PRACTICE PRIVACY NOTICE FOR PATIENTS
Coronavirus (COVID-19) pandemic and your information
The ICO recognises the unprecedented challenges the NHS and other health professionals are facing during the Coronavirus (COVID-19) pandemic.
The ICO also recognises that 'Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.'
The Government have also taken action in respect of this and on 20th March 2020 the Secretary of State for Health and Social Care issued a Notice under Regulation 3(4) of The Health Service (Control of Patient Information) Regulations 2002 requiring organisations such as GP Practices to use your information to help GP Practices and other healthcare organisations to respond to and deal with the COVID-19 pandemic.
In order to look after your healthcare needs during this difficult time, we may urgently need to share your personal information, including medical records, with clinical and non-clinical staff who belong to organisations that are permitted to use your information and need to use it to help deal with the COVID-19 pandemic. This could (amongst other measures) consist of treating either you or a member of your family, and enabling us and other healthcare organisations to monitor the disease, assess risk and manage the spread of the disease.
Please be assured that we will only share information and health data that is necessary to meet your and public healthcare needs.
The Secretary of State for Health and Social Care has also stated that these measures are temporary and will expire on 30th September 2020 unless a further extension is required. Any further extension will be provided in writing and we will communicate the same to you.
Please also note that the data protection and electronic communication laws do not stop us from sending public health messages to you, either by phone, text or email as these messages are not direct marketing.
It may also be necessary, where the latest technology allows us to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind.
If you are concerned about how your information is being used, please contact our DPO using the contact details provided in this Privacy Notice.
Privacy notice - the Practice's commitment to Information Governance
How we use your information
This privacy notice explains why we as a Practice collect information about our patients and how we use that information.
Ling House Medical Centre manages patient information in accordance with existing laws and with guidance from organisations that govern the provision of healthcare in England such as the Department of Health and the General Medical Council.
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- Data Protection Act 2018
- GDPR 2018
- Health and Social Care Act 2012
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- NHS Codes of Confidentiality and Information Security
As data controllers, GPs have fair processing responsibilities under the Data Protection Act 2018 and GDPR 2018. In practice, this means ensuring that your personal confidential data (PCD) is handled clearly and transparently, and in a reasonably expected way.
The Health and Social Care Act 2012 changed the way that personal confidential data is processed; it is therefore important that our patients are aware of and understand these changes, and that you have an opportunity to object and know how to do so.
Further information about the way in which the NHS uses personal information and your rights in that respect can be found in:
An independent review of how information about patients is shared across the health and care system led by Dame Fiona Caldicott was conducted in 2012. The report, Information: To share or not to share? The Information Governance Review can be found at: www.gov.uk/government/publications/the-information-governance-review
NHS England - Better Data, Informed Commissioning, Driving Improved Outcomes: Clinical Data Sets provides further information about the data flowing within the NHS to support commissioning.
Please visit the NHS Digital website for further information about their work. Information about their responsibility for collecting data from across the health and social care system can be found.
The Information Commissioner's Office is the Regulator for the Data Protection Act 2018 and offers independent advice and guidance on the law and personal data, including your rights and how to access your personal information. For further information please visit www.ico.org.uk
Privacy/ Fair Processing Notice
Security of information
Confidentiality affects everyone: Ling House Medical Centre collects, stores and uses large amounts of personal and sensitive personal data every day, such as medical records, personal records and computerised information. This data is used by many people in the course of their work.
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 2018 (which is overseen by the Information Commissioner's Office), Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security. Every staff member who works for an NHS organisation has a legal obligation to maintain the confidentiality of patient information, whether computerised or on paper.
All our staff, contractors and committee members receive appropriate and regular training to ensure they are aware of their personal responsibilities and have legal and contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Staff have access to personal information where it is appropriate to their role and is strictly on a need-to-know basis.
We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.
At Practice management level, we have appointed a Senior Information Risk Owner who is accountable for the management of all information assets and any associated risks and incidents, and a Caldicott Guardian who is responsible for the management of patient information and patient confidentiality.
Legal basis for the processing of your data
The General Data Protection Regulation (GDPR) 2018 requires the Practice to process:
Sensitive personal data (Health Records) under 9(2)(h) – “Necessary for the reasons of preventative or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services” and occasionally 9(2)(c) “when it is necessary to protect the vital interests of a person who is physically or legally incapable of giving consent”
Personal data under 6(1)(e) “Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Practice (Data Controller)” and occasionally 6(1)(d) “when it is necessary to protect the vital interests of a person who is physically or legally incapable of giving consent”
Why do we collect information about you?
All clinicians and health and social care professionals caring for you keep records about your health and any treatment and care you receive from the NHS. These records help to ensure that you receive the best possible care. They may be paper or electronic and they may include:
- Basic details about you such as name, address, email address, NHS number, date of birth, next of kin, etc.
- Contact we have had with you such as appointments or clinic visits.
- Notes and reports about your health, treatment and care – A&E visits, inpatient spells or clinic appointments
- Details of diagnosis and treatment given
- Information about any allergies or health conditions.
- Results of x-rays, scans and laboratory tests.
- Relevant information from people who care for you and know you well such as health care professionals and relatives.
It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes to your contact details as soon as possible. This reduces the risk of you not receiving important correspondence.
By providing the Practice with contact details, patients are agreeing to the Practice using those channels to communicate with them about their healthcare, i.e. by letter (postal address), by voice mail or voice message (telephone or mobile number), by text message (mobile number) or by email (email address).
How your personal information is used
In general your records are used to direct, manage and deliver the care you receive to ensure that:
- The doctors, nurses and other health or social care professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate care for you.
- Health or social care professionals have the information they need to be able to assess and improve the quality and type of care you receive.
- Your concerns can be properly investigated if a complaint is raised.
- Appropriate information is available if you see another clinician, or are referred to a specialist or another part of the NHS or social care.
The Care Record
The Health Care Record is a shared system that allows health or social care professionals to appropriately access the most up-to-date and accurate information about patients to deliver the best possible care.
The NHS Care Record Guarantee
The Care Record Guarantee is our commitment that we will use records about you in ways that respect your rights and promote your health and wellbeing. Copies of the full document can be obtained from:
Information governance for Summary Care Records (SCR) - NHS Digital
The Records Management Code of Practice
This Records Management Code of Practice for Health and Social Care 2016 is a guide for the NHS to use in relation to the practice of managing records. It is relevant to organisations who work within, or under contract to NHS organisations in England. This also includes public health functions in Local Authorities and Adult Social Care where there is joint care provided within the NHS.
The Code is based on current legal requirements and professional best practice. It will help organisations to implement the recommendations of the Mid Staffordshire NHS Foundation Practice Public Inquiry relating to records management and transparency.
How long health records are retained
All patient records are destroyed in accordance with the NHS Records Management Code of Practice retention schedules, which set out the appropriate length of time each type of NHS record is retained.
The Practice does not keep patient records for longer than necessary and all records are destroyed confidentially once their retention period has been met, and the Practice has made the decision that the records are no longer required.
When do we share information about you?
We share information about you with others directly involved in your care, and also share more limited information for indirect care purposes, both of which are described below:
Everyone working within the NHS has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us also has a legal duty to keep it confidential.
- Other NHS Practices and hospitals that are involved in your care.
- NHS Digital General Practitioners (GPs)
- Ambulance Trusts
- Social Care Services.
- Education Services.
- Local Authorities.
- Voluntary and private sector providers working with the NHS.
- NHS Trusts
- Specialist Trusts
- Independent Contractors such as dentists, opticians, pharmacists
- Private Sector Providers
- Voluntary Sector Providers
- Clinical Commissioning Group
- Social Care Services
- Local Authorities
- Education Services
- Fire and Rescue Services
- Prescription Agency Authority
- Care Quality Commission
- Department of Work and Pensions
- Coroner's Office
- Primary Care Support England
- Solicitors and insurance companies
We will not disclose your information to any other third parties without your permission unless there are exceptional circumstances, such as if the health and safety of others is at risk or if the law requires us to pass on information.
Indirect Care Purposes:
We also use information we hold about you to:
- Review the care we provide to ensure it is of the highest standard and quality
- Ensure our services can meet patient needs in the future
- Investigate patient queries, complaints and legal claims
- Ensure the hospital or practice receives payment for the care you receive
- Prepare statistics regarding NHS performance
- Audit NHS accounts and services
- Clinical audit
- Undertake health research and development (with your consent – you may choose whether or not to be involved)
- Help train and educate healthcare professionals
Nationally there are strict controls on how your information is used for these purposes. These control whether your information has to be de-identified first and with whom we may share identifiable information. You can find out more about these purposes, which are also known as secondary uses, on the NHS England and NHS Digital’s websites:
When other people need information about you
Everyone working in Health and Social Care has a legal duty to keep information about you confidential and anyone who receives information from us is also under a legal duty to keep it confidential.
From time to time we may need to share information with other professionals and services concerned in your care. This may be for instance, when your healthcare professional needs to discuss your case with other professionals (who do not work for the Practice) in order to plan your care. We do this in order to provide the most appropriate treatment and support for you and your carers, or when the welfare of other people is involved. We will only share information in this way if we have your permission and it is considered necessary.
There may be other circumstances when we must share information with other agencies. In these rare circumstances we are not required to seek your consent.
Examples of this are:
- If there is a concern that you are putting yourself at risk of serious harm
- If there is a concern that you are putting another person at risk of serious harm
- If there is a concern that you are putting a child at risk of harm
- If we have been instructed to do so by a court
- If the information is essential for the investigation of a serious crime
- If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object
- If your information falls within a category that needs to be notified for public health or other legal reasons, e.g. certain infectious diseases
Other ways in which we use your information
Call recording
Telephone calls to the Practice are routinely recorded for the following purposes:
- To make sure that staff act in compliance with Practice procedures.
- To ensure quality control.
- Training, monitoring and service improvement
- To prevent crime, misuse and to protect staff
Data subjects' rights
Under the Data Protection Act 2018 - 6th Principle:
- a right of access to a copy of their personal data;
- a right to object to processing that is likely to cause or is causing damage or distress;
- a right to object to decisions being taken by automated means;
- a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
- a right to claim compensation for damages caused by a breach of the Act
Under the General Data Protection Regulation (GDPR) 2018
- a right to confirmation that their personal data is being processed and access to a copy of that data which in most cases will be Free of Charge and will be available within 1 month (which can be extended to two months in some circumstances)
- Who that data has or will be disclosed to;
- The period of time the data will be stored for
- a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed;
- Data Portability – data provided electronically in a commonly used format
- The right to be forgotten and erasure of data does not apply to an individual’s health record or for public health purposes
- The right to lodge a complaint with a supervising authority (see Raising a concern)
Your right to object
You have the right to restrict how and with whom we share information in your records that identifies you. If you object to us sharing your information we will record this explicitly within your records so that all healthcare professionals and staff involved with your care are aware of your decision. If you choose not to allow us to share your information with other health or social care professionals involved with your care, it may make the provision of treatment or care more difficult or unavailable.
Please discuss any concerns with the Clinician treating you so that you are aware of any potential impact. You can also change your mind at any time about a disclosure decision.
Refusing or withdrawing consent
The possible consequences of refusing consent will be fully explained to the patient at the time, and could include delays in receiving care.
In those instances where the legal basis for sharing of confidential personal information relies on the patient's explicit or implied consent, then the patient has the right at any time to refuse their consent to the information sharing, or to withdraw their consent previously given.
In instances where the legal basis for sharing information without consent relies on HRA CAG authorisation under Section 251 of the NHS Act 2006, then the patient has the right to register their objection to the disclosure, and the Practice is obliged to respect that objection.
In instances where the legal basis for sharing information relies on a statutory duty/power, then the patient cannot refuse or withdraw consent for the disclosure.
SMS text messaging
When attending the Practice for an appointment or a procedure you may be asked to confirm that the Practice has an accurate contact number and mobile telephone number for you. This can be used to provide appointment details via SMS text messages and automated calls to advise you of appointment times.
Surveillance Cameras (CCTV)
We employ surveillance cameras (CCTV) on and around our sites in order to:
- protect staff, patients, visitors and Practice property
- apprehend and prosecute offenders, and provide evidence to take criminal or civil court action
- provide a deterrent effect and reduce unlawful activity
- help provide a safer environment for our staff
- assist in traffic management and car parking schemes
- monitor operational and safety related incidents
- help to provide improved services, for example by enabling staff to see patients and visitors requiring assistance
- assist with the verification of claims
You have a right to make a Subject Access Request of surveillance information recorded of yourself and ask for a copy of it. Requests should be directed to the address below and you will need to provide further details as contained in the section ‘How you can access your records’. The details you provide must contain sufficient information to identify you and assist us in finding the images on our systems.
We reserve the right to withhold information where permissible by the General Data Protection Regulation (GDPR) 2018 and we will only retain surveillance data for a reasonable period or as long as is required by law. In certain circumstances (high profile investigations, serious or criminal incidents) we may need to disclose CCTV data for legal reasons. When this is done there is a requirement for the organisation that has received the images to adhere to the GDPR.
What are cookies?
Cookies are small text files which a website may put on your computer or mobile device when you first visit a site or page. The cookie will help the website to recognise your device the next time you visit.
Cookies do many things. For example they can help us to analyse how well our website is performing, or even allow us to recommend content we believe will be most relevant to you.
Certain cookies contain personal information. For example, if you click to "remember me" when logging in, a cookie will store your username. Most cookies won't collect information that identifies you. Instead, cookies will collect more general information such as how users arrive at and use our website, or a user's general location.
What cookies do we use?
We use Google Analytics cookies in order to evaluate your use of the website and compile reports for us on activity on the website. You can learn about Google Analytics cookies by visiting this site: policies.google.com/privacy
Can you block our cookies?
Cookies help you to get the most from our website, so please remember that if you do choose to disable cookies, you may find that certain sections of our website do not work properly.
How do I disable cookies?
All recent versions of popular browsers give you a level of control over cookies. You can find out how to control cookies in your browser by visiting this site: www.aboutcookies.org.uk. Our website uses cookies to optimise your experience. The 'Remember my details' feature on our online prescription form uses first party cookies on your computer to store your information. This information is only used to remember your details and is never passed to any third party (cookies must be enabled for this to work).
Access to personal information
You have a right under the Data Protection Act 2018 to access/view information the practice holds about you, and to have it amended or removed should it be inaccurate. This is known as 'the right of subject access'. If we do hold information about you we will:
- give you a description of it
- tell you why we are holding it
- tell you who it could be disclosed to
- let you have a copy of the information in an intelligible form
If you would like to make a 'subject access request', please contact the practice manager in writing. There may be a charge for this service. Any changes to this notice will be published on our website and on the practice notice board. The practice is registered as a data controller under the Data Protection Act 2018. This registration number is Z1334811 and can be viewed online in the public register at www.ico.org.uk
Change of Details
It is important that you tell the person treating you if any of your details such as your name or address have changed or if any of your details such as date of birth is incorrect in order for this to be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.
The Data Protection Act 2018 requires organisations to register a notification with the Information Commissioner to describe the purpose for which they process personal and sensitive information. This information is publicly available on the Information Commissioner's Office website www.ico.org.uk. The practice is registered with the Information Commissioner's Office (ICO).
How you can access your records
The GDPR 2018 gives you a right to access the information we hold about you on our records. Requests must be made in writing to the Access to Health Records Department. The Practice will provide your information to you within one month (this can be extended dependent on the complexity of the request) from receipt of your application:
- A completed application form, containing adequate supporting information (such as your full name, address, date of birth, NHS number, etc.) to enable us to verify your identity and locate your records.
- Information will be provided free of charge except where requests are unfounded or excessive (in particular, repeat requests), in which case the Practice may either charge a reasonable fee or refuse to act on the request.
Please write to:
The Access to Records Department, Ling House Medical Centre, 49 Scott Street, Keighley, BD21 2JH
The Data Controller responsible for keeping your information confidential is:
Ling House Medical Centre, 49 Scott Street, Keighley, BD21 2JH
Data Protection Officer
The Practice Data Protection Officer is Dal Sharry-Khan, BCA Data Protection Officer, Scorex House (West), 1 Bolton Road, Bradford, BD1 4AS
Raising a concern
Patients who have a concern about any aspect of their care or treatment at this Practice, or about the way their records have been managed, should contact the Patient Advice & Liaison Service (PALS).
If you have any concerns about how we handle your information, you have a right to complain to the Information Commissioner's Office about it.
The GDPR 2018 requires organisations to lodge a notification with the Information Commissioner to describe the purposes for which they process personal information.
These details are publicly available from:
Information Commissioner’s Office
Water Lane Wilmslow
Telephone: 08456 306060
Freedom of Information
The Freedom of Information Act 2000 provides any person with the right to obtain information held by the Practice, subject to a number of exemptions. If you would like to request some information from us, please visit the Freedom of Information section of our website.
Please note: if your request is for information we hold about you (for example, your health record), please instead see above, under "How You Can Access Your Records".