Privacy Policy

Privacy Notice

This privacy notice explains why the GP Practice collects information about you, and how that information may be used.

As data controllers, GPs have responsibilities which are regulated by law under the General Data Protection Regulations. This means ensuring that your personal confidential data (PCD) is handled in ways that are safe, transparent and what you would reasonably expect.

We may use advanced speech to text systems called Heidi and Accurx Scribe to help our clinicians with documentation and make the most of the appointment time. This has been approved by the data protection officer. Please feel free to contact us if you have any queries about it.

Your Personal data – what is it?

Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come in to such possession. The processing of personal data is governed by the General Data Protection Regulation (the ‘GDPR’).

Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used. The following are examples of the types of organisations that we are likely to share information with:

  • NHS and specialist hospitals, Trusts
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private and Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups and NHS England
  • Social Care Services and Local Authorities
  • Education Services
  • Police, Fire and Rescue Services
  • Other ‘data processors’ during specific project work e.g. Diabetes UK

When do we ask for your consent to share your data?

There are times that we may want to use your information to contact you or offer you services, not directly about your healthcare. In these instances, we will always gain your consent to contact you.

There may be occasions where authorised research facilities would like you to take part on innovations, research, improving services or identifying trends, you will be asked to opt into such programmes if you are happy to do so.

At any stage where we would like to use your data for anything other than the specified purposes and where there is no lawful requirement for us to share or process your data, we will ensure that you can consent and opt out prior to any data processing taking place.

This information is not shared with third parties or used for any marketing and you can unsubscribe at any time via phone, email or by informing the practice.

In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact the practice in writing if you wish to withdraw your consent. In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.

Third Party Processors

In order to deliver the best possible service, the practice will share data (where required) with other NHS bodies such as other GP practices and hospitals. In addition, the practice will use carefully selected third party service providers. When we use a third-party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:

Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc.

Delivery services (for example if we were to arrange for delivery of any medicines to you).

Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).

Further details regarding specific third-party processors can be supplied on request to the practice.

Risk Stratification

Risk stratification is a process for identifying and managing patients who are at a higher risk of emergency hospital admission. Typically, this is because patients have a long-term condition such as COPD or cancer. NHS England encourages GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help prevent avoidable admissions.

Information about you is collected from several sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your anonymous information using computer programmes. Your information is only provided back to your GP or member of your care team in an identifiable form. Risk stratification enables your GP to focus on the prevention of ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services.

If you do not wish to be included in the risk stratification process, then please get in touch with the Practice. Please note the purpose of risk stratification is to prevent and detect health issues therefore we will ask our Patients for their consent to be included in this.

Individual Risk Management at a GP practice level however is deemed to be part of your individual healthcare and is covered by our legal powers above.

Our data processors  for Risk Stratification is monitored by our Administration team.

Medicines Management

The practice may conduct Medicines Management Reviews of medications prescribed to its patients, to ensure patients receive the most appropriate, up-to-date and cost-effective treatments. The reviews are carried out by the Clinical Commissioning Group’s Medicines Management Team under a Data Processing contract with the Practice.

Population Health Management

Population Health Management is the use of data to help with planning and delivery of proactive care to address the needs of the population. It includes a number of techniques to identify local ‘at risk’ cohorts of patients, to design better care and support for people with ongoing health conditions and give a consistent service.

The benefits of Population Health Management are:

  • Using data-driven insights and evidence of best practice to inform targeted
  • interventions to improve the health & wellbeing of specific populations & cohorts
  • The wider determinants of health, not just health & care
  • Making informed judgements, not just relying on the analytics
  • Prioritising the use of collective resources to have the best impact
  • Acting together – the NHS, local authorities, public services, the VCS,
  • communities, activists & local people. Creating partnerships of equals
  • Achieving practical tangible improvements for people & communities

Information about you is collected from several sources including NHS Trusts and from this GP Practice. The identifying parts of your data are removed, and an analysis of your data is undertaken. This analysis may be undertaken by external organisations who are acting on behalf of your GP Practice and have a Data Processing contract with the Practice. This is then provided back to your GP as data controller in an identifiable form. As a result of population health management, your GP may be able to offer you additional services.

What is the legal basis for processing your personal data?

This GP Practice collects and holds data for the sole purpose of providing healthcare services to our patients and we will ensure that information is kept confidential. Under the UK GDPR the lawful bases for using your information are:

Article 6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Article 9(2)(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.

We can disclose personal information if:

  • It is required by law
  • You consent – either implicitly for the sake of your own care or explicitly for other purposes
  • It is justified in the public interest

This privacy notice applies to the personal data of our patients and the data you have given us about your carers/family members.

Some of this information will be held centrally and used for statistical purposes. Where we hold data centrally, we take strict measures to ensure that individual patients cannot be identified.

How do we delete your data?

This will only happen following a review of the information at the end of its retention period. Where data has been identified for disposal, we have the following responsibilities:

  • To ensure that information held in manual form is destroyed using a cross-cut shredder or contracted to a reputable confidential waste company [name of shredding company used, if applicable] that complies with European Standard EN15713 and obtain certificates of destruction.
  • To ensure that electronic storage media used to store, or process information are destroyed or overwritten to national standards.

How long do we store your data for?

We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records management code of practice for health and social care and national archives requirements.

More information on records retention can be found in the NHS Records Management Code of Practice 2020.

Records Management Code of Practice – NHS Transformation Directorate

Sharing your personal data

We will normally ask you for your consent, but there are times when we may be required by law to share your information without your consent, for example:

  • Where there is a serious risk of harm or abuse to you or other people.
  • Safeguarding matters and investigations.
  • Where a serious crime, such as assault, is being investigated or where it could be prevented.
  • Notification of new births.
  • Where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS).
  • Where a formal court order has been issued.
  • Where there is a legal requirement, for example if you had committed a Road Traffic Offence.

Sometimes information about you may be requested to be used for other purposes. These have been outlined below.

  1. Risk stratification
  2. Population Health Management
  3. Medicines Management
  4. Patient Communication
  5. Safeguarding
  6. Invoice Validation
  7. Research
  8. Third party processors

Where do we store your data?

All the personal data we process is processed by our staff in the UK however for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

No third parties have access to your personal data unless the law allows them to do so, and appropriate safeguards have been put in place such as a Data Processing agreement. We have a Data Protection regime in place to oversee the effective and secure processing of your personal and or special category data.

EMIS Web

The Practice uses a clinical system provided by a Data Processor called EMIS. Since June 2019, EMIS commenced storing your practice’s EMIS Web data in a highly secure, third party cloud hosted environment, namely Amazon Web Services (“AWS”).

The data will remain in the UK at all times and will be fully encrypted both in transit and at rest. In doing this there will be no change to the control of access to your data and the hosted service provider will not have any access to the decryption keys. AWS is one of the world’s largest cloud companies, already supporting numerous public sector clients (including the NHS), and it offers the very highest levels of security and support.

How do we process your personal data?

Health care professionals maintain records about your health and any treatment or care you have received within the NHS (e.g. NHS Hospital Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide the best possible healthcare.

NHS health records may be processed electronically, on paper or a mixture of both, and a combination of working practices and technology are used to ensure that your information is kept confidential and secure. Records held by this GP Practice may include the following information:

  • Details about you, such as address, telephone numbers, DOB and next of kin
  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations, such as laboratory tests, x-rays, etc.
  • Relevant information from other health professionals, relatives or those who care for you
  • Religious beliefs, ethnicity, sexuality etc (if required in a healthcare setting)

To ensure you receive the best possible care, your records are used to facilitate the care you receive, including contacting you. Information held about you may be used to help protect the health of the public and to help us manage the NHS and the services we provide. Limited information may be used within the GP practice for clinical audit to monitor the quality of the service we provided.

Who are we?

Wychall Lane Surgery is the data controller. This means it decides how your personal data is processed and for what purposes.

The Health and Social Care Act 2012 changed the way that personal confidential data is processed. Therefore, it is important that patients are made aware of, and understand these changes and that you have an opportunity to object if you so wish and that you know how to do so.

How do we maintain confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 2018
  • The UK General Data Protection Regulations (UK GDPR)
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality, Information Security and Records Management
  • Information: To Share or Not to Share Review

All NHS staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Only a limited number of authorised staff has access to personal information where it is appropriate to their role and is strictly on a need-to-know basis. If a sub-contractor acts as a data processor for the Practice, an appropriate contract will be established for the processing of your information.

We maintain our duty of confidentiality to you always. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on and/or in accordance with the Caldicott principle for information sharing (sharing information in the best interest of the patient).