Privacy

Privacy notice

As data controllers, GPs have fair processing responsibilities under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). This means ensuring that your personal confidential data (PCD) is handled in ways that are safe, transparent and what you would reasonably expect. Please find documents and links below.

Subject Access Requests

Our practice has decided to outsource our medical reporting work to an NHS Digital accredited company called MediData.

MediData will be processing your medical report via eMR and providing online access via their secure encrypted portal.

If you wish to contact MediData directly, please email mdmc@medi2data.com or call on 03333 055774.

Patient Information

Our practice has decided to outsource our medical reporting to MediData, who will process your
medical report using their system, eMR.

What is eMR/MediData?

MediData is a NHS Digital accredited company who have developed a digital system called eMR, which enables GP practices to create digital, GDPR compliant medical reports. eMR helps GP Surgeries with data security, speed and efficiency eMR also helps you to easily see your medical data, stay in control of it and decide who you want to share it with.

MediData has worked hard to develop their NHS GP IT Futures accredited technology, eMR, which interfaces with our GP practice’s system to extract your medical record. This means you can receive a full copy of that information securely and share it with others as you wish, keeping your data safe.

If you wish to speak to a member of the MediData team regarding your medical report, or any concerns you may have regarding your data, please contact the MediData directly on:

Phone – 0333 3055 774
Email – connect@medi2data.com

Social media policy

Highgate Medical Centre uses the following social media platforms to communicate with patients, the public and the media:

Please note that we are unable to offer medical advice or diagnoses on Facebook. If you, a friend or family members are feeling unwell, please call either the surgery or NHS111.

Highgate Medical Centre has a Facebook account

(www.facebook.com/highgatemedicalcentre) which is managed by the Practice Manager on behalf of the Practice.

We also have a twitter account @DoctorMayur

Availability

Our social media accounts are daily except at weekends and public holidays. Occasionally we may cover events outside of these hours live on our social media platforms.

From time to time social media services such as Facebook may be

• Alerts about new content on our digital channels, for example, news, publications, videos on YouTube, blog posts or health campaigns
• sharing content from organisations we follow, such as other NHS organisations, the emergency services and public sector organisations
• Information on public health topics and campaigns
• Occasional live coverage of events

Liking us on Facebook

If you ‘like’ our page we will not automatically ‘like’ you back.

Being followed or liked by Highgate Medical Centre does not imply endorsement of any kind.

If we need to direct message you or you direct message us, we will follow your profile and may unfollow it afterwards.

We will never direct message you on Facebook.

Content

We may use some scheduling tools to help us ensure content is spread across the week. We will update our Facebook page at least once a week.

By sharing other social media users’ content, our organisation does not endorse the information or others’ views of that organisation or individual.

We aim to share information which adds to any debate or topic we are involved in. Our social media content will cover some or all of the following:

Talking with us online

We read all comments to and about us on social media platforms and ensure that any emerging themes or helpful suggestions are passed to relevant people in the organisation.

Please do not leave any defamatory comments. Any defamatory comments will be reported to Facebook.

When/if we reply to comments it may include us asking you to contact us in order to give you a full response outside of the character limits on some social media services.

Any comments need to be sent directly to the practice

Other ways of contacting us are detailed in the contact us section of our website http://www.highgatemedicalcentre.co.uk

Care Quality Commission

Please note the National Data Opt Out does not apply to this sharing of information. For further information please see: https://www.nhs.uk/your-nhs-data-matters/

Date created: 22^ND January 2022

Last updated: N/A

For Employees

Please note the National Data Opt Out does not apply to this sharing of information. For further information please see: https://www.nhs.uk/your-nhs-data-matters/

Date created: 22^nd January 2022

Last updated: N/A

Emergencies

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

Please note the National Data Opt Out does not apply to this sharing of information. For further information please see: https://www.nhs.uk/your-nhs-data-matters/

Date created: 22^nd January 2022

Last updated: N/A

Direct Care, (routine care and referrals)

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

Please note the National Data Opt Out does not apply to this sharing of information. For further information please see: https://www.nhs.uk/your-nhs-data-matters/

Date created: 22^nd January 2022

Last updated: N/A

NHS Digital

Privacy Notice – Sharing Information with NHS Digital

Please note the National Data Opt Out does not apply to this sharing of information. For further information please see: https://www.nhs.uk/your-nhs-data-matters/

Date created: 22^nd January 2022

Last updated: N/A

Public Health Privacy Notice

Please note the National Data Opt Out does not apply to this sharing of information. For further information please see: https://www.nhs.uk/your-nhs-data-matters/

Date created: 22^nd January 2022

Last updated: N/A

Commisioning, Planning, risk stratification, patient identification

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

Please note the National Data Opt Out does not apply to this sharing of information. For further information please see: https://www.nhs.uk/your-nhs-data-matters/

Date created: 22^nd January 2022

Last updated: N/A

Safeguarding

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

Please note the National Data Opt Out does not apply to this sharing of information. For further information please see: https://www.nhs.uk/your-nhs-data-matters/

Date created: 22^nd January 2022

Last updated: N/A

Call Recording

Please note the National Data Opt Out does not apply to this sharing of information. For further information please see: https://www.nhs.uk/your-nhs-data-matters/

Date created: 22^nd January 2022

Last updated: N/A

For staff Vaccination Information   

Please note that the COVID-19 vaccination effort is fast-moving and this privacy notice is subject to change.

Children’s privacy notice

We help people with their health and social care.

We decide how your personal data is used to help you.

We are registered with the Information Commissioner’s Office (ICO).

This means we can use information about the people we work with under the UK Data Protection Act 2018.

Our registration number is
Z5007672

What is personal data?

Personal Information is information about you or other people

• Your name
• Your address
• Your telephone number
• Your date of birth
• Your ethnicity
• Contact details for your family and carers
• If you are married
• Your job
• Your religion
• Your email address
• Where you were born
• If you are using the NHS as an overseas visitor
• What name you want to be called
• Information about your health
• If you have a protection order that affects your health, wellbeing and human rights (safeguarding status)

Why do we collect personal information about you?

We need to keep information about your health, treatment and care.

This is so we can give you good treatment and care.

What do we use your personal information for?

• We won’t tell people your name unless we really have to.
• We give your information to other people who are treating you.
• To remind you about your appointments
• To review our service to make it better
• To share your information with the people who are paying for your care. These people are called commissioners.
• To send reports to organisations such as the Department of Health
• To train healthcare staff
• If there is a complaint
• If the law says we need to report something that has happened.

Who do we share information with and why?

• We use it to make sure all the people involved in your care know what treatment you are getting.
• We need to tell you how personal information will be used. We need to have a legal reason for using your information without asking you first.
• We might need to give your information to other organisations.
• We might share personal information with other NHS Organisations to help them give you healthcare.

This would be NHS England, Public Health England and other NHS Trusts, General Practitioners (GPs), Ambulance Services, Primary Care Agencies.  This may also include those other organisations that help the NHS to look after your health.

We might share personal information with organisations like Social Services or private care homes to help them give you support.

Sometimes special permission will be given to use information that uses your name without your consent. This may be for medical research or checking quality of care. This permission is given by the Secretary of State for Health on advice from the National Information Governance Board for Health and Social Care under strict conditions.

Sometimes, we might need to share your information because it is the law. We will tell you when we do this.

• To find out if fraud is happening.
• If there is a court order.
• If the Care Quality Commission need it for an inspection.
• If the Police need to investigate a crime.

Where do we get information about you?

• From you
• From your previous doctor (if you have one)
• From hospital

How do we keep information about you?

We keep your information on paper and in a file.

We also keep your information in an electronic patient record system, on the computer.

The NHS Records Management Code of Practice for Health and Social Care 2016 and National Archives Requirements tells us to do this

The law tells us how to keep your information. These laws include the Data Protection Act 2018, the GDPR 2016, and the Common Law Duty of Confidentiality.
We keep information about you for as long as we need to do make your health better
You can read more about this online using this link (NHS Record Management code of practice): https://www.nhsx.nhs.uk/information-governance/guidance/records-management-code/records-management-code-of-practice-2021/

We have to:

Keep your records up to date, complete, and accurate, about the care we give you.

Keep records about you confidential and secure.

We will make sure we keep your information safe, using computer passwords for electronic information, and locks for paper information.

Give you information in a way you can understand.

What are your rights?

• You can ask to see the information we have about you
• You can ask us to change any information that is wrong
• You can tell us not to share your personal information (unless we need to because of the law)
• You can ask us to give the records we have about you to another organisation.

For more information you can contact the Practice Manager or Data Protection officer: Umar Sabat, umar.sabat@ig-health.co.uk

If you are not happy with how we use your personal information you can contact the Information Commissioner’s Office.
https://ico.org.uk

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate numberFax: 01625 524 510
Email: casework@ico.org.uk

Easy read privacy policy

Easy Read Version

This Policy is about what happens to the information that the Practice collects about you whenever you come to see us. It also tells you how we make sure it is kept safe.

What do we collect?

We collect information about you such as:

• Your name
• Why you are coming to see us
• Your birthday and the year you were born
• Your address
• The name of the person who will generally bring you to your appointments
• The reason that you are coming to see us
• Detailed clinical information/experiences about you
• What we do to care for you

Why do we collect it?

The Practices main purpose is to deliver healthcare to the community. We collect the data we need to care for you in the best way. We ask for your address so that we know where we can contact you. We ask for your date of birth as your age may be important to your care.

Each time you come to see us we will record things electronically that you tell us, things that we tell you and any medicines or exercises we give you. That way, we can look back at what we have done for you to make sure we are treating you in the best way.

What do we do with it?

We keep the information we collect electronically and on paper. All of this information together is called your Health Record and will be held on our secure system.

Anyone involved in caring for you at the Practice can see what has been collected. This way we can all make the right decisions about your care with all the information you have given us.

Who we share it with

We will share the information we record about you where it is clinically appropriate and will benefit your care and treatment. That way key people involved in your care are kept up to date on what we are doing for you.

If you tell us something that makes us worried about your safety or the safety of someone else you know, we might have to share this with other people outside of the Practice – even if you don’t want us to. This is part of our job to keep you and others safe.

Keeping your records safe

Everyone working in the Practice understands that they need to keep your information safe. This is called keeping your information confidential or protecting your privacy. They have training every year to remind them of this. We tell them that they are only allowed to look at your information if they are involved in  your  care  or  required to support your care, for example by booking an appointment for you.  They understand that they must keep any information safe, especially the information that identifies you; this might be your name or address and anything you come to see us about. We are not allowed to give any of this type of information to anyone who shouldn’t see it. This includes talking to them about it.

We teach future Doctors and Nurses

Students sometimes spend time with us at the Practice. This is so that we can teach them how to look after patients and their families. They are also told how to keep the information we collect safe.

Checking we are doing our best

All Practices are checked by organisations to make sure they are treating and caring for patients and families in the best way they can. They also ensure that we are keeping records safe and secure.

Am I able to see the information you collect about me?

Yes! You can request this directly from the Practice. We will check you are who you say are so that we are not sharing your information with anyone who shouldn’t see it.

If I think some of my information is wrong can I do anything about it?

Yes! You can contact any member of the Practice who will speak to our Data Protection Officer. We may need to contact you further to discuss this.

If I’m unhappy with the way you’ve used some of my information can I do anything?

Let us know if your still unhappy you can contact the Information Commissioners Office at the below address

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Tel:     01625 545745

Email: https://ico.org.uk/

We hope this leaflet tells you what you need to know about the information we collect about you.

Caldicott Guardian and Data Protection Officer

The Caldicott Guardian and the Data Protection Officer for the Practice are responsible for ensuring that information about you is processed in a confidential, legal and appropriate manner.

If you have any concerns about the use of your information you can contact these individuals at the address below:

Data Protection Officer

Umar Sabat – Umar.sabat@ig-health.co.uk

Overarching privacy policy

Data Protection Privacy Notice for Patients

Introduction

For the purpose of applicable data protection legislation including the General Data Protection Regulation (EU 2016/679) and the Data Protection Act 2018, the GP practice responsible for your personal data is Highgate Medical Centre

We, Highgate Medical Centre, will be known as the ‘Controller’ of the personal data you provide to us.

Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.

This Privacy Notice applies to personal information processed by or on behalf of the Practice. It applies to the personal data of our patients and to the data you have given us about your carers/family members. It covers the following topics:

• Why do we need your data?
• What data do we collect about you?
• What is the legal basis for using your data?
• How do we store your data?
• How do we maintain the confidentiality of your data?
• How long do we keep your data?
• What are your data protection rights?
• Who do we share your data with?
• Are there other projects where your data may be shared?
• When is your consent not required?
• How can you access or change your data?
• What should you do if your personal information changes?
• Changes to our privacy policy
• Our Data Protection Officer
• How to contact the appropriate authorities

Why do we need your data?

As your General Practice, we need to know your personal, sensitive and confidential data in order to provide you with appropriate healthcare services. Your records are used to facilitate the care you receive, and to ensure you receive the best possible healthcare.

Information may be used within the GP practice for clinical audit, to monitor the quality of the service provided.

What data do we collect about you?

Personal data: We collect basic personal data about you which does not include any special types of information or location-based information.  This includes your name, postal address and contact details such as email address and telephone number.

By providing the Practice with your contact details, you are agreeing to the Practice using those channels to communicate with you about your healthcare, i.e. by letter (postal address), by voice-mail or voice-message (telephone or mobile number), by text message (mobile number) or by email (email address). If you are unhappy or have a concern about our using any of the above channels, please let us know.

Special Category personal data: We also collect confidential data linked to your healthcare which is known as “special category personal data”, in the form of health information, religious belief (if required in a healthcare context) ethnicity and gender. This is obtained during the services we provide to you and through other health providers or third parties who have provided you with treatment or care, e.g. NHS Trusts, other GP surgeries, Walk-in clinics etc.

Records which the Practice holds about you may include the following information:

• Details about you, such as your address, carer, legal representative, emergency contact details
• Any contact the Practice has had with you, such as appointments, clinic visits, emergency appointments etc.
• Notes and reports about your health
• Details about your treatment and care
• Results of investigations such as laboratory tests, x-rays etc
• Relevant information from other health professionals, relatives or those who care for you

NHS records may be electronic, on paper, or a mixture of both.

Use of CCTV: Closed circuit television is utilised to protect the safety of our patients, staff and members of the public. To maintain privacy and dignity, CCTV is not in place where examinations or procedures are being undertaken. The Practice remains the data controller of this data and any disclosures or requests should be made to the Practice Manager.

What is the legal basis for using your data?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

• Data Protection Act 2018
• The General Data Protection Regulations 2016
• Human Rights Act 1998
• Common Law Duty of Confidentiality
• Health and Social Care Act 2012
• NHS Codes of Confidentiality, Information Security and Records Management

Under the General Data Protection Regulation we will lawfully be using your information in accordance with:

Article 6 (e) – “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”

Article 9 (h) – “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems”

For the processing of special categories data, the basis is:

Article 9 (2) (b) – “processing is necessary for the purposes of carrying out the obligations            and exercising specific rights of the controller or of the data subject in the field of employment   and social security and social protection law”

These articles apply to the processing of information and the sharing of it with others for specific purposes.

How do we store your data?

We have a Data Protection regime in place to oversee the effective and secure processing of your personal and special category (sensitive, confidential) data. No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place.

All the personal data we use is processed by our staff in the UK. However, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

In certain circumstances you may have the right to withdraw your consent to the processing of data. These circumstances will be explained in subsequent sections of this document.

In some circumstances we may need to store your data after your consent has been withdrawn, in order to comply with a legislative requirement.

How do we maintain the confidentiality of your data?

Our Practice policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the General Data Protection Regulations (GDPR) and all UK specific Data Protection requirements. Our policy is to ensure all personal data related to our patients will be protected.

We use a combination of working practices and technology to ensure that your information is kept confidential and secure.

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.

All employees and sub-contractors engaged by our Practice are asked to sign a confidentiality agreement. The Practice will, if required, sign a separate confidentiality agreement if the client deems it necessary.  If a sub-contractor acts as a data processor for Highgate Medical Centre an appropriate contract will be established for the processing of your information.

Some of this information will be held centrally and used for statistical purposes. Where this happens, we take strict measures to ensure that individual patients cannot be identified.

Sometimes your information may be requested to be used for research purposes. The Practice will always gain your consent before releasing the information for this purpose in an identifiable format.   In some circumstances you can Opt-out of the Practice sharing any of your information for research purposes.

How long do we keep your data?

We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records Management Code of Practice for Health and Social Care and in accordance with National Archives requirements.

More information on records retention can be found online at: https://www.nhsx.nhs.uk/information-governance/guidance/records-management-code/

What are your data protection rights?

If we already hold your personal data, you have certain rights in relation to it.

Right to object: If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply.

Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities (for example a research project), or consent to market to you, you may withdraw your consent at any time.

Right to erasure: In certain situations (for example, where we have processed your data unlawfully), you have the right to request us to erase your personal data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases) and will only disagree with you if certain limited conditions apply.

Right of data portability: If you wish, you have the right to transfer your data from us to another data controller. We will help with this with a GP to GP data transfer and transfer of your hard copy notes.

National Data Opt-Out: The National Data Opt-Out is a service introduced on 25 May 2018 that allows people to opt out of their confidential patient information being used for research and planning purposes. The National Data Opt-Out replaces the previous Type 2 Opt-Out, which required NHS Digital not to share a patient’s confidential patient information for purposes beyond their individual care. Any patient who had a Type 2 Opt-Out has had it automatically converted to a National Data Opt-Out from 25 May 2018 and has received a letter giving them more information and a leaflet explaining the new service. If a patient wants to change their choice, they can use the new service to do this. You can find out more from the Practice or by visiting:

https://www.nhs.uk/your-nhs-data-matters/

If you wish to raise a query or request relating to any of the above, please contact us. We will seek to deal with it without undue delay, and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise.

Who do we share your data with?

We consider patient consent as being the key factor in dealing with your health information.

To provide around-the-clock safe care, we will make information available to trusted organisations for specific purposes unless you have asked us not to. We refer to these organisations to Data Processors.

To support your care and improve the sharing of relevant information to our partner organisations when they are involved in looking after you, we will share information to other systems. The general principle is that information is passed to these systems unless you request that this does not happen, but that system users should ask for your consent before viewing your record.

Our partner organisations are:

• NHS Trusts / Foundation Trusts
• GPs
• NHS Commissioning Support Units
• Independent Contractors such as dentists, opticians, pharmacists
• Private Sector Providers
• Voluntary Sector Providers
• Ambulance Trusts
• Clinical Commissioning Groups
• Social Care Services
• NHS England (NHSE) and NHS Digital (NHSD)
• Multi Agency Safeguarding Hub (MASH)
• Local Authorities
• Education Services
• Fire and Rescue Services
• Police and Judicial Services
• Voluntary Sector Providers
• Private Sector Providers
• Other ‘data processors’ which you will be informed of

You will be informed who your data will be shared with, and in cases where your consent is required you will be asked for it.

Below are some examples of when we would wish to share your information with trusted partners.

Primary Care Networks: We are a member of Soar Valley Primary Care Network. This means we work closely with a number of local practices and care organisations for the purpose of direct patient care. They will only be allowed to access your information if it is to support your healthcare needs. If you have any concerns about how your information may be accessed within our primary care network, we would encourage you to speak or write to us.

Extended Access: We provide extended access services to our patients which means you can access medical services outside of our normal working hours. In order to provide you with this service, we have formal arrangements in place with the Clinical Commissioning Group and with other practices whereby certain key “hub” practices offer this service on our behalf for you as a patient to access outside our opening hours. Those key “hub” practices will need to have access to your medical record to be able to offer you the service. We have robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those purposes only.

Medicines Management: The Practice may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up-to-date and cost-effective treatments. Our local NHS Clinical Commissioning Group employs specialist pharmacists and they may at times need to access your records to support and assist us with prescribing. This reason for this is to help us manage your care and treatment.

Individual Funding Requests: An Individual Funding Request is a request made on your behalf, with your consent, by a clinician, for the funding of specialised healthcare which falls outside the range of services and treatments that CCG has agreed to commission for the local population. An Individual Funding Request is considered when a case can be set out by a patient’s clinician that there are exceptional clinical circumstances which make the patient’s case different from other patients with the same condition who are at the same stage of their disease, or when the request is for a treatment that is regarded as new or experimental and where there are no other similar patients who would benefit from this treatment. A detailed response, including the criteria considered in arriving at the decision, will be provided to the patient’s clinician.

Are there other projects where your data may be shared?

GP Data Sharing Project with NHS East Midlands Ambulance Service: The Practice is working with the local ambulance service trust, NHS East Midlands Ambulance Service, to share your healthcare information for the purposes of your care and treatment. They can only access your information if it is for care purposes. If you have any concerns, please speak to the Practice.

Local Research: We regularly work with local health and academic organisations to conduct research studies with the aim of improving care for the general population. We will always ask for your permission to take part, except in situations where we can demonstrate that your information has been anonymised (where you cannot be identified) and your privacy is protected. In these situations we are not required to seek consent from individuals.

Risk Stratification: Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a condition, preventing an unplanned admission or re-admission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP practice. A risk score arrived at through an analysis of your de-identified information is provided back to your GP practice as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services. Please note that you have the right to opt out of your data being used in this way.

Other research projects: With your consent we would also like to use your name, contact details and email address to inform you of services that may benefit you. There may be occasions when authorised research facilities would like to invite you to participate in research, innovations, identifying trends or improving services. At any stage where we would like to use your data for anything other than the specified purposes and where there is no lawful requirement for us to share or process your data, we will ensure that you have the ability to consent or to opt out prior to any data processing taking place. This information is not shared with third parties or used for any marketing and you can unsubscribe at any time via phone, email or by informing the Practice.

When is your consent not required?

We will only ever use or pass on information about you to others involved in your care if they have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances.

There are certain circumstances where we are required by law to disclose information, for example:

• where there is a serious risk of harm or abuse to you or other people
• where a serious crime, such as assault, is being investigated or where it could be prevented
• notification of new births
• where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS)
• where a formal court order has been issued
• where there is a legal requirement, for example if you had committed a Road Traffic Offence

We are also required to act in accordance with Principle 7 of the Caldicott Review (Revised version 2013) which states: “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott Principles.

How can you access or change your data?

You have a right under the Data Protection legislation to request access to view or to obtain copies of the information the Practice holds about you and to have it amended should it be inaccurate.

Your request should be made to the Practice and we have a form (SAR – Subject Access Request) which you will need to complete. We are required to respond to you within one calendar month.

For information from the hospital you should write direct to them. You will need to give adequate information (full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located.

There is no charge to receive a copy of the information held about you.

What should you do if your personal information changes?

Please contact the Practice Manager as soon as any of your details change. This is especially important for changes of address or contact details (such as your mobile phone number).

The Practice will from time to time ask you to confirm that the information we currently hold is accurate and up-to-date.

Changes to our privacy policy

It is important to point out that we may amend this Privacy Notice from time to time.

Our Data Protection Officer

The Practice has appointed Umar Sabat as its Data Protection Officer.

He can be contacted on the following e-mail address:

umar.sabat@ig-health.co.uk

If you have any concerns about how your data is shared, or if you would like to know more about your rights in respect of the personal data we hold about you, then please contact the Practice Data Protection Officer.

How to contact the appropriate authorities

If you have any concerns about how your information is managed at your GP Practice, please contact the GP Practice Manager or the Data Protection Officer in the first instance.

If you are still unhappy following a review by the GP Practice, you have a right to lodge a complaint with the UK supervisory authority, the Information Commissioner’s Office (ICO), at the following address:

Information Commissioner

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Tel:     01625 545745

Email: https://ico.org.uk/

Care Quality Commission

Please note the National Data Opt Out does not apply to this sharing of information. For further information please see: https://www.nhs.uk/your-nhs-data-matters/

Date created: 22^ND January 2022

Last updated: N/A

How Highgate Medical Centre uses your information to provide you with healthcare

This practice keeps medical records confidential and complies with the General Data Protection Regulation.

We hold your medical record so that we can provide you with safe care and treatment.

We will also use your information so that this practice can check and review the quality of the care we provide. This helps us to improve our services to you.

We will share relevant information from your medical record with other health or social care staff or organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital. Or your GP will send details about your prescription to your chosen pharmacy.

For more information on how we share your information with organisations who are directly involved in your care can be found here: www.highgatemedicalcentre.co.uk

Healthcare staff working in A&E and out of hours care will also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions. This will involve the use of your Summary Care Record .

For more information see:

https://digital.nhs.uk/summary-care-records or alternatively speak to your practice.

You have the right to object to information being shared for your own care. Please speak to the practice if you wish to object. You also have the right to have any mistakes or errors corrected.

Other important information about how your information is used to provide you with healthcare

Registering for NHS care

• All patients who receive NHS care are registered on a national database.
• This database holds your name, address, date of birth and NHS Number but it does
  not hold information about the care you receive.
• The database is held by NHS Digital a national organisation which has legal
  responsibilities to collect NHS data.
• More information can be found at: https://digital.nhs.uk or the phone number for
  general enquires at is 0300 303 5678

Identifying patients who might be at risk of certain diseases

• Your medical records will be searched by a computer programme so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital.
• This means we can offer patients additional care or support as early as possible.
• This process will involve linking information from your GP record with information from other health or social care services you have used.
• Information which identifies you will only be seen by this practice.
• More information can be found at: www.highgatemedicalcentre.co.uk or speak to
  the practice.

Safeguarding

• Sometimes we need to share information so that other people, including healthcare
  staff, children or others with safeguarding needs, are protected from risk of harm.
• These circumstances are rare.
• We do not need your consent or agreement to do this.
• Please see our local policies for more information:
  https://lrsb.org.uk
• We are required by law to provide you with the following information about how we handle your
  information.

Data Controller contact details
Highgate Medical Centre, 5 Storer Close, Sileby, Loughborough LE12 7UD

Data Protection Officer contact details

To be confirmed

Purpose of the processing

• To give direct health or social care to individual patients.
• For example, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care.
• To check and review the quality of care. (This is called audit and clinical governance).

Lawful basis for processing

These purposes are supported under the following sections of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”

Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.

Recipient or categories of recipients of the processed data

The data will be shared with:

• healthcare professionals and staff in this surgery;
• local hospitals;
• out of hours services;
• diagnostic and treatment centres;
• or other organisations involved in the provision of direct care
  to individual patients.
• West Leicestershire Clinical Commissioning Group

Rights to object

• You have the right to object to information being shared between those who are providing you with direct care.
• This may affect the care you receive – please speak to the practice.
• You are not able to object to your name, address and other demographic information being sent to NHS Digital.
• This is necessary if you wish to be registered to receive NHS care.
• You are not able to object when information is legitimately shared for safeguarding reasons.
• In appropriate circumstances it is a legal and professional requirement to share information for safeguarding reasons. This is to protect people from harm.
• The information will be shared with the local safeguarding service : https://lrsb.org.uk

Right to access and correct

You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff or look at our ‘subject access request’ policy on the practice website – www.highgatemedicalcentre.co.uk

We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.

Retention period GP medical records will be kept in line with the law and national guidance.

Information on how long records are kept can be found at:
https://digital.nhs.uk/article/1202/Records-Management-Code-ofPractice-for-Health-and-Social-Care-2016 or speak to the practice.

Right to complain

You have the right to complain to the Information Commissioner’s
Office.

If you wish to complain follow this link https://ico.org.uk/global/contact-us/ or call the helpline 0303 123 1113

Data we get from other organisations

We receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation the hospital will send us a letter to let us know what happens. This means your GP medical record is kept up-to date when you receive care from other parts of the health service.

How your information is used for medical research and to measure the quality of care

Medical research

Highgate Medical Centre shares information from medical records:

• to support medical research when the law allows us to do so, for example to learn
  more about why people get ill and what treatments might work best;
• we will also use your medical records to carry out research within the practice.

This is important because:

• the use of information from GP medical records is very useful in developing new treatments and medicines;
• medical researchers use information from medical records to help answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive.

We share information with the following medical research organisations with your explicit consent or when the law allows: Primary Care Research Network, NHS England and NHS Digital.

You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the practice if you wish to object

Checking the quality of care – national clinical audits

Highgate Medical Centre contributes to national clinical audits so that healthcare can be checked and reviewed.

• Information from medical records can help doctors and other healthcare workers
  measure and check the quality of care which is provided to you.
• The results of the checks or audits can show where hospitals are doing well and where
  they need to improve.
• The results of the checks or audits are used to recommend improvements to patient
  care.
• Data are sent to NHS Digital a national body with legal responsibilities to collect data.
• The data will include information about you, such as your NHS Number and date of
  birth and information about your health which is recorded in coded form – for
  example the code for diabetes or high blood pressure.
• We will only share your information for national clinical audits or checking purposes
  when the law allows.
• For more information about national clinical audits see the Healthcare Quality
  Improvements Partnership website: https://www.hqip.org.uk/ or phone 020 7997
  7370.
• You have the right to object to your identifiable information being shared for national
  clinical audits. Please contact the practice if you wish to object.

We are required by law to provide you with the following information about how we share your
information for medical research purposes.

Data Controller contact details
Highgate Medical Centre, 5 Storer Close, Sileby, Loughborough LE12
7UD

Data Protection Officer contact details
To be confirmed

Purpose of the processing

Medical research and to check the quality of care which is given to patients (this is called national clinical audit).

Lawful basis for processing

The following sections of the GDPR mean that we can use medical records for research and to check the quality of care (national clinical audits)

Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.

For medical research: there are two possible Article 9 conditions.

Article 9(2)(a) – ‘the data subject has given explicit consent…’

OR

Article 9(2)(j) – ‘processing is necessary for… scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’.

To check the quality of care (clinical audit):

Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services…’

Recipient or categories of recipients of the processed data

For medical research the data will be shared with Primary Care research Network, NHS England and NHS Digital

For national clinical audits which check the quality of care the data will be shared with NHS Digital.

Rights to object and the national data opt-out

You have a right to object under the GDPR and the right to ‘opt-out’ under the national data opt-out model. The national data opt-out model provides an easy way for you to opt-out of: information that identifies you being used or shared for medical research purposes and quality checking or audit purposes.

Please contact the practice if you wish to opt-out.

Right to access and correct

• You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff or look at our ‘subject access request’ policy on the practice website – www.highgatemedicalcentre.co.uk
• We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.

Retention period GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found at: https://digital.nhs.uk/article/1202/Records Management-Code-ofPractice-for-Health-and-Social-Care-2016 or speak to the practice.

Right to complain

You have the right to complain to the Information Commissioner’s Office. If you wish to complain follow this link https://ico.org.uk/global/contact-us/ or call the helpline 0303 1231113

National screening programmes

• The NHS provides national screening programmes so that certain diseases can be detected at an early stage.
• These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service.
• The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.
• More information can be found at: https://www.gov.uk/topic/populationscreening-programmes or speak to the practice.

We are required by law to provide you with the following information about how we handle your
information in relation to our legal obligations to share data.

Data Controller contact details

Highgate Medical Centre
5 Storer Close, Sileby, Loughborough LE12 7UD

Data Protection Officer contact details
To be confirmed

Purpose of the processing

• The NHS provides several national health screening programmes to detect diseases or conditions early such as cervical and breast cancer, aortic aneurysm and diabetes.
• The information is shared so that the correct people are invited for screening. This means those who are most at risk can be offered treatment.

Lawful basis for processing

The following sections of the GDPR allow us to contact patients for screening.

Article 6(1)(e) – ‘processing is necessary…in the exercise of official authority vested in the controller…’’

Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services…’

Recipient or categories of recipients of the processed data

The data will be shared with bowel cancer, breast cancer, cervical cancer, aortic aneurysms and diabetic eye screening services

Rights to object

For national screening programmes: you can opt so that you no longer receive an invitation to a screening programme.

See: https://www.gov.uk/government/publications/opting-out-of-thenhs-population-screening programmes

Or speak to your practice.

Right to access and correct

• You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff or look at our ‘subject access request’ policy on the practice website – www.highgatemedicalcentre.co.uk
• We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.

Retention period GP medical records will be kept in line with the law and national guidance.

Information on how long records can be kept can be found at:
https://digital.nhs.uk/article/1202/Records-Management-Code-ofPractice-for-Health-and-Social-Care-2016 or speak to the practice.

Right to complain

You have the right to complain to the Information Commissioner’s Office. If you wish to complain follow this link https://ico.org.uk/global/contact-us/ or call the helpline 0303 123 1113

Data we get from other organisations

We receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation the hospital will send us a letter to let us know what happens. This means your GP medical record is kept up-to date when you receive care from other parts of the health service.

How your information is shared so that this practice can meet legal requirements

The law requires Highgate Medical Centre to share information from your medical records in certain circumstances. Information is shared so that the NHS or Public Health England can, for example:

• plan and manage services;
• check that the care being provided is safe;
• prevent infectious diseases from spreading.

We will share information with NHS Digital, the Care Quality Commission and local health protection team (or Public Health England) when the law requires us to do so. Please see below for more information.

We must also share your information if a court of law orders us to do so. NHS Digital

• NHS Digital is a national body which has legal responsibilities to collect information about health and social care services.
• It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients.
• This practice must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012.
• More information about NHS Digital and how it uses information can be found at: https://digital.nhs.uk/home

Public Health

The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population.

• We will report the relevant information to local health protection team or Public Health England.
• For more information about Public Health England and disease reporting see: https://www.gov.uk/guidance/notifiable-diseases-and-causative-organisms-howto-report

Care Quality Commission (CQC)

• The CQC regulates health and social care services to ensure that safe care is provided.
• The law says that we must report certain serious events to the CQC, for example, when patient safety has been put at risk.
• For more information about the CQC see: http://www.cqc.org.uk/

We are required by law to provide you with the following information about how we handle your information and our legal obligations to share data.

Data Controller contact details
To be confirmed

Data Protection Officer
contact details

Highgate Medical Centre 5 Storer Close, Sileby, Loughborough LE12
7UD

Purpose of the processing

Compliance with legal obligations or court order.

Lawful basis for processing

The following sections of the GDPR mean that we can share information when the law tells us to.

Article 6(1)(c) – ‘processing is necessary for compliance with a legal obligation to which the controller is subject…’

Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services…’

Recipient or categories of recipients of the processed data

• The data will be shared with NHS Digital.
• The data will be shared with the Care Quality Commission. [Or equivalent body]
• The data will be shared with our local health protection team or Public Health England.
• The data will be shared with the court if ordered.

Rights to object and the national data opt-out

There are very limited rights to object when the law requires information to be shared but government policy allows some rights of objection as set out below.

NHS Digital

You have the right to object to information being shared with

NHS Digital for reasons other than your own direct care.

• This is called a ‘Type 1’ objection – you can ask your practice to apply this code to your record.
• Please note: The ‘Type 1’ objection, however, will no longer be available after 2020.
• This means you will not be able to object to your data being shared with NHS Digital when it is legally required under the Health and Social Care Act 2012.

Public health

Legally information must be shared under public health legislation. This means that you are unable to object.

Care Quality Commission

Legally information must be shared when the Care Quality Commission needs it for their regulatory functions. This means that you are unable to object.

Court order

Your information must be shared if it ordered by a court. This means that you are unable to object.

Right to access and correct

You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff or look at our ‘subject access request’ policy on the practice website – www.highgatemedicalcentre.co.uk

We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.

Retention period GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found at: https://digital.nhs.uk/article/1202/Records-Management-Code-ofPractice-for-Health-and-Social-Care-2016 or speak to the practice.

Right to complain

You have the right to complain to the Information Commissioner’s Office. If you wish to complain follow this link https://ico.org.uk/global/contact-us/ or call the helpline 0303 123 1113