Below are full copies of newly published versions of Policies and privacy notices for easy accessibility
Bartlett Group Practice General Privacy Notice
HOW WE USE YOUR PERSONAL INFORMATION
This fair processing notice explains why the GP practice collects information about you and how that information may be used.
The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.
NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which this GP Practice hold about you may include the following information;
- Details about you, such as your address, carer, legal representative, emergency contact details
- Any contact the surgery has had with you, such as appointments, clinic visits, emergency
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations such as laboratory tests, x-rays etc
- Relevant information from other health professionals, relatives or those who care for you
To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided.
Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.
Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose
The Practice may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost effective treatments. This service is provided to practices within Surrey Heath Clinical Commissioning Group.
HOW DO WE MAINTAIN THE CONFIDENTIALITY OF YOUR RECORDS?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- Data Protection Act 2018
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- Health and Social Care Act 2012
- NHS Codes of Confidentiality, Information Security and Records Management
- Information: To Share or Not to Share Review
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies.
WHO ARE OUR PARTNER ORGANISATIONS?
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations;
- NHS Trusts / Foundation Trusts
- Care Quality Commission
- NHS Digital
- NHS Commissioning Support Units
- Independent Contractors such as dentists, opticians, pharmacists
- Private Sector Providers
- Voluntary Sector Providers
- Ambulance Trusts
- Clinical Commissioning Groups
- Social Care Services
- Health and Social Care Information Centre (HSCIC)
- Local Authorities
- Education Services
- Fire and Rescue Services
- Police & Judicial Services
- Phyllis Tuckwell Hospice
- South Central Ambulance Service (NHS111)
- Surrey Heath Community Providers (GP Federation)
- Surrey heath Primary Care Network
- UK Biobank
- PRIMIS / PINCER (University of Nottingham)
SUPPORTING FRAILTY IDENTIFICATION AND MANAGEMENT
The Community Frailty Practitioner (commissioned by the local CCG and hosted by Surrey County Council) works with practices to identify people who may be living with frailty to provide proactive assessment and support to maximise and maintain a person’s health, wellbeing and independence. The Community Frailty Practitioner will work alongside healthcare professionals involved to offer support and recommendations as part of an agreed plan
The practice is working with UK Biobank, an approved research organisation and important resource for health research. It is funded by the Wellcome Trust charity and the government’s Medical Research Council (MRC) and supported by the NHS. UK Biobank is working closely with the GP systems suppliers, including EMIS Health (EMIS Web), to manage the extract of primary care data from UK Biobank participants in a secure, scalable and sustainable way
The extract only involves patients registered at the practice that have explicitly consented to participate in the UK Biobank study.
The information extracted from the health records of consented participants will comprise data regarding the patient’s health and well-being and interactions with their GP Practice. The type of information includes:
- Appointment dates and attended status
- Coded diagnoses, symptoms, observations, referrals and associated dates
- Prescriptions and dates prescribed
- Lab test results and date the test was performed
- Immunisation records
The PRIMIS project involves the processing of data from the GP Practice clinical information system.The data relates to the national PINCER Indicator set, comprising of a series of prescribing safety indicators used to identify patients at risk of potentially hazardous prescribing. Pharmacists, specifically trained to deliver the intervention, review the data outputs at the GP Practice. Practice aggregate data is then transferred to PRIMIS for inclusion in the CHART Online data storage facility, enabling comparative views of submitted data via the web. All patient level data remains within the GP practice with only practice summative data being submitted to the CHART Online national comparative database.
This practice is supporting vital health and care planning and research by sharing your data with NHS Digital. For more information about this see the GP Practice Privacy Notice for General Practice Data for Planning and Research
GENERAL PRACTICE EXTRACTION SERVICE DATA FOR PANDEMIC PLANNING & RESEARCH (COVID-19)
Purpose : Patients personal confidential data will be extracted and shared with NHS Digital in order to support vital health and care planning and research. Further information can be found here
Patients may opt out of having their Personal identifiable data shared for Planning or Research by applying a National Data Opt Out or a Type 1 Opt Out. Details of how to Opt Out can be found on our Privacy Notice. For the National Data Opt Out patients are required to register their preference below.
For Type 1 Opt Out, which means that no personal confidential data will be shared outside of the practice for this purpose, patients can complete the form within the link and return it to their registered practice for action by the 1st Sept 2021. https://nhs-prod.global.ssl.fastly.net/binaries/content/assets/website-assets/data-and-information/data-collections/general-practice-data-for-planning-and-research/type-1-opt-out-form.docx
Legal Basis : The legal basis for this activity can be found at this link : General Practice Data for Planning and Research: NHS Digital Transparency Notice - NHS Digital
Processor : NHS Digital
General Practice Extraction Service (GPES)
- At risk patients data collection Version 3
- Covid-19 Planning and Research data
- CVDPREVENT Audit
- Physical Health Checks for people with Severe Mental Illness
Purpose – GP practices are required by law to provide data extraction of their patients personal confidential information for various purposes by NHS Digital. The objective of this data collection is on an ongoing basis to identify patients registered at General Practices who fit within a certain criteria, in order to monitor and either provide direct care, or prevent serious harm to those patients.
Below is a list of the purposes for the data extraction, by using the link you can find out the detail behind each data extraction and how your information will be used to inform this essential work:
- At risk patients including severely clinically vulnerable
- Covid-19 Planning and Research data, to control and prevent the risk of Covid-19
- NHS England has directed NHS Digital to collect and analyse data in connection with Cardiovascular Disease Prevention Audit
- GPES Physical Health Checks for people with Severe Mental Illness (PHSMI) data collection.
Legal Basis - All GP Practices in England are legally required to share data with NHS Digital for this purpose under section 259(1)(a) and (5) of the 2012 Act
Further detailed legal basis can be found in each link.
Any objections to this data collection should be made directly to NHS Digital. firstname.lastname@example.org
Processor – NHS Digital or NHS X
THIRD PARTY PROCESSORS
In order to deliver the best possible service, the practice will share data (where required) with other NHS bodies such as other GP practices and hospitals. In addition the practice will use carefully selected third party service providers. When we use a third party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties includes:
- Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc.
- Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).
Further details regarding specific third party processors can be supplied on request.
Other ‘data processors’ which you will be informed of
MJOG – SMS provider
Docmail – Auto Mail provider
AccuRX – Instant SMS provider
E-consult – Online Appointment System
EMIS – Clinical System
Lumiradx – Anti-coagulation Service
Docman – Document Management Service
Purpose: Patients personal confidential data is shared with the anticoagulation service system in order to provide monitoring for patients on anticoagulation medication. Only those patients referred into the service will have their data shared.
Legal Basis: under UK GDPR the processing of this data will be for direct care of the patient.
Article 6 1 (e) Public Task
Article 9 2 (h) Health data
You will be informed who your data will be shared with and in some cases asked for explicit consent for this happen when this is required.
In regards to AccuRx and the issue of storing images, you should be aware that any photos that you send will be stored as part of the transmission process on secure AccuRx servers.
We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.
NATIONAL DATA OPT-OUT
The national data opt-out was introduced on 25 May 2018, enabling patients to opt-out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.
By 2020 all health and care organisations are required to apply national data opt-outs where confidential patient information is used for research and planning purposes. NHS Digital has been applying national data opt-outs since 25 May 2018. Public Health England has been applying national data opt-outs since September 2018.
The national data opt-out replaces the previous ‘type 2’ opt-out, which required NHS Digital not to share a patient’s confidential patient information for purposes beyond their individual care. Any patient that had a type 2 opt-out recorded on or before 11 October 2018 has had it automatically converted to a national data opt-out. Those aged 13 or over were sent a letter giving them more information and a leaflet explaining the national data opt-out. For more information go to National data opt out programme
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.
On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
DATA PROCESSING ACTIVITIES FOR RISK STRATIFICATION
Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information using software managed by South, Central & West Commissioning Support Unit, and is only provided back to your GP as data controller in an identifiable form.
Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary your GP may be able to offer you additional services.
Please note that you have the right to opt out of your data being used in this way.
Risk stratification tools are used to analyse the overall health of a population using data which is anonymised in line with the Information Commissioner's Office (ICO) Anonymisation Code of Practice. The combined CCGs Secondary Use Service (SUS) data and GP data which contains an identifier (usually NHS number) is made available to clinicians with a legitimate relationship with their patients to enable them to identify which patients should be offered targeted preventative support to reduce those risks.
The CCG has commissioned NHS South, Central and West Commissioning Support Unit (SCWCSU) to provide the risk stratification software solution on behalf of itself and its GP practices.
This processing takes place under contract following the below steps:
- NHS Digital has a legal obligation to obtain data from providers of NHS care such as the local hospital, community hospital & GP Practices. This data is then sent to the SCWCSU DSCRO and amended so that only your NHS number could identify you. The data is then provided to SCWCSU for processing in the risk stratification software.
- The GP practice enables an organisation called Graphnet Healthcare, to extract data from your records which again, is only identifiable by your NHS Number. This data will only be extracted and provided to SCWCSU for those patients that have not objected to Risk Stratification or where no other type of objection to information sharing has been recorded on your record. The data, containing the same verified NHS numbers, are sent via secure transfer, directly to SCWCSU by Graphnet.
- SCWCSU then link both sets of data using their risk stratification software. An algorithm is run on the data to generate a risk score for each Patient. The CCG is able to see data only after your NHS number has been removed and replaced by a pseudonymised reference. Your GP will be able to see the data with your NHS number in it so that it can identify if you require further support from them to manage your healthcare needs.
The risk scores are only made available to authorized users within the GP Practice where you are registered via a secure portal managed by SCWCSU.
If you do not wish information about you to be included in the risk stratification programme please contact your GP Practice. They can add a code to your records that will stop your information from being used for this purpose.
Further information about risk stratification is available from: https//www.england.nhs.uk/ourwork/tsd/ig/risk-stratification/
Type of Data – Identifiable/Pseudonymised/Anonymised/Aggregate Data
GDPR Art. 6(1) (e) and Art.9 (2) (h). The use of identifiable data by CCGs and GPs for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority (approval reference (CAG 7-04)(a)/2013)) and this approval has been extended to the end of September 2022 NHS England Risk Stratification which gives us a statutory legal basis under Section 251 of the NHS Act 2006 to process data for risk stratification purposes which sets aside the duty of confidentiality. We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.
CCGs and GPs use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable admissions. Typically this is because patients have a long term condition such as Chronic Obstructive Pulmonary Disease. NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable admissions.
Knowledge of the risk profile of our population will help the CCG to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices.
ACCESS TO PERSONAL INFORMATION
You have a right under the Data Protection Act 1998 to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. In order to request this, you need to do the following:
- Your request must be made in writing to the GP – for information from the hospital you should write direct to them
- There may be a charge to have a printed copy of the information held about you
- We are required to respond to you within 30 days
- You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located
OBJECTIONS / COMPLAINTS
Should you have any concerns about how your information is managed by the Practice, please contact the Practice Manager at email@example.com If you are still unhappy following a review by the Practice, you can then complain to the Information Commissioners Office (ICO) via their website (www.ico.gov.uk). Telephone: 0303 123 1113 (local rate) or 01625 545 745
If you are happy for your data to be extracted and used for the purposes described in this privacy notice then you do not need to do anything. If you have any concerns about how your data is shared then please contact the practice.
Currently awaiting details from our system suppliers. Detail to follow.
CHANGE OF DETAILS
It is important that you tell the person treating you if any of your details such as your name or address have changed or if any of your details such as date of birth is incorrect in order for this to be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.
The Data Protection Act 2018 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.
This information is publicly available on the Information Commissioners Office website www.ico.org.uk
The practice is registered with the Information Commissioners Office (ICO).
WHO IS THE DATA PROTECTION OFFICER - Laura Taw (GP IG Manager and Data Protection Officer (DPO) for GP Practices within Surrey Heath) has been designated as the Data Protection Officer for the Practice - Email: GP-IGEnquiries.firstname.lastname@example.org
WHO IS THE DATA CONTROLLER?
The Data Controller, responsible for keeping your information secure and confidential is: Bartlett Group Practice