View our ADHD policy here.

You can be assured that anything you discuss with any member of the surgery staff, whether doctor, nurse or receptionist, will remain confidential. Even if you are under 16, nothing will be said to anyone, including parents, other family members, care workers or teachers, without your permission. The only reason why we might want to consider passing on confidential information without your permission would be to protect either you or someone else from serious harm. In this situation, we would always try to discuss this with you first.

We make every effort to make the surgery accessible for disabled patients. There is access through the main door and we have a wheelchair available for use in surgery.

Hearing Difficulties

If you are experiencing hearing difficulties when being called in to see the doctor or nurse, please do let us know in order for us to set up an alert on your medical records and personally collect you from the waiting room. Alternatively, we do have the facility of a portable induction loop. If you would like to use this, please ask at reception for assistance.

View / Download our Easy Read Privacy Notice.

Privacy Notice

Easy Read Privacy Notice

How we use your information to provide you with healthcare

FAQs GDPR and My GP Patient Record

INFECTION CONTROL STATEMENT

It is vital to Dr Freeman and Partners to ensure that our patients receive excellent care in a place safe from the risk of infection. It is of the upmost importance to us to keep our patients safe and regular reviews of our infection control practices help us to maintain our high standards of care

The statement summarises:-

• Any infection transmission incidents and any action taken (these will have been reported in accordance with our Significant Event Procedure).
• Details of any infection control audits undertaken and actions undertaken.
• Details of any risk assessments undertaken for prevention and control of infection.
• Details of any staff training.
• Any review and update of policies, procedures and guidelines.

Infection Transmission Incidents (Significant Events)

Significant events (which may involve examples of good practice as well as challenging events) are investigated in detail to see what can be learnt and to indicate changes that might lead to future improvements.  All significant events are reviewed and discussed in the time in session and cascaded to all relevant staff.

COVID-19 being a significant event in 2020/21, which is ongoing. Dr Freeman and Partners are following all NHS England Guidance and Standard Operating Procedures for General Practice

As a result of any events, Dr Freeman and Partners:

• Continue with annual infection control updates for both clinical and non-clinical staff.
• Ensure infection control guidance remains accessible to all staff
• Training is recorded and monitored

Infection Prevention Audits and Actions

The Annual Infection Prevention and Control audit was completed Vicky Hindle Infection Control Leads in August 2022.

All staff had handwashing assessments for all staff, clinical and nonclinical and will be completed by August 31st 2022.

Cleaning Specifications

Dr Freeman and Partners have contracted cleaners which we closely monitor. Rooms are cleaned according to their usage/purpose and cleaned appropriately.

All equipment used by clinical staff is either single use or cleaned after patient usage. Cleaning logs are maintained

Risk Assessments

Risk assessments are carried out so that best practice can be established and then followed.

• Legionella (Water) Risk Assessments: The practice reviews its water safety risk assessment to ensure that the water supply does not pose a risk to patients, visitors or staff.
• Coli incidences
• Immunisation: As a practice we ensure that all our staff are up to date with their Hepatitis B immunisations and any occupational health vaccinations applicable to their role (i.e., MMR, Seasonal Flu, COVID-19). We take part in the National Immunisation campaigns for patients and offer vaccinations in surgery at PCN sites (COVID-19 Vaccinations only) and via home visits to our patient population.
• Curtains: Disposable curtains are used in clinical rooms and are changed every 12 months according to manufacturer instruction.

Training

All our staff complete an annual e-learning infection control update. The practice Infection Control lead and Practice Manger attends an annual Infection Control Update. Updates for 20/21 have been remote due to COVID-19 restrictions. Dates for 21/22 are been looked at to be able to attend.

Policies

All Infection Prevention Control related policies are in date. Policies relating to Infection Control are available to all staff and are reviewed and updated annually, and all are amended on an on-going basis as current advice, guidance and legislation changes.

Responsibility

It is the responsibility of each individual to be familiar with this Statement and their roles and responsibilities under this.

Responsibility for Review

The Infection Prevention and Control Lead and the Practice Manager are responsible for reviewing and producing the Annual Statement.

Hilary Farrar (Practice Manager)

Vicky Hindle (Lead Nurse)

V.Hindle 18/8/22

This practice is committed to preserving, as far as is practical, the security of data used by our information systems. This means that we will take all reasonable actions to;

Private Work Fees

Private Fees and Charges

DWP Support Letters

All members of the surgery primary care team are dedicated to a quality policy to achieve health services which meet the patient’s requirements.

Practice Leaflet

All new patients will be offered a copy of our practice leaflet and copies will be available at the reception desk.

Surgery Premises

Our surgery building will be welcoming, easy for patients to find their way around and appropriate to the needs of users, including the disabled.

Patients’ rights to General Medical Services

Patients have the rights to:

• Be registered with a named General Practitioner
• Change doctor if desired
• Be offered a health check on joining the practice
• Receive emergency care at any time from the practice
• Receive appropriate drugs and medicines
• Be referred for specialist or second opinion if they and the GP agrees
• Have the right to view their medical records, subject to the Acts and to know that those working for the NHS are under legal obligation to keep the contents confidential.

Changes to Procedures

When changes are introduced to practice procedures that affect patients, we will ensure that these are clearly explained, by means of the practice leaflet, website, waiting room notice board or individual leaflets, giving as much notice as practicable.

Repeat Prescriptions

To ensure the best possible knowledge of your personal health, these will be signed by one of your usual GP’s wherever possible. Repeat prescriptions can be ordered via the NHS APP, SystmOne on-line,  in person, or via the practice website (Please allow 3 working days notice)

Referrals

• Urgent referrals to other health and social care agencies will be made within one working day of the patient consultation. Where requested, our GPs will refer you to a private health provider.
• We will normally process non-urgent referrals within five working days of the patient consultation or the doctor’s decision to refer.

 Test Results

When a doctor or nurse arranges for a test to be taken the patient will be informed how to obtain the result.  Staff will advise you how long the results will take to be reported.  Please note we do not routinely inform patients if results are normal, however results can be reviewed on the NHS App.

Transfer of Medical Records

The Practice will endeavour to dispatch any medical record required by the Health Authority within seven working days and same day if the request is urgent.

Privacy and Confidentiality

We will respect our patients’ privacy, dignity and confidentiality at all times.

Appointments with a Clinician 

We operate on total triage.  This means all requests to the surgery will be reviewed by the triaging doctor.  The Doctor will triage the request and offer an appropriate appointment / signpost to a different service or request further information.  Clinically urgent requests will be offered an appointment on the same day.

We are happy to update you on any delay situation if you feel that you have been waiting too long.

Home Visits

Please see our Home Visits policy.  Please note due to demand on services we can only visit strictly housebound patients.

Practice Newsletter

We will publish an informative newsletter every season.

Out of Hours Emergencies

We will do everything possible to ensure that our system for contacting the duty doctor is easy to follow, reliable and effective.

Waiting Times

• Surgeries will normally start on time.
• Our aim is that patients will be seen within twenty minutes of their appointment time, and in the event of a delay we will offer an explanation.
• When a doctor is called away on an emergency we will inform the patients and give them an opportunity to book an alternative appointment, or if preferred, to be seen by another doctor.

With these rights come responsibilities and for the patients this means:

• Courtesy to the staff at all times – remember they are working under doctors’ orders.
• Responding in a positive way to questions asked by the reception staff.
• To attend appointments on time or give the practice adequate notice that they wish to cancel.   Someone else could use your appointment!
• An appointment is for one person only – where another member of the family needs to be seen or discussed, another appointment should be made and the Medical Record be made available.
• Patients should make every effort when consulting the surgery to make best use of nursing and medical time – home visits should be medically justifiable and not requested for social convenience.
• Patients are asked to give 72 hours notice for repeat prescriptions, this time is required to allow for accurate prescribing.
• Out-of-hours calls (e.g. evenings; nights & weekends) should only be requested if they are felt to be truly necessary.

Privacy Notice – Candidates Applying for Work

Table of contents

1     Introduction   2

1.1       Principles  2

1.2       Status  2

1.3       Training and support 2

2     Scope  2

2.1       Who it applies to  2

2.2       Why and how it applies to them   2

3     Definition of terms  3

3.1       Privacy notice  3

3.2       Data Protection Act 2018 (DPA18) 3

3.3       Information Commissioner’s Office (ICO) 3

3.4       UK General Data Protection Regulation (UK GDPR) 3

3.5       Data controller 3

3.6       Data subject 3

4     Compliance with regulations  3

4.1       UK GDPR  3

4.2       Article 5 compliance  4

4.3       Communicating privacy information  4

5     Further information   4

5.1       Privacy notice checklists  4

5.2       Privacy notice template  5

5.3       e-Learning  5

6     Summary  5

Annex A – Candidates applying for work privacy notice  6

1       Introduction

1.1      Principles

NHS Digital is a data controller and has a legal duty, in line with the UK General Data Protection Regulation (UK GDPR), to explain why it is using data and what data is being used. Similarly, Oulton Medical Centre has a duty to advise candidates applying for work of the purpose of personal data and the methods by which their personal data will be processed.

1.2      Status

The organisation aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have with regard to the individual protected characteristics of those to whom it applies.

This document and any procedures contained within it are non-contractual and may be modified or withdrawn at any time. For the avoidance of doubt, it does not form part of your contract of employment.

1.3      Training and support

The organisation will provide guidance and support to help those to whom it applies to understand their rights and responsibilities under this policy. Additional support will be provided to managers and supervisors to enable them to deal more effectively with matters arising from this policy.

2       Scope

2.1      Who it applies to

This document applies to all candidates applying for work within Oulton Medical Centre

Furthermore, it applies to clinicians who may or may not be applying to be employed by the organisation but who will be working under the Additional Roles Reimbursement Scheme (ARRS).[1]

2.2      Why and how it applies to them

Every candidate should be aware of the candidate privacy notice and understand how information may be used and with whom the organisation will share that information.

The first principle of data protection is that personal data must be processed fairly and lawfully. Being transparent and providing accessible information to persons about how their personal data is used is a key element of the UK General Data Protection Regulation.

3       Definition of terms

3.1      Privacy notice

A statement that discloses some or all of the ways in which the organisation gathers, uses, discloses and manages a person’s data. It fulfils a legal requirement to protect a person’s privacy.

3.2      Data Protection Act 2018 (DPA18)[2]

The Data Protection Act (DPA18) will ensure continuity by putting in place the same data protection regime in UK law pre- and post-Brexit.

3.3      Information Commissioner’s Office (ICO)[3]

The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals

3.4      UK General Data Protection Regulation (UK GDPR)[4]

The UK GDPR replaced the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe to protect and empower all EU citizens’ data privacy and to reshape the way in which organisations across the region approach data privacy. The UK GPDR came into effect in May 2018.

3.5      Data controller

The entity that determines the purposes, conditions and means of the processing of personal data

3.6      Data subject

A natural person whose personal data is processed by a controller or processor

4       Compliance with regulations

4.1      UK GDPR

In accordance with the UK GDPR, this organisation will ensure that information provided to subjects about how their data is processed will be:

• Concise, transparent, intelligible and easily accessible

• Written in clear and plain language, particularly if addressed to a child

• Free of charge

4.2      Article 5 compliance

In accordance with Article 5 of the UK GDPR, this organisation will ensure that any personal data is:

• Processed lawfully, fairly and in a transparent manner in relation to the data subject

• Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

• Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed

• Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate having regard to the purposes for which it is processed, is erased or rectified without delay

• Kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed

• Processed in a manner that ensures the appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures

Article 5 also stipulates that the controller shall be responsible for, and be able to demonstrate compliance with, the above.

4.3      Communicating privacy information

At Oulton Medical Centre, the organisation’s candidates applying for work privacy notice is displayed on our website and in writing if requested.

We will:

• Inform candidates how their data will be used and for what purpose
• Allow candidates to opt out of sharing their data, should they so wish

5       Further information

5.1      Privacy notice checklists

The ICO has provided a privacy notice checklist that can be used to support the writing of the organisation’s privacy notice. The checklist can be found by following this link.

5.2      Privacy notice template

A privacy notice template can be found at Annex A.

It is recognised that the type and style of privacy notices may vary. However, this privacy notice template has been reviewed as appropriate by a current DATA PROTECTION OFFICER. It is acknowledged to be extensive and covers all eventualities that may occur around information governance.

5.3      e-Learning

Both General Data Protection Regulation (GDPR) and GDPR – The Perfect Practice e-Learning courses are available on the HUB

6       Summary

It is the responsibility of all candidates applying for work at Oulton Medical Centre to ensure that they understand what information is held about them and how this information may be used.

Furthermore, the organisation must adhere to the DPA18 and the UK GDPR to ensure compliance with extant legal rules and legislative acts.

Annex A – Candidates applying for work privacy notice

Introduction

At Oulton Medical Centre we have a legal duty to explain how we use any personal information we collect about you at the organisation. We collect records during the recruitment stage and then data is continued to be collected for any successful candidate. This is in both electronic and paper format.

This privacy notice applies to personal information processed by or on behalf of Oulton Medical Centre.  We are required to provide you with this privacy notice by law. It provides information on how we use the personal and healthcare information we collect, store and hold about you. If you have any questions about this privacy notice or are unclear about how we process or use your personal information or have any other issue regarding your personal and healthcare information, then please contact our data protection officer Louise  Whitworth.  Contact details:  wyicb-leeds.dpo@nhs.net

This notice explains:

• Who we are, how we use your information and our Data Protection Officer (DPO)
• What kind of personal information about you we process
• What the legal grounds are for our processing of your personal information (including when we share it with others)
• What you should do if your personal information changes
• How long your personal information is retained by us
• What your rights are under data protection laws

The UK General Data Protection Regulation (UK GDPR) became law on 24th May 2016. This is a single EU-wide regulation on the protection of confidential and sensitive information. It entered into force in the UK on the 25th May 2018, repealing the Data Protection Act (1998).

For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), and the Data Protection Act 2018 (DPA2018) the organisation responsible for your personal data is [insert organisation name].

This notice describes how we collect, use and process your personal data and how, in doing so, we comply with our legal obligations to you. Your privacy is important to us and we are committed to protecting and safeguarding your data privacy rights. This privacy policy applies to the personal data collected from candidates applying for roles within the organisation.

How we use your information and the law

Oulton Medical Cenre will be what is known as the ‘controller’ of the personal data you provide to us. Upon applying for work with the organisation you will be asked to supply the following personal information:

• Name

• Address

• Telephone numbers

• Email address

• Date of birth

• Previous employment data

• Recruitment information such as your application form and CV, references, qualifications and membership of any professional bodies and details of your employment history, skills and experience

• Information about your current level of remuneration, including benefit entitlements

• Whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process

• Information in relation to your right to work in the UK [as per the Rights to Work in the UK – guide to checking]

• Information from the Disclosure and Barring Service (DBS) in order to administer relevant checks and procedures

• Vaccination and immunisation status/information

The information that we ask you to provide to the organisation is required for the following reasons:

• In order for us to review your application

• In order for us to contact you with interview details

• To comply with appropriate employment law

• To ensure that we can provide any reasonable adjustments as necessary

The organisation may collect this information in a variety of ways, for example from application forms, CVs or resumes, obtained from your passport or other identity documents such as your driving licence and from forms completed by you or through interviews, meetings or other assessments including on-line tests.

This personal data might be provided to us by you, or someone else (such as a former employer’s reference, information from background check providers including criminal records checks permitted by law) or it could be created by us.

The organisation will seek information from third parties only once a job offer has been made to you and we will inform you that we are doing so.

Your personal data will be stored in a range of different places including in your application record, in the organisation’s HR management systems and in other IT systems (including the organisation’s email system).

Throughout the application process we will collect data and add this to your personnel file i.e., interview question answers, interview scores etc.

Special categories of personal data

Some special categories of personal data, such as information about health or medical conditions, is processed to carry out employment law obligations (such as those in relation to job applicants with disabilities).

For some roles, the organisation is obliged to seek information about criminal convictions and offences. Where we seek this information, we do so because it is necessary for us to carry out our obligations and exercise specific rights in relation to employment.

If your application is unsuccessful, the organisation may keep your personal data on file in case there are future job opportunities for which you may be considered. We will seek your consent to do this and you are free to withdraw your consent at any time.

How do we lawfully use your data?

We need to know your personal, sensitive and confidential data in order to employ you. Under the General Data Protection Regulation we will be lawfully using your information in accordance with:

• Article 6, (b) Necessary for performance of/entering into contract with you

• Article 9(2) (b) Necessary for controller to fulfil employment rights or obligations in employment

This notice applies to the personal data of our candidates applying for work at Oulton Medical Centre

How do we maintain the confidentiality of your record?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

• Data Protection Act 2018
• The UK General Data Protection Regulations
• Human Rights Act 1998
• Common Law Duty of Confidentiality
• NHS Codes of Confidentiality, Information Security and Records Management

We will only ever use or pass on information about you to others who have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e., life or death situations) or where the law requires information to be passed on.

Our policy is to respect the privacy of our candidates and to maintain compliance with the UK General Data Protection Regulation (UK GDPR) and all UK specific Data Protection Requirements. Our policy is to ensure all personal data will be protected.

All employees and sub-contractors engaged by Oulton Medical Centre are asked to sign a confidentiality agreement. The organisation will, if required, sign a separate confidentiality agreement if the client deems it necessary. If a sub-contractor acts as a data processor for Oulton Medical Centre, an appropriate contract (art 24-28) will be established for the processing of your information.

Where do we store your information electronically?

All the personal data we process is processed by our organisation in the UK. However, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place.  We have a data protection regime in place to oversee the effective and secure processing of your personal and or special category (sensitive, confidential) data.

Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:

• Primary Care Networks
• Integrated Care Systems
• NHS Commissioning Support Units
• Clinical Commissioning Groups
• NHS England (NHSE) and NHS Digital (NHSD)
• Local authorities
• CQC
• Private sector providers providing employment services
• Other ‘data processors’ which you will be informed of

Sharing your personal data

Your information may be shared internally for the purpose of the recruitment exercise including with [members of the HR and recruitment team, interviewers in the recruitment process, managers in the business area with the vacancy and IT staff if access to the data is necessary for performance of their roles

The organisation will not share your personal data with third parties except those engaged for the purposes of the recruitment process or unless your application for employment is successful and we make you an offer of employment.  We will then share your data with former employers to obtain references for you, employment background check providers to obtain necessary background checks and the Disclosure and Barring Service to obtain necessary criminal record checks.

The organisation will not transfer your data to countries outside the European Economic Area.

You will be informed who your data will be shared with and in some cases asked for consent for this to happen when this is required.

We may also use external companies to process personal information such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.  All employees and sub-contractors engaged by Oulton Medical Centre are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor for the organisation, an appropriate contract (art 24-28) will be established for the processing of your information.

Who is the data controller?

Oulton Medical is registered as a data controller under the Data Protection Act 2018. Our registration number is Z598614X and our registration can be viewed online in the public register at http://www.ico.gov.uk. This means we are responsible for handling your personal and healthcare information and collecting and storing it appropriately.

We may also process your information for a particular purpose and therefore we may also be data processors. The purposes for which we use your information are set out in this privacy notice.

How long do we keep your personal information?

We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records Management Code of Practice for health and social care and national archives requirements.

If your application is unsuccessful, the organisation will hold your personal data for a period of six months following the recruitment process. If you agree to allow the organisation to keep your personal data on file, for consideration for future job opportunities, we will hold your data for a further six months.  At the end of that period (or once you withdraw consent), your data will be deleted or destroyed.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment.

More information on records retention can be found online at: NHSX – Records Management Code of Practice 2020.

Storing DBS certificates

The correct storage of DBS certificate information is important. The code of practice requires that the information revealed is considered only for the purpose for which it was obtained and should be destroyed after six months.

How can you access, amend or move the personal data that you have given to us?

Even if we already hold your personal data, you still have various rights in relation to it. For further information about this, please contact the practice manager.   We will seek to deal with your request without undue delay and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise.

• Right to object: If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply.

• Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities (for example for a research project), or consent to market to you, you may withdraw your consent at any time.

• Right to erasure: In certain situations (for example, where we have processed your data unlawfully), you have the right to request us to “erase” your personal data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases) and will only disagree with you if certain limited conditions apply. If we do agree to your request, we will delete your data but will generally assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data is collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so.

• Right of data portability: If you wish, you have the right to transfer your data from us to another data controller.

Your rights as a candidate applying for work

Data Subject Access Requests (DSAR): You have a right under the data protection legislation to request access to view or to obtain copies of what information this organisation holds about you and to have it amended should it be inaccurate. To request this, you need to do the following:

• Your request should be made to The Practice Manager, Oulton Medical Centre, Quarry Hill, Oulton, Leeds LS26 8SZ

• There is no charge to have a copy of the information held about you. However we may, in some limited and exceptional circumstances, have to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive

• We are required to provide you with information within one month. We would ask therefore that any requests you make are in writing and it is made clear to us what and how much information you require

• You will need to give adequate information (for example full name, address, date of birth and details of your request) so that your identity can be verified and your records located

What should you do if your personal information changes?

You should tell us so that we can update our records. Please contact the management team as soon as any of your details change, this is especially important for changes of address or contact details (such as your mobile phone number).

What to do if you have any questions

Should you have any questions about this privacy policy or the information we hold about you, you can:

1. Contact the organisation via email at: marshstreet@nhs.net

2. Write to the data protection officer at Oulton Medical Centre, Quarry Hill, Oulton, Leeds LS26 8SX
3. Ask to speak to the practice manager or the deputy practice manager

The data protection officer (DPO) for Oulton Medical Centre is Louise Whitworth

Objections or complaints

In the unlikely event that you are unhappy with any element of our data-processing methods, do please contact the practice manager at Oulton Medical Centre in the first instance. If you feel that we have not addressed your concern appropriately, you have the right to lodge a complaint with the ICO. For further details, visit ico.gov.uk and select “Raising a concern” or telephone: 0303 123 1113

The Information Commissioner’s Office is the regulator for the General Data Processing Regulations and offers independent advice and guidance on the law and personal data including your rights and how to access your personal information.

Changes to our privacy policy

We regularly review our employee privacy policy and any updates will be published to reflect the changes.

[1] Network DES Contract specification 2021/22

[2] Data Protection Act 2018

[3] ICO

[4] GDPR

Oulton Medical Centre Privacy Notice

We understand how important it is to keep your personal information safe and secure and we take this very seriously. We have taken steps to make sure your personal information is looked after in the best possible way and we review this regularly.

Please read this privacy notice (‘Privacy Notice’) carefully, as it contains important information about how we use the personal and healthcare information we collect on your behalf.

Our contact details as data controller

Name: Hilary Farrar Practice Manager

Address: Oulton Medical Centre Quarry Hill Leeds LS26 8SZ

Phone number: 0113 2822138

Email: oultonmedical.centre@nhs.net

We are the data controller for your information. A controller decides on why and how information is used and shared.

The practice is registered with the Information Commissioners Office as a Data Controller- our registration number is: Z598614X and you can view our registration here https://ico.org.uk/ESDWebPages/Search

Data Protection Officer contact details

Our Data Protection Officer is Blaine Williams and is responsible for monitoring our compliance with data protection requirements. You can contact them with queries or concerns relating to the use of your personal data at wyicb-leeds.dpo@nhs.net

Why we collect your information?

As a GP practice we are responsible for your day-to-day medical care and the purpose of this notice is to inform you of the type of information that we hold about you, how that information is used for your care, our legal basis for using the information, who we share this information with and how we keep it secure and confidential.

It covers information we collect directly from you (that you have either provided to us, or from consultations with staff members), or we collect from other organisations who manage your care (such as hospitals or community services).

We are required by law to maintain records about your health and treatment, or the care you have received within any NHS service.

These records help to ensure that you receive the best possible care. They may be paper or electronic and they may include:

• Basic details about you such as name, address, email address, NHS number, date of birth, next of kin, etc.
• Contact we have had with you such as appointments or clinic visits.
• Notes and reports about your health, treatment and care
• Details of diagnosis and treatment given
• Information about any allergies or health conditions.
• Results of x-rays, scans and laboratory tests.
• Relevant information from people who care for you and know you well such as health care professionals and relatives.
• For visitors to the practice basic information such as name and vehicle registration number

By providing the Practice with their contact details, patients are agreeing to the Practice using those channels to communicate with them about their healthcare, i.e. by letter (postal address), by voice mail or voice message (telephone or mobile number), by text message (mobile number) or by email (email address).

You can find more detailed information about how we your information for the following specific purposes here:

• Primary Care Networks
• For commissioning and healthcare planning
• Population Health Management
• Leeds Care Record
• Summary Care Record
• Research – Find out how health researchers use information.
• Safeguarding, life or death situations and other circumstances we are required to share information.

What information do we collect?

Personal information

We currently collect and use the following personal information:

• personal identifiers and contacts (for example, name and contact details)

More sensitive information

We process the following more sensitive data (including special category data):

• data concerning physical or mental health (for example, details about your appointments or diagnosis)
• data revealing racial or ethnic origin
• data concerning a person’s sex life
• data concerning a person’s sexual orientation
• genetic data (for example, details about a DNA sample taken from you as part of a genetic clinical service)
• data revealing religious or philosophical beliefs
• data relating to criminal or suspected criminal offences

How do we use your information and how do we get it?

As health professionals, we maintain records about you to direct, manage, and deliver the care you receive. By registering with the practice, your existing records will be transferred to us from your previous practice so that we can keep them up to date while you are our patient and if you do not have a previous medical record (a new-born child or coming from overseas, for example), we will create a medical record for you.

We take great care to ensure that your information is kept securely, that it is up to date, accurate and used appropriately. In the practice, individual staff will only look at what they need in order to carry out tasks such as booking appointments, making referrals, supporting your care, or to support the management of the services we provide.

The personal information we collect is provided directly from you for one of the following reasons:

• you have provided information to seek care – this is used directly for your care, and also to manage the services we provide, to clinically audit our services, investigate complaints, or to be used as evidence as part of an investigation into care
• if you have signed up to our newsletter / patient participation group, we will engage with you to seek you comments and views on the practice.
• If you have made a complaint we will need to collect information about the complaint which will include your personal information. We may also need to gain additional information from, or share information we have with, other healthcare providers and NHS organisations in order to process and investigate your complaint.

We also receive personal information about you from others, in the following scenarios:

• from other health and care organisations involved in your care so that we can provide you with care
• from family members or carers to support your care
• If you register with us from another practice, your historic GP notes are transferred to us from your old practice. This can happen electronically and your paper notes are transferred via an organisation called Primary Care Support England

The NHS care record guarantee

The Care Record Guarantee is our commitment that we will use records about you in ways that respect your rights and promote your health and wellbeing. Copies of the full document can be obtained from:

https://webarchive.nationalarchives.gov.uk/ukgwa/20130513181549/http:/www.nigb.nhs.uk/guarantee

Primary Care Networks:

All practices in the UK are members of a Primary Care Network (PCN), which is a group of practices who have chosen to work together and with local community, mental health, social care, pharmacy, hospital and voluntary services to provide care to their patients.

PCNs are built on the core of current primary care services and enable greater provision of proactive, personalised, coordinated and more integrated health and social care.

We are members of LS25/26 PCN along with Lofthouse Surgery, New Cross Surgery, Nova Scotia, Garforth Medical Centre, Kippax Hall Surgery and Gibson lane Surgery.

This arrangement means that practices within the same PCN may share data with other practices within the PCN, for the purpose of patient care (such as extended hours appointments and other services), Each practice within the PCN is part of a stringent data sharing agreement that means that all patient data shared is treated with the same obligations of confidentiality and data security.

For commissioning and healthcare planning purposes:

In some cases, for example when looking at population healthcare needs, some of your data may be shared (usually in such a way that you cannot be identified from it). The following organisations may use data in this way to inform policy or make decisions about general provision of healthcare, either locally or nationally.

• Leeds City Council: Public Health, Adult or Child Social Care Services
• West Yorkshire Integrated Care Board (or their approved data processors)
• NHS Digital (Formerly known as (HSCIC)
• The “Clinical Practice Research Datalink” (EMISWeb practices) or ResearchOne Database (SystmOne practices).
• Other data processors which you will be informed of as appropriate.

In order to comply with its legal obligations we may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012.

This practice contributes to national clinical audits and will send the data which are required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form, for example, the clinical code for diabetes or high blood pressure.

Population Health Management:

Population Health Management (PHM) is about improving the physical and mental health of people.  It involves analysing data, in a format which does not identify individuals, and using the results to help making decisions on ways to prevent ill-health, improve care, reduce hospital admissions and help ensure that the most effective services are available for our patients.

The benefits of PHM are:

• to help frontline teams understand current health and care needs and predict what will be needed in the future.
• to identify specific groups of patients that are high risk and would benefit from direct interventions to improve their health and wellbeing.
• to improving the standard and quality of care.
• to prevent people needing hospital care unless necessary
• to support Working across different organisations in the health and care sector, to a positive difference to people’s lives. This can be supported by joining the data dots to tackle health inequalities we know exist across West Yorkshire.
• to identify gaps in services, as well as inform service redesigns.

We, and other healthcare providers like the hospital and community service providers, send information that relates to you to our data processor the North of England Commissioning Support Unit (NECS). NECS then pseudonymise this data, which means the information that could identify you is removed and is replaced with a pseudonym.  Information about the different health and care interventions you have had is then linked together so that it can be analysed without identifying you.

This pseudonymised data is then shared with West Yorkshire Integrated Care Board who will analyse the data to carry out commissioning and planning services and Population Health Management. Sometimes this analysis identifies individuals who might benefit from direct interventions to prevent illness. The results relating to patients registered at our practice are sent back to us so that we can assess who would benefit or require a particular healthcare intervention.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything.

If you do not want your data to be used in this way, you can opt-out of all planning and research initiatives through the national data opt-out service. Access this service online at www.nhs.uk/your-nhs-data-matters or by calling: 0300 303 5678.

Leeds Care Record

The Leeds Care Record (LCR) provides health and social care professionals directly involved in your care access to the most up to date information about you. It does this by sharing appropriate information from your medical and care records between health and social care services in Leeds.

At the moment, every health and social care organisation that you use has a different set of patient records for you. These records may duplicate information, or one record might hold information about your treatment, care and support that another one does not.

In Leeds, we have developed a virtual system called the Leeds Care Record. If you live in Leeds you will have a Leeds Care Record created for you. It is held on a secure computer system and includes some key health and social care information about you. The information is taken from other medical records you may have such as your GP record, hospital records or social care records.

If you do not want your information being shared on the LCR you can object to this, by contacting the LCR.

Summary Care Record

Your Summary Care Record (SCR) is a short summary of your GP medical records. It tells other health and care staff who care for you about the medicines you take and your allergies.

All patients registered with a GP have a SCR, unless they have chosen not to have one. Your SCR contains basic information about allergies and medications and any reactions that you have had to medication in the past.

Some patients, including many with long term health conditions, have previously agreed to have Additional Information shared as part of their Summary Care Record. This additional information includes information about significant medical history (past and present), reasons for medications, care plan information and immunisations.

The purpose of SCR is to improve the care that you receive, however, if you don’t want to have an SCR you have the option to opt out. If this is your preference please inform your GP or fill in an SCR patient consent preferences form and return it to your GP practice.

For research purposes

Research data is usually shared in a way that individual patients are non-identifiable.  Occasionally where research requires identifiable information you may be asked for your explicit consent to participate in specific research projects.  The surgery will always gain your consent before releasing any information for this purpose, unless the research has been granted a specific exemption from the Confidentiality Advisory Group of the Health Research Authority

Where specific information is asked for, such as under the National Diabetes audit, you will be given the choice to opt of the audit.

For safeguarding purposes, life or death situations or other circumstances when we are required to share information:

We may also disclose your information to others in exceptional circumstances (i.e. life or death situations) or in accordance with Dame Fiona Caldicott’s information sharing review (Information to share or not to share).

For example, your information may be shared in the following circumstances:

• When we have a duty to others e.g. in child protection cases
• Where we are required by law to share certain information such as the birth of a new baby, infectious diseases that may put you or others at risk or where a Court has decided we must.

Who do we share information with?

We share information about you with other health professionals to support your care, and in more limited ways for indirect care purposes:

• NHS Trusts and hospitals that are involved in your care.
• Community Care Teams
• Care homes
• Other General Practitioners (GPs) or Primary Care Networks (which are groups of GP Practices).
• Ambulance Services.
• Social Care Services.
• Education Services.
• Local Authorities.
• Voluntary and private sector providers working with or for the NHS. Such as Dentists, Pharmacies. Opticians & care homes

From time to time we may offer you referrals to other providers, specific to your own health needs not included in the list above. In these cases we will discuss the referral with you and advise you that we will be sharing your information (generally by referral) with those organisations.

We may also share information with the following types of organisations:

• third party data processors
  • IT system supplier (West Yorkshire ICB / Leeds City Council)
  • Software suppliers (SystmOne, EMIS)
  • Communication suppliers (telephony services, email, text messages)

In some circumstances we are legally obliged to share information. This includes:

• when required by NHS England to develop national IT and data services
• when registering births and deaths
• when reporting some infectious diseases
• when a court orders us to do so
• where a public inquiry requires the information
• Medical examiners

We will also share information if the public good outweighs your right to confidentiality. This could include:

• to detect, prevent or investigate crime
• where there are serious risks to the public or staff
• to protect children or vulnerable adults

We may also process your information in order to de-identify it, so that it can be used for purposes beyond your individual care whilst maintaining your confidentiality.  These purposes will include to comply with the law and for public interest reasons.

Is information transferred outside the UK?

As a GP surgery, we do not routinely send patient data outside of the UK / EU where the laws do not protect your privacy to the same extent as the law in the UK.

Our data is hosted in UK and is only available to our staff and technical support staff in the UK.

What is our lawful basis for using information?

Under UK GDPR the Practice are mandated to identify a legal basis to process your

personal information.

For personal data

• 6(1)(a) – Consent: this must be freely given, specific, informed and unambiguous.
• 6(1)(b) – Contract: between a person and a service, such as a service user and privately funded care home.
• 6(1)(c) – Legal obligation: the law requires us to do this, for example where NHS England or the courts use their powers to require the data. See this list for the most likely laws that apply when using and sharing information in health and care.
• 6(1)(d) – Vital interests: Life & Death
• 6(1)(e) – Public task: a public body, such as an NHS organisation or Care Quality Commission (CQC) registered social care organisation, is required to undertake particular activities by law. See this list for the most likely laws that apply when using and sharing information in health and care.

Special Category data (Sensitive Data including Health Records)

• 9(2)(a) – Explicit consent
• 9(2)(b) – Employment, social security and social protection (if authorised by law)
• 9(2)(c) – Vital interests – Life and Death
• 9(2)(e) – Made public by the data subject
• 9(2)(f) – Legal claims or judicial acts
• 9(2)(g) – Reasons of substantial public interest (with a basis in law)
• 9(2)(h) – Health or social care (with a basis in law)
• 9(2)(i) – Public health (with a basis in law)

Common law duty of confidentiality

In our use of health and care information, we satisfy the common law duty of confidentiality because:

• you have provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses)
• we have support from the Secretary of State for Health and Care following an application to the Confidentiality Advisory Group (CAG) who are satisfied that it isn’t possible or practical to seek consent
• we have a legal requirement to collect, share and use the data
• for specific individual cases, we have assessed that the public interest to share the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime). This will always be considered on a case by case basis, with careful assessment of whether it is appropriate to share the particular information, balanced against the public interest in maintaining a confidential health service

How do we protect your personal information?

As a Practice, we are committed to protecting your privacy and will only process data in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018, the Common Law Duty of Confidentiality, professional codes of practice, the Human Rights Act 1998 and other appropriate legislation.

Everyone working for the Practice has a legal and contractual duty to keep information about you confidential. All our staff receive appropriate and ongoing training to ensure that they are aware of their personal responsibilities and their obligations to uphold confidentiality.

Staff are trained to ensure how to recognise and report any incident and the organisation has procedures for investigating, managing and learning lessons from any incidents that occur.

All identifiable information that we hold about you in an electronic format will be held securely and confidentially in secure hosted servers that pass stringent security standards.

Any companies or organisations we use we may use to process your data are also legally and contractually bound to operate under the same security and confidentiality requirements.

All identifiable information we hold about you within paper records is kept securely and confidentially in lockable cabinets with access restricted to appropriately authorised staff.

As an organisation we are required to provide annual evidence of our compliance with all applicable laws, regulations and standards through the Data Security and Protection toolkit.

Your information is securely stored for the time periods specified in the Records Management Code of Practice.

All records are retained and destroyed in accordance with the NHS Records Management Code of Practice.

The Practice does not keep patient records for longer than necessary and all records are destroyed confidentially once their retention period has been met, and the Practice has made the decision that the records are no longer required.

What are your data protection rights?

Under the GDPR all patients have certain rights in relation to the information which the practice holds about them. Not all of these will rights apply equally, as certain rights are not available depending on situation and the lawful basis used for the processing.

For reference these rights may not apply are where the lawful basis we use (as shown in the above table in the section on “lawful bases”) is:

• Processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller – in these cases the rights of erasure and portability will not apply.
• Legal Obligation – in these cases the rights of erasure, portability, objection, automated decision making and profiling will not apply.

Right to be informed

You have the right to be informed of how your data is being used. The propose of this document is to advise you of this right and how your data is being used by the practice

The right of access

You have the right of access You have the right to ask us for copies of your personal information, this is often referred to as a ‘Subject Access Request’. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

You can make a subject access request by emailing oultonmedical.centre@nhs.net

The right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

The right to erasure

You have the right to ask us to erase your personal information in certain circumstances- This will not generally apply in the matter of health care data

The right to restrict processing

You have the right to ask us to restrict the processing of your information in certain circumstances– You have to right to limit the way in which your data is processed if you are not happy with the way the data has been managed.

The right to object

You have the right to object to processing if you disagree with the way in which part of your data is processed you can object to this- please bear in mind that this may affect the medical services we are able to offer you

Rights in relation to automated decision making and profiling.

Your rights in relation to automated processing– Sometimes your information may be used to run automated calculations. These can be as simple as calculating your Body Mass Index or ideal weight but they can be more complex and used to calculate your probability of developing certain clinical conditions, and we will discuss these with you if they are a matter of concern.

No decisions about individual care are made solely on the outcomes of these tools, they are only used to help us assess your possible future health and care needs with you and we will discuss these with you.

The right to data portability

Your right to data portability you have the right to ask that we transfer the information you gave us from one organisation to another. The right only applies if we are processing information based on your consent or under a contract, and the processing is automated, so will only apply in very limited circumstances

National data opt-out

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service.  Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

• improving the quality and standards of care provided
• research into the development of new treatments
• preventing illness and diseases
• monitoring safety
• planning services

This may only take place when there is a clear lawful basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential health and care information is only used like this when allowed by law.

Whenever possible data used for research and planning is anonymised, so that you cannot be identified and your confidential information is not accessed.

You have a choice about whether you want your confidential information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:

• See what is meant by confidential patient information
• Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
• Find out more about the benefits of sharing data
• Understand more about who uses the data
• Find out how your data is protected
• Be able to access the system to view, set or change your opt-out setting
• Find the contact telephone number if you want to know any more or to set/change your opt-out by phone

See the situations where the opt-out will not apply

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Our organisation has reviewed the disclosures we make and is compliant with the national data opt-out policy.

OpenSAFELY COVID-19 Service

The NHS England OpenSAFELY COVID-19 Service is a secure, transparent, open-source software platform for analysis of electronic health data. The system provides access to de-identified (pseudonymised) personal data to support Approved Users (academics, analysts, and data scientists) to undertake approved projects for COVID-19 research, COVID-19 clinical audit, COVID-19 service evaluation and COVID-19 health surveillance purposes.

The purposes for processing are to identify medical conditions and medications that affect the risk or impact of COVID-19 infection on individuals; this will assist with identifying risk factors associated with poor patient outcomes as well as information to monitor and predict demand on health services.

Further information can be found on the NHS digital website.

Other ways we use your information

Call recording

All Telephone calls are routinely recorded for the following purposes:

• To make sure that staff act in compliance with procedures.
• To ensure quality control.
• Training, monitoring and service improvement
• To prevent crime, misuse and to protect staff and patients

SMS Text messaging

When attending the Practice for an appointment or a procedure you may be asked to confirm that the Practice has an accurate contact number and mobile telephone number for you. This can be used to provide appointment details via SMS text messages and automated calls to advise you of appointment times.

CCTV

We employ surveillance cameras (CCTV) on and around our practice in order to:

• protect staff, patients, visitors and Practice property
• apprehend and prosecute offenders, and provide evidence to take criminal or civil court action
• provide a deterrent effect and reduce unlawful activity
• help provide a safer environment for our staff
• monitor operational and safety related incidents
• help to provide improved services, for example by enabling staff to see patients and visitors requiring assistance

We will only retain surveillance data for a reasonable period or as long as is required by law. In certain circumstances (high profile investigations, serious or criminal incidents) we may need to disclose CCTV data for legal

How do I complain?

If you have any concerns about our use of your personal information, you can make a complaint to us at Oulton Medical Centre 0113 2822138 or email oultonmedical.centre@nhs.net

Following this, if you are still unhappy with how we have used your data, you can then complain to the ICO.

The ICO’s address is:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

Date of last review

This privacy notice was reviewed and updated in April 2024.

IS PROUD TO BE A SAFE SURGERY FOR
EVERYONE IN OUR COMMUNITY
In recognition of the barriers to healthcare access faced by people in vulnerable
circumstances, including migrants, we commit to protecting the human right to health.
We will take steps to ensure that everyone in our community may fulfil their
entitlement to quality healthcare.
In partnership with Doctors of the World UK, we will ensure that our practice offers a
welcoming space for everyone who seeks to use our services.
Mindful of our duties to uphold equality and human rights law, we will implement
patient registration policies which do not discriminate based on race, gender, sexual
orientation, immigration status or any other characteristic.
Supported by the Safe Surgeries initiative, we will ensure that our staff understand
the specific barriers faced by migrants in vulnerable circumstances and that they are
empowered to mitigate these barriers, where possible.
We will ensure that a lack of identification or proof of address, immigration status or
language do not prevent patient registration.
As a member of the Safe Surgeries community, we will endeavour to support other
Safe Surgeries and, where appropriate, provide feedback to Doctors of the World UK
to support the development of the network.

Increasingly, patient medical data is shared e.g. between GP surgeries and District Nursing, in order to give clinicians access to the most up to date information when attending patients.

View our Weight Management policy here.

Zero Tolerance Policy 22-23