DATA PROTECTION

PRIVACY NOTICE - LAMBERHURST SURGERY -  PROTECTING YOUR CONFIDENTIALITY                                                                                                 

 This privacy notice explains why we collect information about you, how that information may be used and how we keep it safe and confidential.

Welcome to Lamberhurst Surgery’s privacy notice. We respect your privacy and are committed to protecting your personal data. This privacy notice will inform you how we look after your personal data when you visit our website (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you.

Lamberhurst Surgery keeps data on you relating to who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your health problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care.

When registering for NHS care, all patients who receive NHS care are registered on a national database.  The database is held by NHS Digital, a national organisation which has legal responsibilities to collect information for the NHS.

NHS Digital is the secure haven for NHS patient data, a single repository where data collected from all branches of the NHS is processed. NHS Digital provides reports on the performance of the NHS, statistical information, audits and patient outcomes (https://digital.nhs.uk/data-and-information). Examples include; A/E and outpatient waiting times, the numbers of staff in the NHS, percentage target achievements, payments to GPs etc. and more specific targeted data collections and reports such as Female Genital Mutilation, general practice appointments data and English National Diabetes Audits. GPs are required by the Health and Social Care Act to provide NHS Digital with information when instructed. This is a legal obligation which overrides any patient wishes. These instructions are called “Directions”. More information on the directions placed on GPs can be found at https://digital.nhs.uk/article/8059/NHS-England-Directions- and www.nhsdatasharing.info

GPs have always delegated tasks and responsibilities to others that work with them in their surgeries.  On average an NHS GP has between 1,500 to 2,500 patients for whom he or she is accountable, it is not possible for the GP to provide hands on personal care for each and every one of those patients.  For this reason GPs share your care with others, predominantly within the surgery but occasionally with outside organisations.

If your health needs require care from others outside this practice, we will exchange with them whatever information about you that is necessary for them to provide that care. When you make contact with healthcare providers outside the practice but within the NHS it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non NHS services but this is not always the case.

Your consent to this sharing of data, within the practice and with those others outside the practice is assumed and is allowed by law.

People who have access to your information will only normally have access to that which they need to fulfil their roles, for instance admin staff will normally only see your name, address, contact details, appointment history and registration details in order to book appointments, the practice nurses will normally have access to your immunisation, treatment, significant active and important past histories, your allergies and relevant recent contacts whilst the GP you see or speak to will normally have access to everything in your record.

There are occasions when intervention is necessary in order to save or protect a patient’s life or to prevent them from serious immediate harm, for instance during a collapse or diabetic coma or serious injury or accident. In many of these circumstances the patient may be unconscious or too ill to communicate. In these circumstances we have an overriding duty to try to protect and treat the patient. If necessary we will share your information and possibly, sensitive confidential information, with other emergency healthcare services, the police or fire brigade, so that you can receive the best treatment.

The law acknowledges this and provides supporting legal justifications.

Individuals have the right to make pre-determined decisions about the type and extent of care they will receive should they fall ill in the future.  These are known as “Advance Directives” and if lodged in your records these will normally be honoured.

You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests.

The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These currently apply to bowel cancer, cervical cancer, breast cancer, aortic aneurysms and diabetic retinal screening service. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.

More information can be found at: https://www.gov.uk/topic/population-screening-programmes

Contract holding GPs in the UK receive payments from their respective governments on a tiered basis. Most of the income is derived from baseline capitation payments made according to the number of patients registered with the practice on quarterly payment days. The amount paid per patient per quarter varies according to the age, sex and other demographic details for each patient. There are also graduated payments made according to the practice’s achievement of certain agreed national quality targets known as the Quality and Outcomes Framework (QOF), for instance the proportion of diabetic patients who have had an annual review.

Practices can also receive payments for participating in agreed national or local enhanced services, for instance opening early in the morning or late at night or at the weekends. Practices can also receive payments for certain national initiatives such as immunisation programs and practices may also receive incomes relating to a variety of non-patient related elements such as premises.

Finally there are short term initiatives and projects that practices can take part in. Practices or GPs may also receive income for participating in the education of medical students, junior doctors and GPs themselves as well as research.

In order to make patient based payments basic and relevant, necessary data about you needs to be sent to the various payment services. The release of this data is required by English law.

The Summary Care Record is an English NHS development. It consists of a basic medical record held on a central government database on every patient registered with a GP surgery in England. The basic data is automatically extracted from your GP’s electronic record system and uploaded to the central system. GPs are required by their contract with the NHS to allow this upload. The basic upload consists of current medication, allergies and details of any previous bad reactions to medicines, the name, address, date of birth and NHS number of the patient.

As well as this basic record additional information can be added, and this can be far reaching and detailed. However, whereas the basic data is uploaded automatically any additional data will only be uploaded if you specifically request it and with your consent.

Summary Care Records can only be viewed within the NHS on NHS smartcard controlled screens or by organisations, such as pharmacies, contracted to the NHS. You can find out more about the SCR here https://digital.nhs.uk/summary-care-records

You have the right to object to our sharing your data in these circumstances and you can ask your GP to block uploads.

Public health encompasses everything from national smoking and alcohol policies, the management of epidemics such as flu, the control of large scale infections such as TB and Hepatitis B to local outbreaks of food poisoning or Measles. Certain illnesses are also notifiable; the doctors treating the patient are required by law to inform the Public Health Authorities, for instance Scarlet Fever.

This will necessarily mean the subject’s personal and health information being shared with  Public Health organisations.

Some of the relevant legislation includes: the Health Protection (Notification) Regulations 2010 (SI 2010/659), the Health Protection (Local Authority Powers) Regulations 2010 (SI 2010/657), the Health Protection (Part 2A Orders) Regulations 2010 (SI 2010/658), Public Health (Control of Disease) Act 1984, Public Health (Infectious Diseases) Regulations 1988 and The Health Service (Control of Patient Information) Regulations 2002

The records we keep enable us to plan for your care.

Lamberhurst Surgery keeps data on you that we apply searches and algorithms to in order to identify preventive interventions. This means using only the data we hold or in certain circumstances linking that data to data held elsewhere by other organisations, and usually processed by organisations within or bound by contracts with the NHS.

If any processing of this data occurs outside the practice your identity will not be visible to the processors. Only this practice will be able to identify you and the results of any calculated factors, such as your risk of having a heart attack in the next 10 years or your risk of being admitted to hospital with a complication of chest disease

You have the right to object to our processing your data in these circumstances and before any decision based upon that processing is made about you. Processing of this type is only lawfully allowed where it results in individuals being identified with their associated calculated risk. It is not lawful for this processing to be used for other ill-defined purposes, such as “health analytics”.

Despite this we have an overriding responsibility to do what is in your best interests. If we identify you as being at significant risk of having, for example a heart attack or stroke, we are justified in performing that processing.

Where there is a suspected or actual safeguarding issue we will share information that we hold with other relevant agencies whether or not the individual or their representative agrees.

There are three laws that allow us to do this without relying on the individual or their representatives’ agreement (unconsented processing), these are:

Section 47 of The Children Act 1989 :
(https://www.legislation.gov.uk/ukpga/1989/41/section/47),

Section 29 of Data Protection Act (prevention of crime) https://www.legislation.gov.uk/ukpga/1998/29/section/29

and

section 45 of the Care Act 2014 http://www.legislation.gov.uk/ukpga/2014/23/section/45/enacted.

In addition there are circumstances when we will seek the agreement (consented processing) of the individual or their representative to share information with local child protection services, the relevant law being; section 17 Childrens Act 1989 https://www.legislation.gov.uk/ukpga/1989/41/section/17

The Care Quality Commission (CQC) is an organisation established in English law by the Health and Social Care Act. The CQC is the regulator for English health and social care services to ensure that safe care is provided. They inspect and produce reports on all English general practices in a rolling 5 - year program. The law allows CQC to access identifiable patient data as well as requiring this practice to share certain types of data with them in certain circumstances, for instance following a significant safety incident.

For more information about the CQC see: http://www.cqc.org.uk/

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

1) Data Controller contact details

 

 

Dr Innes Cameron, Lamberhurst Surgery, The Down, Lamberhurst, Kent, TN3 8EX

Tel: 01892 890 800

2) Data Protection Officer contact details

 

 

Dr Innes Cameron, Lamberhurst Surgery, The Down, Lamberhurst, Kent, TN3 8EX

Tel: 01892 890 800

3) Purpose of the  processing

Direct Care is care delivered to the individual alone, most of which is provided in the surgery. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and care.

4) Lawful basis for  processing

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere  is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...” 

 

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*

5) Recipient or categories of recipients of the processed data

The data will be shared with health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care. 

6) Rights to object

You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

8) Retention period

The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016

or speak to the practice.

 

9)  Right to Complain.

You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/ 

 

or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

“Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

© Tree View Designs Ltd 2021