GDPR and Privacy

How we use your personal information 

This Fair Processing & Privacy Notice explains why the practice collects information about you and how that information may be used.

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. Hospital, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare. 

NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which this GP Practice holds about you may include the following information:

  • Details about you, such as your address, legal representative, emergency contact details
  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations such as laboratory tests, x-rays etc.
  • Relevant information from other health professionals, relatives or those who care for you

Your records will be retained in accordance with the NHS Code of Practice for Records Management.

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.

Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose. 

GDPR

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 became law on 25th May 2018. The GDPR is a single EU-wide regulation on the protection of confidential and sensitive information; the DPA 2018 deals with elements of UK law that differ from the European Regulation. These came into force in the UK on the 25th May 2018, repealing the previous Data Protection Act (1998).

For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR") and the Data Protection Act 2018), the practice responsible for your personal data is Millgate Healthcare Partnership.

This Notice describes how we collect, use and process your personal data, and how, in doing so, we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.

How do we maintain the confidentiality of your records? 

Millgate Healthcare Partnership will be what is known as the ‘Controller’ of the personal data you provide to us. 

We collect basic personal data about you which includes special types of information and location-based information. This includes name, address, medical conditions, contact details such as email and mobile number, etc.

We will collect sensitive confidential data known as “special category personal data”, in the form of health information, religious belief (if required in a healthcare setting), ethnicity, and sex during the services we provide to you and/or linked to your healthcare through other health providers or third parties.

We are committed to protecting your privacy and will only use information collected lawfully in accordance with: 

  • Data Protection Act 1998
  • The General Data Protection Regulations 2016
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality and Information Security
  • Information: To Share or Not to Share Review 

Every member of staff who works for the Practice or another NHS organisation has a legal obligation to keep information about you confidential. 

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on (for example, Child/Adult Protection and serious criminal activity), and/or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information: To Share or Not to Share), where “the duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.

Our practice policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the General Data Protection Regulations (GDPR) and all UK specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be protected.

All employees and sub-contractors engaged by our practice are asked to sign a confidentiality agreement. The practice will, if required, sign a separate confidentiality agreement if the client deems it necessary. 

In certain circumstances, you may have the right to withdraw your consent to the processing of data. Please contact the Data Protection Officer in writing if you wish to withdraw your consent. In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose in an identifiable format. In some circumstances, you can opt out of the surgery sharing any of your information for research purposes.

Why do we need your information?

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.   

NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which the Practice holds about you may include the following information:

  • Details about you, such as your address, carer, legal representative, emergency contact details
  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations such as laboratory tests, x-rays etc.
  • Relevant information from other health professionals, relatives or those who care for you
  • Contact details (including email address, mobile telephone number and home telephone number) 

To ensure you receive the best possible care, your records are used to facilitate the care you receive, including contacting you. Information held about you may be used to help protect the health of the public and to help us manage the NHS and the services we provide. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided.

How do we lawfully use your data?

We need to know your personal, sensitive and confidential data in order to provide you with healthcare services as a General Practice. Under the General Data Protection Regulation we will be lawfully using your information in accordance with:

Article 6(1)(e): “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;”

Article 9(2)(h): “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems”.

This Fair Processing Notice applies to the personal data of our patients and the data you have given us about your carers/family members.

Risk Stratification

Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a condition, preventing an unplanned (re)admission and identifying a need for preventive intervention. Information about you is collected from several sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information and is only provided back to your GP, as data controller, in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services. Please note that you have the right to opt out of your data being used in this way.

Medicines Management

The Practice may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments. 

Patient Communication

The Practice will use your name, contact details and email address to inform you of NHS services or provide you with information about your health to manage your healthcare, or information about the management of the NHS service. There may be occasions where authorised research facilities would like you to take part in research in regard to your particular health issues, to try to improve your health; in that case your contact details may be used to invite you to receive further information about such research opportunities.

Safeguarding

The Practice is dedicated to ensuring that the principles and duties of safeguarding adults and children are holistically, consistently and conscientiously applied, with the wellbeing of all at the heart of what we do.

Our legal basis for processing, for the purposes of the General Data Protection Regulation (GDPR), is:

Article 6(1)(e) ‘…exercise of official authority…’.  

For the processing of special categories data, the basis is: 

Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’

Research

Clinical Practice Research Datalink (CPRD) collects de-identified patient data from a network of GP practices across the UK. Primary care data are linked to a range of other health-related data to provide a longitudinal, representative UK population health dataset. You can opt out of your information being used for research purposes at any time (see below); full details can be found here.

The legal basis for processing this information

CPRD do not hold or process personal data on patients; however, NHS Digital (formerly the Health and Social Care Centre) may process ‘personal data’ for us as an accredited ‘safe haven’ or ‘trusted third party’ within the NHS when linking GP data with data from other sources. The legal bases for processing this data are:

  • Medicines and medical device monitoring: Article 6(e) and Article 9(2)(i) - public interest in the area of public health
  • Medical research and statistics: Article 6(e) and Article 9(2)(j) - public interest and scientific research purposes 

Any data CPRD hold or pass on to bona fide researchers, except for clinical research studies, will have been anonymised in accordance with the Information Commissioner’s Office Anonymisation Code of Practice. We will hold data indefinitely for the benefit of future research, but studies will normally only hold the data we release to them for twelve months.

Categories of personal data

The data collected by Practice staff in the event of a safeguarding situation will be as much personal information as is necessary or possible to obtain in order to handle the situation. In addition to some basic demographics and contact details, we will also process details of what the safeguarding concern is. This is likely to be special category information (such as health information).

Sources of the data

The Practice will either receive or collect information when someone contacts the organisation with safeguarding concerns, or we believe there may be safeguarding concerns and make enquiries to relevant providers.

Recipients of the data

The information is used by the Practice when handling a safeguarding incident or concern. We may share information accordingly, to ensure duty of care and investigation as required, with other partners such as local authorities, the police or healthcare professionals (e.g. their GP or mental health team).

Third-Party Processors

In order to deliver the best possible service, the practice will share data (where required) with other NHS bodies such as other GP practices and hospitals. In addition, the practice will use carefully selected third-party service providers. When we use a third-party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include: 

  • Companies that provide IT services & support, including our core clinical systems; systems which manage patient-facing services (such as our website and services accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc.
  • Delivery services (for example if we were to arrange for delivery of any medicines to you)
  • Payment providers (if, for example, you were paying for a prescription or a service such as travel vaccinations)

All the personal data we process is processed by our staff in the UK; however, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place (such as a Data Processor, as above). We have a Data Protection regime in place to oversee the effective and secure processing of your personal and/or special category (sensitive, confidential) data.

The Practice uses a clinical system provided by a Data Processor called EMIS. With effect from 10th June 2019, EMIS will start storing your practice’s EMIS Web data in a highly secure, third-party cloud-hosted environment, namely Amazon Web Services (“AWS”).

Delivery of the services is subject to the terms of the GP Systems of Choice Framework (GPSoC), which is managed by NHS Digital on behalf of the Secretary of State for Health. A new GP IT Futures framework, the first framework from the new Digital Care Services model, will replace the contractual framework GP Systems of Choice (GPSoC) to supply IT systems and services to GP practices and associated organisations in England. Find out more here.

The GPSoC services are provided pursuant to a framework agreement as between NHS Digital and EMIS Health (with services then being purchased at a CCG level on our behalf as a service recipient).

Under the terms of the GPSoC framework, NHS Digital essentially acts for and on our behalf in terms of approving the appointment of processors to the framework and, once they are appointed, the use of any sub-contractors (and so sub-processors). We understand that EMIS Health has engaged with NHS Digital in order to secure a variation to the framework agreement to provide for the appointment of AWS as an approved material sub-contractor. 

EMIS Health has notified the relevant GP practices, including ourselves, so that we have an opportunity to raise any concerns with regard to the proposed change, but as this change is a universal technical/operational change it is more appropriate for such matters to take place at a framework level (which is why the GPSoC Framework Agreement is structured as it is).

In any event, the guidance issued by the ICO would suggest that this is a move which the processor is entitled to drive on its own behalf provided that it remains within the scope of the relevant contract (i.e. in its Controller/Processor detailed guidance the ICO states “In certain circumstances, and where allowed for in the contract, a processor may have the freedom to use its technical knowledge to decide how to carry out certain activities on the controller’s behalf.”). 

The data will remain in the UK at all times and will be fully encrypted both in transit and at rest. In doing this, there will be no change to the control of access to your data and the hosted service provider will not have any access to the decryption keys. AWS is one of the world’s largest cloud companies, already supporting numerous public sector clients (including the NHS), and it offers the very highest levels of security and support.

Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations or receive information from the following organisations:

  • NHS Trusts / Foundation Trusts
  • GPs
  • NHS Commissioning Support Units
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • NHS Digital
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • Other ‘data processors’ which you will be informed of

You will be informed who your data will be shared with and, in some cases, asked for explicit consent for this to happen when this is required. We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure. This practice operates a Clinical Computer System on which NHS staff record information securely. This information can then be shared with other clinicians so that everyone caring for you is fully informed about your medical history, including allergies and medication, to provide safe care around the clock. Unless you have asked us not to, we will make information available to trusted organisations. Wherever possible, their staff will ask your consent before your information is viewed.

We consider patient consent as being the key factor in dealing with your health information. 

How long will we store your information for?

We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records management code of practice for health and social care and national archives requirements.

More information on records retention can be found online here.

Access to personal information 

You have a right under the Data Protection Act to request access to view or to obtain copies of what information the surgery holds about you, and to have it amended should it be inaccurate. In order to request this, you need to do the following:

  • Your request must be made in writing to the GP; for information from the hospital you should write directly to them
  • We are required to respond to you within 30 days
  • You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located 

Objections/Complaints 

NHS Digital

You have the right to object to information being shared with NHS Digital for reasons other than your own direct care. This is called a ‘Type 1’ objection – you can ask your practice to apply this code to your record. Please note: The ‘Type 1’ objection, however, will no longer be available after 2020.

This means you will not be able to object to your data being shared with NHS Digital when it is legally required under the Health and Social Care Act 2012. 

The national data opt-out model provides you with an easy way of opting-out of identifiable data being used for health service planning and research purposes, including when it is shared by NHS Digital for these reasons.

To opt out or to find out more about your opt-out choices, please go to NHS Digital’s website.

All Other Information

Should you have any concerns about how your information is managed at the GP, please contact the Practice Manager. If you are still unhappy following a review by the GP practice, you can then complain to the Information Commissioner’s Office (ICO) via their website (www.ico.org.uk).

Change of Details  

It is important that you tell the person treating you if any of your details, such as your name or address, have changed, or if any of your details, such as your date of birth, are incorrect, in order for these to be amended. You have a responsibility to inform us of any changes so that our records are accurate and up to date for you.

Notification 

The Data Protection Act 1998 requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information. This information is publicly available on the Information Commissioner’s Office website (www.ico.org.uk). The practice is registered with the Information Commissioner’s Office (ICO).

Who is the Data Controller and Data Protection Officer? 

Our Data Controller and Caldicott Guardian, responsible for keeping your information secure and confidential, is:

  • Dr Asad Ali

Our Data Protection Officer is: