes:

In some cases, for example when looking at population healthcare needs, some of your data may be shared (usually in such a way that you cannot be identified from it). The following organisations may use data in this way to inform policy or make decisions about general provision of healthcare, either locally or nationally.

 

In order to comply with its legal obligations we may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012.

 

This practice contributes to national clinical audits and will send the data which are required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form, for example, the clinical code for diabetes or high blood pressure.

 

Population Health Management:

Population Health Management (PHM) is about improving the physical and mental health of people.  It involves analysing data, in a format which does not identify individuals, and using the results to help making decisions on ways to prevent ill-health, improve care, reduce hospital admissions and help ensure that the most effective services are available for our patients.

 

The benefits of PHM are:

  • to help frontline teams understand current health and care needs and predict what will be needed in the future.
  • to identify specific groups of patients that are high risk and would benefit from direct interventions to improve their health and wellbeing.
  • to improving the standard and quality of care.
  • to prevent people needing hospital care unless necessary
  • to support Working across different organisations in the health and care sector, to a positive difference to people’s lives. This can be supported by joining the data dots to tackle health inequalities we know exist across West Yorkshire.
  • to identify gaps in services, as well as inform service redesigns.

 

We, and other healthcare providers like the hospital and community service providers, send information that relates to you to our data processor the North of England Commissioning Support Unit (NECS). NECS then pseudonymise this data, which means the information that could identify you is removed and is replaced with a pseudonym.  Information about the different health and care interventions you have had is then linked together so that it can be analysed without identifying you.

 

This pseudonymised data is then shared with West Yorkshire Integrated Care Board who will analyse the data to carry out commissioning and planning services and Population Health Management. Sometimes this analysis identifies individuals who might benefit from direct interventions to prevent illness. The results relating to patients registered at our practice are sent back to us so that we can assess who would benefit or require a particular healthcare intervention.

 

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything.

 

If you do not want your data to be used in this way, you can opt-out of all planning and research initiatives through the national data opt-out service. Access this service online at www.nhs.uk/your-nhs-data-matters or by calling: 0300 303 5678.

 

Leeds Care Record

The Leeds Care Record (LCR) provides health and social care professionals directly involved in your care access to the most up to date information about you. It does this by sharing appropriate information from your medical and care records between health and social care services in Leeds.

 

At the moment, every health and social care organisation that you use has a different set of patient records for you. These records may duplicate information, or one record might hold information about your treatment, care and support that another one does not.

 

In Leeds, we have developed a virtual system called the Leeds Care Record. If you live in Leeds you will have a Leeds Care Record created for you. It is held on a secure computer system and includes some key health and social care information about you. The information is taken from other medical records you may have such as your GP record, hospital records or social care records.

 

If you do not want your information being shared on the LCR you can object to this, by contacting the LCR.

 

Summary Care Record

Your Summary Care Record (SCR) is a short summary of your GP medical records. It tells other health and care staff who care for you about the medicines you take and your allergies.

 

All patients registered with a GP have a SCR, unless they have chosen not to have one. Your SCR contains basic information about allergies and medications and any reactions that you have had to medication in the past.

 

Some patients, including many with long term health conditions, have previously agreed to have Additional Information shared as part of their Summary Care Record. This additional information includes information about significant medical history (past and present), reasons for medications, care plan information and immunisations.

 

The purpose of SCR is to improve the care that you receive, however, if you don’t want to have an SCR you have the option to opt out. If this is your preference please inform your GP or fill in an SCR patient consent preferences form and return it to your GP practice.

 

For research purposes

Research data is usually shared in a way that individual patients are non-identifiable.  Occasionally where research requires identifiable information you may be asked for your explicit consent to participate in specific research projects.  The surgery will always gain your consent before releasing any information for this purpose, unless the research has been granted a specific exemption from the Confidentiality Advisory Group of the Health Research Authority

 

Where specific information is asked for, such as under the National Diabetes audit, you will be given the choice to opt of the audit.

For safeguarding purposes, life or death situations or other circumstances when we are required to share information:

 

The Practice is dedicated to ensuring that the principles and duties of safeguarding adults and children are holistically, consistently and conscientiously applied with the wellbeing of all, at the heart of what we do.

We may also disclose your information to others in exceptional circumstances (i.e. life or death situations) or in accordance with Dame Fiona Caldicott’s information sharing review (Information to share or not to share).

For example, your information may be shared in the following circumstances:

  • When we have a duty to others e.g. in child protection cases
  • Where we are required by law to share certain information such as the birth of a new baby, infectious diseases that may put you or others at risk or where a Court has decided we must.

Who do we share information with?

 

We share information about you with other health professionals to support your care, and in more limited ways for indirect care purposes:

  • NHS Trusts and hospitals that are involved in your care.
  • Community Care Teams
  • West Yorkshire ICB
  • Care homes
  • Other General Practitioners (GPs) or Primary Care Networks (which are groups of GP Practices).
  • Ambulance Services.
  • Social Care Services.
  • Education Services.
  • Local Authorities.
  • Police and Judicial Services
  • Fire and Rescue Services
  • NHS England and NHS Digital
  • Voluntary and private sector providers working with or for the NHS. Such as Dentists, Pharmacies. Opticians & care homes
  • Other ‘data processors’

 

Sometimes we may provide information about you in an anonymised form. Such information is used to analyse population-level heath issues and helps the NHS to plan better services. If we share information for these purposes, then none of the information will identify you as an individual and cannot be traced back to you.

 

From time to time we may offer you referrals to other providers, specific to your own health needs not included in the list above. In these cases we will discuss the referral with you and advise you that we will be sharing your information (generally by referral) with those organisations.

 

We may also share information with the following types of organisations:

 

  • third party data processors
    • IT system supplier (West Yorkshire ICB / Leeds City Council)
    • Software suppliers (SystmOne, EMIS)
    • Communication suppliers (telephony services, email, text messages)

 

In some circumstances we are legally obliged to share information. This includes:

 

  • when required by NHS England to develop national IT and data services
  • when registering births and deaths
  • when reporting some infectious diseases
  • when a court orders us to do so
  • where a public inquiry requires the information
  • Medical examiners

 

We will also share information if the public good outweighs your right to confidentiality. This could include:

 

  • to detect, prevent or investigate crime
  • where there are serious risks to the public or staff
  • to protect children or vulnerable adults

 

We may also process your information in order to de-identify it, so that it can be used for purposes beyond your individual care whilst maintaining your confidentiality.  These purposes will include to comply with the law and for public interest reasons.

 

Is information transferred outside the UK?

 

As a GP surgery, we do not routinely send patient data outside of the UK / EU where the laws do not protect your privacy to the same extent as the law in the UK.

 

Our data is hosted in UK and is only available to our staff and technical support staff in the UK. We will never sell any information about you.

 

No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place.

 

What is our lawful basis for using information?

 

Under UK GDPR the Practice are mandated to identify a legal basis to process your

personal information.

 

For personal data

  • 6(1)(a) – Consent: this must be freely given, specific, informed and unambiguous.
  • 6(1)(b) – Contract: between a person and a service, such as a service user and privately funded care home.
  • 6(1)(c) – Legal obligation: the law requires us to do this, for example where NHS England or the courts use their powers to require the data. See this list for the most likely laws that apply when using and sharing information in health and care.
  • 6(1)(d) – Vital interests: Life & Death
  • 6(1)(e) – Public task: a public body, such as an NHS organisation or Care Quality Commission (CQC) registered social care organisation, is required to undertake particular activities by law. See this list for the most likely laws that apply when using and sharing information in health and care.

 

Special Category data (Sensitive Data including Health Records)

  • 9(2)(a) – Explicit consent
  • 9(2)(b) – Employment, social security and social protection (if authorised by law)
  • 9(2)(c) – Vital interests – Life and Death
  • 9(2)(e) – Made public by the data subject
  • 9(2)(f) – Legal claims or judicial acts
  • 9(2)(g) – Reasons of substantial public interest (with a basis in law)
  • 9(2)(h) – Health or social care (with a basis in law)
  • 9(2)(i) – Public health (with a basis in law)

Everyone working for the NHS has a legal and contractual duty to keep information about you confidential.

 

Common law duty of confidentiality

 

In our use of health and care information, we satisfy the common law duty of confidentiality because:

 

  • you have provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses)
  • we have support from the Secretary of State for Health and Care following an application to the Confidentiality Advisory Group (CAG) who are satisfied that it isn’t possible or practical to seek consent
  • we have a legal requirement to collect, share and use the data
  • for specific individual cases, we have assessed that the public interest to share the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime). This will always be considered on a case by case basis, with careful assessment of whether it is appropriate to share the particular information, balanced against the public interest in maintaining a confidential health service

 

How do we protect your personal information?

 

As a Practice, we are committed to protecting your privacy and will only process data in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018, the Common Law Duty of Confidentiality, professional codes of practice, the Human Rights Act 1998 and other appropriate legislation.

 

Everyone working for the Practice has a legal and contractual duty to keep information about you confidential. All our staff receive appropriate and ongoing training to ensure that they are aware of their personal responsibilities and their obligations to uphold confidentiality.

 

Staff are trained to ensure how to recognise and report any incident and the organisation has procedures for investigating, managing and learning lessons from any incidents that occur.

 

All identifiable information that we hold about you in an electronic format will be held securely and confidentially in secure hosted servers that pass stringent security standards.

 

Any companies or organisations we use we may use to process your data are also legally and contractually bound to operate under the same security and confidentiality requirements.

 

All identifiable information we hold about you within paper records is kept securely and confidentially in lockable cabinets with access restricted to appropriately authorised staff.

 

As an organisation we are required to provide annual evidence of our compliance with all applicable laws, regulations and standards through the Data Security and Protection toolkit.

 

Your information is securely stored for the time periods specified in the Records Management Code of Practice.

 

All records are retained and destroyed in accordance with the NHS Records Management Code of Practice.

 

The Practice does not keep patient records for longer than necessary and all records are destroyed confidentially once their retention period has been met, and the Practice has made the decision that the records are no longer required.

 

What are your data protection rights?

 

Under the GDPR all patients have certain rights in relation to the information which the practice holds about them. Not all of these will rights apply equally, as certain rights are not available depending on situation and the lawful basis used for the processing.

 

For reference these rights may not apply are where the lawful basis we use (as shown in the above table in the section on “lawful bases”) is:

 

  • Processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller – in these cases the rights of erasure and portability will not apply.
  • Legal Obligation – in these cases the rights of erasure, portability, objection, automated decision making and profiling will not apply.

 

Right to be informed

You have the right to be informed of how your data is being used. The propose of this document is to advise you of this right and how your data is being used by the practice

The right of access

You have the right of access You have the right to ask us for copies of your personal information, this is often referred to as a ‘Subject Access Request’. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

 

You can make a subject access request by emailing oultonmedical.centre@nhs.net.

The right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

The right to erasure

You have the right to ask us to erase your personal information in certain circumstances- This will not generally apply in the matter of health care data

The right to restrict processing

You have the right to ask us to restrict the processing of your information in certain circumstances– You have to right to limit the way in which your data is processed if you are not happy with the way the data has been managed.

The right to object

You have the right to object to processing if you disagree with the way in which part of your data is processed you can object to this- please bear in mind that this may affect the medical services we are able to offer you

Rights in relation to automated decision making and profiling.

Your rights in relation to automated processing– Sometimes your information may be used to run automated calculations. These can be as simple as calculating your Body Mass Index or ideal weight but they can be more complex and used to calculate your probability of developing certain clinical conditions, and we will discuss these with you if they are a matter of concern.

 

No decisions about individual care are made solely on the outcomes of these tools, they are only used to help us assess your possible future health and care needs with you and we will discuss these with you.

The right to data portability

Your right to data portability you have the right to ask that we transfer the information you gave us from one organisation to another. The right only applies if we are processing information based on your consent or under a contract, and the processing is automated, so will only apply in very limited circumstances

 

National data opt-out

 

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service.  Collecting this information helps to ensure you get the best possible care and treatment.

 

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

 

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

 

This may only take place when there is a clear lawful basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential health and care information is only used like this when allowed by law.

 

Whenever possible data used for research and planning is anonymised, so that you cannot be identified and your confidential information is not accessed.

 

You have a choice about whether you want your confidential information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential information will still be used to support your individual care.

 

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone

See the situations where the opt-out will not apply

 

You can change your mind about your choice at any time.

 

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

 

Our organisation has reviewed the disclosures we make and is compliant with the national data opt-out policy.

 

What should I do if my personal information changes?

You should tell us so that we can update our records please contact the Practice Manager as soon as any of your details change, this is especially important for changes of address or contact details (such as your mobile phone number), the Practice will from time to time ask you to confirm that the information we currently hold is accurate and up-to-date.

 

How do I complain?

 

If you have any concerns about our use of your personal information, you can make a complaint to us at–  oultonmedical.centre@nhs.net.

 

Following this, if you are still unhappy with how we have used your data, you can then complain to the ICO.

 

The ICO’s address is:

 

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

 

Helpline number: 0303 123 1113

 

ICO website: https://www.ico.org.uk

 

Date of last review

 

This privacy notice was reviewed and updated in January 2025.

 

Other ways we use your information –

 

Call recording

All Telephone calls are routinely recorded for the following purposes:

  • To ensure quality control.
  • Training, monitoring and service improvement
  • To prevent crime, misuse and to protect staff and patients

 

Telephone recordings are kept in a password protected file and only Management and GP partners will have access to listen to recordings and they are listened to in a secure environment. All recordings are automatically erased from the file after 3 months.

 

SMS Text messaging

We may contact you using SMS texting to your mobile phone in the event that we need to notify you about appointments and other services that we provide to you involving your direct care, therefore you must ensure that we have your up to date details. This is to ensure we can be confident that we are actually contacting you and not another person.

 

As this is operated on an ‘opt out’ basis we will assume that you give us permission to contact you via SMS if you have provided us with your mobile telephone number. Please let us know if you wish to opt out of this SMS service. We may also contact you using the email address you have provided to us. Please ensure that we have your up to date details.

 

CCTV

CCTV is installed on our practice premises covering both the external area of the building and the internal area excluding consulting rooms in order to:

  • protect staff, patients, visitors and Practice property
  • apprehend and prosecute offenders, and provide evidence to take criminal or civil court action
  • provide a deterrent effect and reduce unlawful activity
  • help provide a safer environment for our staff
  • monitor operational and safety related incidents
  • help to provide improved services, for example by enabling staff to see patients and visitors requiring assistance

We will only retain surveillance data for 30 days at which point they are automatically deleted.

 

Medical Examiners

Following the death of any patients of Oulton Medical Centre we are now obliged to inform Leeds NHS Trust, Medical Examiner Service.

 

Medical examiner offices at acute trusts now provide independent scrutiny of non-coronial deaths occurring in acute hospitals. The role of these offices is now being extended to also cover deaths occurring in the community.

 

Medical examiner offices are led by medical examiners, senior doctors from a range of specialties including general practice, who provide independent scrutiny of deaths not taken at the outset for coroner investigation. They put the bereaved at the centre of processes after the death of a patient by giving families and next of kin an opportunity to ask questions and raise concerns. Medical examiners carry out a proportionate review of medical records and liaise with doctors completing the Medical Certificate of Cause of Death (MCCD).

 

The Practice will share any patient information with the service upon request.

 

Medicines Management

The Practice may conduct Medicines Management reviews of medications prescribed to its patients under a processing arrangement with the Medicines Management Team at West Yorkshire ICB. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments. Sometimes a third-party data processor is used to carry out these reviews on behalf of the practice. The third-party will need to sign up to very robust data processing agreements and other clear arrangements in place to ensure your data is always protected and used for those purposes only.

 

Extended Access

We provide extended access services to our patients which means you can access medical services outside of our normal working hours. In order to provide you with this service, we have formal arrangements in place with the ICBs and with other practices whereby certain key “hub” practices offer this service on our behalf for you as a patient to access outside of our opening hours. This means, those key “hub” practices will have to have access to your medical record to be able to offer you the service. Please note to ensure that those practices comply with the law and to protect the use of your information, we have very robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those purposes only.

 

GP Connect Service

The GP Connect service allows authorised clinical staff at NHS 111 to seamlessly access our practice’s clinical system and book directly on behalf of a patient. This means that should you call NHS 111 and the clinician believes you need an appointment with your GP Practice, the clinician will access available appointment slots only (through GP Connect) and book you in. This will save you time as you will not need to contact the Practice direct for an appointment.

 

The Practice will not be sharing any of your data and the Practice will only allow NHS 111 to see available appointment slots. They will not even have access to your record. However, NHS 111 will share any relevant data with us, but you will be made aware of this. This will help your GP in knowing what treatment / service / help you may require.

 

Please note if you no longer require the appointment or need to change the date and time for any reason you will need to speak to one of our reception staff and not NHS 111.

 

IGPR

We use a data processor, iGPR Technologies Limited (“iGPR”), to assist us with responding to report requests relating to your patient data, such as subject access requests that you submit to us (or that someone acting on your behalf submits to us) and report requests that insurers submit to us under the Access to Medical Records Act 1988 in relation to a life insurance policy that you hold or that you are applying for.

 

iGPR manages the reporting process for us by reviewing and responding to requests in accordance with our instructions and all applicable laws, including UK data protection laws.

 

The instructions we issue to iGPR include general instructions on responding to requests and specific instructions on issues that will require further consultation with the GP responsible for your care.

 

Heidi Health

We use a data processor Heidi Health, an AI-powered medical scribe, to enhance the quality and efficiency of consultations. Heidi Health transcribes patient interactions in real-time and uses this to generate clinical notes, fill out documents, dictate letters for GPs to review, and other administrative tasks, ensuring accuracy and up-to-date information. You will be asked for consent before using Heidi AI in a consultation, and you can withdraw consent at any time. Heidi Health will help us improve accuracy in medical records, increase efficiency by automating the transcription process, and enhance patient care by allowing GPs to focus more on interactions rather than note-taking.

 

Heidi Health adheres to stringent NHS standards, including the DSPT and DTAC, ensuring that personal information is handled securely and confidentially. Transcriptions and summaries are deleted once saved to patient records and are kept for no longer than one day. For more information, please see the Heidi Health website.

IT Policy

This practice is committed to preserving, as far as is practical, the security of data used by our information systems. This means that we will take all reasonable actions to;

Maintain the Confidentiality of all data within the practice by:

  • Ensuring that only authorised persons can gain access to our systems
  • Not disclosing information to anyone who has no right to see it

Maintain the integrity of all data within the practice by:

  • Taking care over input
  • Ensuring that all changes are reported and monitored
  • Checking that the correct record is on the screen before updating
  • Reporting all apparent errors and ensuring that they are resolved

Maintain the availability of all data by:

  • Ensuring that all equipment is protected from intruders
  • Ensuring that backups are taken at regular, predetermined intervals
  • Ensuring that contingency is provided for possible failure or equipment theft and that any such contingency plans are tested and kept up to date

Additionally we will take all reasonable measures to comply with our legal responsibilities under:

 

Personal Data

The following IT systems are in use at the practice:

  • Referral Management (using NHS numbers in referrals)
  • Electronic Appointment Booking (the facility to book routine appointments online and, similarly, to cancel appointments
  • Online booking of repeat prescriptions
  • Summary Care Record (uploading details of your current medication and allergies to the national “spine” so that these are available for doctors involved in your care elsewhere)
  • GP to GP transfers (the electronic transfer of records from practice to practice when you re-register
  • Patient Access to records (the facility to view your medical records online).

If you are not already registered for online access and would like to be please complete our online form.

If you would like access to your medical records enabled or would like to opt out of the local or national summary care record, please contact reception.

 

Chaperone Policy

 

We will always respect your privacy, dignity and your religious and cultural beliefs particularly when intimate examinations are advisable – these will only be carried out with your express agreement and you will be offered a chaperone to attend the examination if you so wish.

You may also request a chaperone when making the appointment or on arrival at the surgery (please let the receptionist know) or at any time during the consultation.

Disabled Access

 

We make every effort to make the surgery accessible for disabled patients. There is access through the main door and we have a wheelchair available for use in surgery.

Hearing Difficulties

If you are experiencing hearing difficulties when being called in to see the doctor or nurse, please do let us know in order for us to set up an alert on your medical records and personally collect you from the waiting room. Alternatively, we do have the facility of a portable induction loop. If you would like to use this, please ask at reception for assistance.

Data Protection

 

In order to provide the right level of care, we are required to hold personal information about you on our computer systems and in paper records to help us to look after your health needs, and your doctor is responsible for their accuracy and safe-keeping. Please help to keep your record up to date by informing us of any changes to your circumstances.

Confidentiality and Personal Information

Doctors and staff in the practice have access to your medical records to enable them to do their jobs. From time to time information may be shared with others involved in your care if it is necessary. Anyone with access to your record is properly trained in confidentiality issues and is governed by both legal and contractual duty to keep your details private.

All information about you is held securely and appropriate safeguards are in place to prevent accidental loss.

In some circumstances we may be required by law to release your details to statutory or other official bodies, for example if a court order is presented, or in the case of public health issues. In other circumstance you may be required to give written consent before information is released – such as for medical reports for insurance, solicitors etc.

To ensure your privacy, we will not disclose information over the telephone or fax unless we are sure that we are talking to you. Information will not be disclosed to family, friends or spouses unless we have prior written consent, and we do not, leave messages with others.

You have a right to see your records if you wish. Please ask at reception if you would like further details about our patient information leaflet. An appointment may be required. In some circumstances a fee may be payable.

Confidentiality

You can be assured that anything you discuss with any member of the surgery staff, whether doctor, nurse or receptionist, will remain confidential. Even if you are under 16, nothing will be said to anyone, including parents, other family members, care workers or teachers, without your permission. The only reason why we might want to consider passing on confidential information without your permission would be to protect either you or someone else from serious harm. In this situation, we would always try to discuss this with you first.

If you have any worries or queries about confidentiality, please ask a member of staff.

If you would like to discuss matters of a confidential nature, either with our receptionists or a member of the dispensary team, we have a side room available in reception for this purpose.

Missed Appointments Policy

A large number of appointments each month are wasted through patients failing to attend without informing the surgery in advance. It has therefore become necessary to implement the following policy:

If patients repeatedly fail to attend appointments you may be removed from our practice list and required to find an alternative GP surgery.

If you cannot attend your appointment for any reason please let us know as soon as possible, giving at least 24 hours notice. We recognise that this isn’t always possible and something may happen at the last minute, however, we ask that patients do their best to inform us where possible. This means we can then offer the appointment to someone else who may be in great need of it.

Equally, if you find that you regularly struggle to attend your appointments for whatever reason, please let us know so we can discuss a possible solution. If patients repeatedly fail to attend appointments without informing us, we will write to you and if we do not see any improvement with future booked appointments, regrettably, you may be asked to find an alternative GP practice.

Coronavirus (COVID-19) Response Transparency Notice

28th Sep 2020

Transparency Notice

Purposes for which we may process your data

The health and social care system is taking action to manage and mitigate the spread and impact of the current outbreak of coronavirus (COVID-19).

Action to be taken requires the collection, analysis and sharing of information, including confidential patient information where necessary and lawful, amongst health organisations and other appropriate bodies. This is due to the urgent need to protect public health and respond to the COVID-19 outbreak. This notice describes how we may use your information to protect you and others during the COVID-19 outbreak.

To support the healthcare response to COVID-19, NHS Digital has been directed by the Secretary of State for Health and Social Care (the Secretary of State) and NHS England under the COVID-19 Directions to:

  • establish information systems to collect and analyse data in connection with COVID-19; and
  • develop and operate IT systems to deliver services in connection with COVID-19

COVID-19 Public Health Directions 2020

 

COVID-19 Public Health Directions 2020

A Direction given by the Secretary of State for Health and Social Care requiring NHS Digital to establish and operate information systems to collect and analyse data in connection with COVID-19, and develop and operate information and communication systems to deliver services in connection with COVID-19.

COVID-19 Public Health NHS England Directions 2020

Directions given by NHS England requiring NHS Digital to establish and operate information systems to collect analysis data in connection with COVID-19 and develop and operate information and communication systems to deliver services in connection with COVID-19.

We may also be requested by the NHS in Scotland, Wales and Northern Ireland to collect, analyse and disseminate data for them, including information about residents of these countries.

Examples of some of the purposes for which NHS Digital may process personal data under the COVID-19 Directions and in response to these requests may include processing personal data for the purposes of:

  • understanding COVID-19 and risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks
  • identifying and understanding information about patients or potential patients with, or at risk of COVID-19, information about incidents of patient exposure to COVID-19 and the management of patients with or at risk of COVID-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from COVID-19
  • understanding information about patient access to health services and adult social care services as a direct or indirect result of COVID-19, and the availability and capacity of those services
  • monitoring and managing the response to COVID-19 by health and social care bodies and the Government including providing information to the public about COVID-19 and its effectiveness and information about capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services
  • delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with COVID-19, including the provision of information, fit notes and the provision of health care and adult social care services
  • research and planning in relation to COVID-19

Examples of some of the specific work we have done and how we have used data for COVID-19 purposes:

Coronavirus (COVID-19) response information governance hub

Find out how NHS Digital is using your data in its work to support the government response to coronavirus (COVID-19).

The controller of your personal data

Under the General Data Protection Regulation 2016 (GDPR), NHS Digital is the controller of your personal data where we are directed or requested to process personal data for COVID-19 purposes. We are also a joint controller with the person who has directed or requested us to do this work. This may be the Secretary of State for Health and Social Care, NHS England or an NHS body in Scotland, Northern Ireland or Wales.

Where we share data, NHS Digital is usually the sole controller, unless we have been directed to share the data by the Secretary of State or NHS England, in which case we will be joint controllers.

Our legal basis under GDPR

Where we are directed to process personal data for COVID-19 purposes, this is a legal obligation and we are allowed to do this under Article 6 (1)(c) of GPDR.

Where we process personal data as part of our statutory functions, including where requested by other bodies, for example. by the NHS in Scotland, Wales or Northern Ireland, this is part of our public task. We are allowed to do this under Article 6(1)(e) of GDPR.

Where we need to process health data and other special categories of personal data, we will only do this where it is necessary as part of our statutory functions. Under GPDR we are allowed to do this where it is necessary for substantial public interest reasons (Article 9(2)(g)), where it is necessary for healthcare purposes (Article 9(2)(h)), where it is necessary for public health purposes (Article 9(2)(i)) or where it is necessary for scientific research or statistical purposes (Article 9(2)(j)).

We are also allowed to share your personal data under GDPR where it is necessary for us to do so for one of the purposes explained above.

More information can be found in the Who we share your data with section.

Types of personal data we process

The types of personal data we may process in response to COVID-19 include:

  • demographic data – your name, date of birth, sex, NHS number and your contact details such as your address, telephone numbers and email address
  • health information – information relating to your health and the care you have been provided – this may include information about medical conditions, treatments, prescription information, care episodes, hospital admission and discharge information, test results, including tests relating to COVID-19, information on whether you are self-isolating
  • information collected as part of our online services which we need to help maintain the security and performance of our website and also to help us understand how our services are used so that we can make improvements. This may include information such as your IP address, technical log events, the type of browser you’re using and the actions you took when using these services

We will only process the minimum data necessary to achieve our purposes.

How we obtain your personal data

Collecting personal data from you directly

We may collect personal data from you directly, in which case we will tell you at the time the purposes for which we will use your data in a privacy or transparency notice.

Examples of where we have done this for COVID-19 purposes are the Isolation Note Service and the service to Get text messages from the NHS about coronavirus. We will not collect more information than we require, and we will ensure that any personal data collected is treated with the appropriate safeguards.

Collecting personal data from other organisations

We may also collect personal data from other organisations, including health and social care organisations, for example from Public Health England, NHS Trusts, GP Practices, Local Authorities, NHS England, the Department of Health and Social Care and other government departments.

Usually we do this by issuing the organisation with a Data Provision Notice. This requires or requests those organisations to provide us with data where this is necessary for us to perform our functions under the Health and Social Care Act 2012.

Examples of our Data Provision Notices:

Data Provision Notices (DPNs)

When we receive a Direction or Request to collect data, we issue a Data Provision Notice (DPN). It provides details about the data collection, including: purpose, benefits, frequency and method of collection.

Who we share your data with

The health and social care system is facing significant pressures due to the COVID-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

The Health Service (Control of Patient Information) Regulations 2002 allow confidential patient information to be used and shared appropriately and lawfully in a public health emergency and are being used during this outbreak.

Using these regulations, the Secretary of State has issued legal notices requiring NHS Digital, NHS England and Improvement, Arms-Length Bodies (such as Public Health England), local authorities, health organisations and GPs to share confidential patient information to respond to the COVID-19 outbreak. Any information used or shared during the COVID-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use patient information.

Details of legal notices requiring organisations to share information

Coronavirus (COVID-19): notification to organisations to share information

Notification to healthcare organisations, GPs, local authorities and arm’s length bodies that they should share information to support efforts against coronavirus (COVID-19).

NHS Digital also has a number of legal powers under the Health and Social Care Act 2012 to share data with organisations where it is necessary for particular purposes.

We may, therefore, share your personal data using these powers, or under the legal notice mentioned above, with other health and care organisations for the purposes of your individual care and treatment or for planning, commissioning and research purposes.

We may also share your personal data with approved researchers, including for the purposes of carrying out clinical trials. We will only share your data with other organisations where this is lawful and and in line with data protection law.

Types of organisations we may share your data with

The types of organisations we may share your data with include:

  • the Department of Health and Social Care and other government departments, as part of the government response to coronavirus
  • NHS England
  • Public Health England
  • GPs
  • Clinical Commissioning Groups
  • Local Authorities
  • other NHS, health, or social care organisations
  • NHS bodies in Scotland, Wales and Northern Ireland
  • research bodies, such as universities and hospitals

We may also share your information with organisations who process personal data for us on our behalf. They are called Processors. Where we use Processors we have contracts in place with them which means that they can only process your personal data on our instructions. Our Processors are also required to comply with stringent security requirements when processing your personal data on our behalf.

We will also publish data we have obtained for COVID-19 purposes which is anonymous, so that no individuals can be identified from that data. This will enable NHS and other organisations to use this anonymous data for statistical analysis and for planning, commissioning and research purposes as part of the response to coronavirus.

Examples of data we have published as part of our response to COVID-19

NHS Digital response to coronavirus (COVID-19)

How we are supporting health and care as part of the government response to coronavirus (COVID-19).

How long we keep your personal data for

We will only retain your personal data for as long as is necessary for the purposes for which we obtained it and in accordance with the following:

Records Management Code of Practice for Health and Social Care 2016

Records Management Code of Practice for Health and Social Care 2016

What health and care organisations and their staff have to do to manage records correctly.

NHS Digital’s Records Management Policy

NHS Digital Records and Document Management Policy

Other organisations with whom we share your personal data have obligations to keep it for no longer than is necessary for the purposes for which we have shared your personal data. Information about this will be provided in their transparency or privacy notices which are published on their websites.

Where we store the data

NHS Digital only stores and processes your personal data within the United Kingdom.

Fully anonymous data, for example, statistical data, which does not allow you to be identified, may be stored and processed outside of the UK. Some of our Processors may process your personal data outside of the UK. If they do we will always ensure that the transfer outside of the UK complies with data protection laws.

Your rights over your personal data and further information

To read more about the health and care information NHS Digital collects, our legal basis for collecting this information, and what choices and rights you have, see How we look after your health and care information and our General transparency notice.

We may make changes to this transparency notice. If we do, the date at the top of the notice will also change. Any changes to this notice will apply immediately from the date of any change.