Confidentiality, Your Information & Privacy Notice
Staines Health Group – PRIVACY NOTICE
How we use your information
This document explains why we collect your information and how that information may be used.
Your personal data is handled in ways that are transparent and that you would reasonably expect. The Health and Social Care Act 2012 and General Data Protection Regulations 2018 (GDPR) have altered the way that your personal confidential data are processed. Consequently, you must be aware of and understand these changes, know that you have the opportunity to object, and understand how to exercise that right.
Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation. These records help to provide you with the best possible healthcare.
NHS health records may be processed electronically, on paper or a mixture of both, and through established working procedures and best practice coupled with technology we ensure your personal data is kept confidential and secure. Records held by us may include the following:
- Your personal data, such as address and next of kin;
- Your history with us, such as appointments, vaccinations, clinic visits, etc;
- Notes and reports about your health;
- Details about your treatment and care;
- Results of investigations and referrals such as blood tests, x-rays, etc; and
- Relevant information from other health professionals, relatives or carers.
We obtain and hold data for the sole purpose of providing healthcare services to our patients and we will ensure that the information is kept confidential. We can disclose your personal information if:
(a) It is required by law;
(b) You consent – either implicitly or for the sake of your own care or explicitly for other purposes; and
(c) It is justified in the public interest.
Some of this information is held centrally and used for statistical purposes. Where we hold data centrally, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – the Practice will always endeavor to gain your consent before releasing the information.
You may choose to withdraw your consent to personal data being used in this way. If we are to participate in a new data-sharing project we will make patients aware by displaying prominent notices in the Practice and on our website at least four weeks before the scheme is due to start. Instructions will be provided to explain how to ‘opt out’ of each new scheme.
A patient can object to their personal information being shared with other health care providers but if this limits the treatment that you can receive then the doctor will explain this to you at the time.
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.
1) Data Controller contact details
Staines Health Group, Burges Way, Knowle Green, Staines, Middlesex, TW18 1XD
2) Data Protection Officer contact details
To be confirmed
3) Purpose of the processing
Direct Care is care delivered to the individual alone, most of which is provided in the surgery. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialists, therapists, technicians etc. The information is shared to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and/or care.
4) Lawful basis for processing
The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...’
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*.
5) Recipient or categories of recipients of the processed data
The data will be shared with health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.
6) Rights to object
You have the right to object to some or all of the information being processed under Article 21. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection, which is not the same as having an absolute right to have your wishes granted in every circumstance.
7) Right to access and correct
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.
8) Retention period
The data will be retained in line with the law and national guidance. See https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016 or speak to the practice.
9) Right to complain
You have the right to complain to the Information Commissioner’s Office. You can use this link, https://ico.org.uk/global/contact-us/, or call their helpline on 0303 123 1113 (local rate) or 01625 545 745 (national rate).
There are National Offices for Scotland, Northern Ireland and Wales (see the ICO website).
* “Common Law Duty of Confidentiality”: common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Risk Stratification is a process that helps your family doctor (GP) to help you manage your health. By using selected information from your health records, a secure NHS computer system will look at any recent treatments you have had in hospital or in the surgery and any existing health conditions that you have. This will alert your doctor to the likelihood of a possible deterioration in your health. The clinical team at the surgery will use the information to help you get early care and treatment where it is needed. North West Surrey CCG supports GP Practices with this work. NHS security systems will protect your health information and patient confidentiality at all times.
Please note that you have the right to opt out of Risk Stratification.
Should you have any concerns about how your information is managed, or wish to opt out of any data collection at the Practice, please contact the practice or your healthcare professional to discuss how the disclosure of your personal information can be limited. Patients have the right to change their minds and reverse a previous decision. Please contact the practice if you change your mind regarding any previous choice.
Under contractual obligation the NHS may use limited information about individual patients when validating invoices received for your healthcare, to ensure that the invoice is accurate and genuine. This will be performed in a secure environment and will be carried out by a limited number of authorised CSU staff. These activities and all identifiable information will remain with the Controlled Environment for Finance (CEfF) approved by NHS England. Where possible we will strive to use the NHS number as a quasi-identifier to preserve your confidentiality.
We may process your information to ensure that you benefit from good quality medicines and so that you may make choices related to better health. This work is always done with your Clinician in the practice. We sometimes ask other partners to support the identification of groups of patients who would benefit from a clinical review. For example, in the project Stroke Prevention in Atrial Fibrillation we have support from Interface Clinical Services. We will make it very clear when a piece of work involving processing your information is being undertaken. However, when we believe you could be at a higher risk of ill health by not acting quickly, your Clinician will act in your best interest and may allow your data to be processed. This is to ensure you can receive the care you may need as soon as possible.
Our partner organisations
We may need to share your information, subject to agreement on how it will be used, with the following organisations:
- NHS Trusts
- Health & Social Care Information Centre (HSCIC)
- Specialist Trusts
- Independent Contractors such as dentists, opticians, pharmacists
- Private Sector Providers
- Voluntary Sector Providers
- Ambulance Trusts
- Clinical Commissioning Groups
- Commissioning Support Units
- Social Care Services
- Local Authorities
- Education Services
- Fire and Rescue Services
- Other ‘data processors’
Access to personal information held about you
Under the GDPR 2018, you have a right to access/view information we hold about you, and to have it amended or removed should it be inaccurate. If we do hold information about you we will:
- give you a description of it;
- tell you why we are holding it;
- tell you who it could be disclosed to; and
- let you have a copy of the information in an intelligible form.
If you would like to make a ‘subject access request’, please contact the Practice Manager in writing.
Any changes to this notice will be published on our website and in a prominent area at the Practice.
We are registered as a data controller under the Data Protection Act 1998. The registration can be viewed online in the public register at:
How we keep your personal information confidential
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 1998 (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security.
All our staff, contractors and committee members operate in accordance with the requirements of the NHS Constitution and NHS Care Record Guarantee.
All of our staff also receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable where appropriate through disciplinary procedures. Only a limited number of authorised staff have access to personal information where it is appropriate to their role and is strictly on a need-to-know basis.
We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it, and even then we will only pass on the minimum necessary personal data.
When someone visits our website we collect standard internet log information and details of behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. We collect this information in a way which does not identify anyone. We collect identifiable information from visitors to our website who register in order to receive particular services or to receive further information on specific topics. This information is held securely and only used for the purposes provided.
We do not make any other attempt to find out the identities of those visiting our website. We will not associate any data gathered from this site with any personally identifying information from any source. If we do want to collect personally identifiable information through our website, we will make it clear when we collect the personal information and will explain what we intend to do with it.
Links to other websites
This Fair Processing Notice does not cover the links within this site linking to other websites. We encourage you to read the Fair Processing Notices on the other websites you visit.
The practice complaints leaflet gives details of the procedure and is available from reception. For further information contact the Practice Manager.
Further information in relation to the use of personal data within the NHS can be found at:
NHS Constitution (26 March 2013) http://www.nhs.uk/choiceintheNHS/Rightsandpledges/NHSConstitution/Pages/Overview.aspx
NHS Care Record Guarantee (Version 5, January 2011) http://systems.hscic.gov.uk/rasmartcards/strategy/nhscrg
Care.data programme: http://www.england.nhs.uk/ourwork/tsd/care-data/gp-guidance/
The HSCIC Guide to Confidentiality has more information on the rules around information sharing: http://www.hscic.gov.uk/confguideorg
An independent review of information about patient data across the health and social care system was led by Dame Fiona Caldicott and conducted in 2013. The report, Information: To share or not to share? The Information Governance Review, can be found at:
The NHS Commissioning Board – NHS England – Better Data, Informed Commissioning, Driving Improved Outcomes: Clinical Data Sets provides further information about the data flowing within the NHS to support Commissioning and can be found at:
Please visit the Health and Social Care Information Centre’s website for further information about their work. Information about their responsibility for collecting data from across the health and social care system can be found at: http://www.hscic.gov.uk/collectingdata
The Information Commissioner’s Office is the Regulator for the Data Protection Act 1998 and offers independent advice and guidance on the law and personal data, including your rights and how to access your personal information. For further information please visit the Information Commissioner’s Office website: http://www.ico.gov.uk
Changes to this Fair Processing Notice
We keep our Fair Processing Notice under regular review. This Fair Processing Notice was last updated on 15/05/18.