Privacy

Privacy notice

The General Data Protection Regulation (GDPR) became law on 24th May 2016. This is a single EU-wide regulation on the protection of confidential and sensitive information.

This privacy notice lets you know what happens to any personal data that you give to us, or any that we may collect from or about you. This privacy notice applies to personal information processed by or on behalf of the practice.

This notice explains:

Who we are, how we use your information and our Data Protection Officer
What kinds of personal information about you do we process?
What are the legal grounds for our processing of your personal information (including when we share it with others)?
What should you do if your personal information changes?
For how long your personal information is retained by us?
What are your rights under data protection laws?

For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), and the Data Protection Act 2018 the practice responsible for your personal data is Keats Surgery.

This notice describes how we collect, use and process your personal data, and how, in doing so, we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.

The following notice reminds you of your rights in respect of the above legislation and how your GP Practice will use your information for lawful purposes in order to deliver your care and the effective management of the local NHS system.

This notice reflects how we use information for:

The management of patient records
Communication concerning your clinical, social and supported care
Ensuring the quality of your care and the best clinical outcomes are achieved through clinical audit and retrospective review
Participation in health and social care research
The management and clinical planning of services to ensure that appropriate care is in place for the people today and in the future

Data Controller

Keats Surgery is the data controller for any personal data that we hold about you.

Data Protection Officer

Our Data Protection Officer (DPO) is:

Mrs Nurdan Fuat
Keats Surgery
290A Church Street
Edmonton
London
N9 9HJ

Tel: 020 8807 2051

How Do We Maintain The Confidentiality Of Your Records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

What Information Do We Collect And Use?

All personal data must be processed fairly and lawfully, whether is it received directly from you or from a third party in relation to the your care.

We will collect the following types of information from you or about you from a third party (provider organisation) engaged in the delivery of your care:

‘Personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified from the data. This includes, but is not limited to name, date of birth, full postcode, address, next of kin and NHS Number; and
‘Special category / sensitive data’ such as medical history including details of appointments and contact with you, medication, emergency appointments and admissions, clinical notes, treatments, results of investigations, supportive care arrangements, social care status, race, ethnic origin, genetics and sexual orientation.

Your healthcare records contain information about your health and any treatment or care you have received previously (e.g. from an acute hospital, GP surgery, community care provider, mental health care provider, walk-in centre, social services). These records maybe electronic, a paper record or a mixture of both. We use a combination of technologies and working practices to ensure that we keep your information secure and confidential.

Why Do We Collect This Information?

The NHS Act 2006 and the Health and Social Care Act 2012 invests statutory functions on GP Practices to promote and provide the health service in England, improve quality of services, reduce inequalities, conduct research, review performance of services and deliver education and training. To do this we will need to process your information in accordance with current data protection legislation to:

Protect your vital interests
Pursue our legitimate interests as a provider of medical care, particularly where the individual is a child or a vulnerable adult
Perform tasks in the public’s interest
Deliver preventative medicine, medical diagnosis, medical research
Manage the health and social care system and services

How Do We Use This Information?

To ensure that you receive the best possible care, your records will be used to facilitate the care you receive. Information held about you may be used to protect the health of the public and to help us manage the NHS. Information may also be used for clinical audit to monitor the quality of the service provided. In addition, your information will be used to identify whether you are at risk of a future unplanned hospital admission and/or require support to effectively manage a long term condition.

From time to time we may contact you to remind you about appointments you have at the practice and to give you information on other services we provide (for example flu clinics, smoking cessation advice, health checks).

How Is The Information Collected?

Your information will be collected either electronically using secure NHS Mail or a secure electronic transferred over an NHS encrypted network connection. In addition physical information will be sent to your practice. This information will be retained within your GP’s electronic patient record or within your physical medical records.

Who Will We Share Your Information With?

In order to deliver and coordinate your health and social care, we may share information with the following organisations:

GP practices
Community services such as district nurses, rehabilitation services, telehealth and out of hospital services
Child health services that undertake routine treatment or health screening
GP Practices in Enfield in order to delivery extended primary care services
Enfield Community Health NHS Trust
Enfield Clinical Commissioning Group (CCG)
Referral Assessment Service (RAS)
Care/Nursing Homes/Community Hospitals that you may be resident in
NHS 111 and Out of Hours Service
Enfield Council (Adult & Children Social Services and Community Care)
Pharmacies/Prescription Pricing Authority
Her Majesty’s Coroner

Your information will only be shared if it is appropriate for the provision of your care or required to satisfy our statutory function and legal obligations. Your information will not be transferred outside of the European Union.

Who Do We Receive Information From?

Whilst we might share your information with the above organisations, we may also receive information from them to ensure that your medical records are kept up to date and so that your GP can provide the appropriate care.

In addition we received data from NHS Digital (as directed by the Department of Health) such as the uptake of flu vaccinations and disease prevalence in order to assist us to improve “out of hospital care”.

Third Party Processors

In order to deliver the best possible service, the practice will share data (where required) with other NHS bodies such as other GP practices and hospitals. In addition the practice will use carefully selected third party service providers. When we use a third party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties includes:

Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc
Delivery services (for example if we were to arrange for delivery of any medicines to you)
Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations)

Further details regarding specific third party processors can be supplied on request.

As a controller you should inform your patients (e.g. via posters or general communications) and undertake a Data Privacy Impact Assessment (DPIA) in relation to this change. We hope that this information, together with this letter, will assist your DPIA considerations and if you require any further detail then please do not hesitate to contact us and we would be happy to assist.

The safety and availability of your data is our utmost concern and we are confident that this approach will improve data security, integrity and performance.

How Do We Maintain Confidentiality Of Your Records?

We are committed to protecting your privacy and will only use information that has been collected lawfully. Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. We maintain our duty of confidentiality by conducting annual training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access.

Information is not held for longer than is necessary. We will hold your information in accordance with the Records Management Code of Practice for Health and Social Care 2016.

Where Do We Store Your Information Electronically?

All the personal data we process is processed by our staff in the UK however for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

No 3rd parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place such as a Data Processor as above). We have a Data Protection regime in place to oversee the effective and secure processing of your personal and or special category (sensitive, confidential) data.

EMIS WEB

The Practice uses a clinical system provided by a Data Processor called EMIS.

The data will remain in the UK at all times and will be fully encrypted both in transit and at rest. In doing this, there will be no change to the control of access to your data and the hosted service provider will not have any access to the decryption keys. AWS is one of the world’s largest cloud companies, already supporting numerous public sector clients (including the NHS), and it offers the very highest levels of security and support.

Where Do We Store Hard Copies Of Your Information?

The practice stores all patients’ medical records on-site.

Consent And Objections

Do I Need To Give My Consent?

The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how their data is used. When consent is used properly, it helps you build trust and enhance your reputation. However consent is only one potential lawful basis for processing information. Therefore your GP practice may not need to seek your explicit consent for every instance of processing and sharing your information, on the condition that the processing is carried out in accordance with this notice. Your GP Practice will contact you if they are required to share your information for any other purpose which is not mentioned within this notice. Your consent will be documented within your electronic patient record.

What Will Happen If I Withhold My Consent Or Raise An Objection?

You have the right to write to withdraw your consent to any time for any particular instance of processing, provided consent is the legal basis for the processing. Please contact your GP Practice for further information and to raise your objection.

Parental Consent

Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved.

ICO guidance:

You need to have a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Sometimes using an alternative basis is more appropriate and provides better protection for the child
If you are relying on consent as your lawful basis for processing personal data, when offering an online service directly to a child, only children aged 13 or over are able provide their own consent.(This is the age proposed in the Data Protection Bill and is subject to Parliamentary approval)
For children under this age you need to get consent from whoever holds parental responsibility for the child – unless the online service you offer is a preventive or counselling service
Children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased.

Health Risk Screening / Risk Stratification

Health Risk Screening or Risk Stratification is a process that helps your GP to determine whether you are at risk of an unplanned admission or deterioration in health. By using selected information such as age, gender, NHS number, diagnosis, existing long term condition(s), medication history, patterns of hospital attendances, admissions and periods of access to community care your GP will be able to judge if you are likely to need more support and care from time to time, or if the right services are in place to support the local population’s needs.

To summarise Risk Stratification is used in the NHS to:

Help decide if a patient is at a greater risk of suffering from a particular condition
Prevent an emergency admission
Identify if a patient needs medical help to prevent a health condition from getting worse
Review and amend provision of current health and social care services

Your GP will use computer based algorithms or calculations to identify their registered patients who are at most risk, with support from the local Commissioning Support Unit and/or a third party accredited Risk Stratification provider. The risk stratification contracts are arranged by NHS Enfield Clinical Commissioning Group in accordance with the current Section 251 Agreement. Will at any time have access to your personal or confidential data. They will only act on behalf of your GP to organise the risk stratification service with appropriate contractual technical and security measures in place.

Your GP will routinely conduct the risk stratification process outside of your GP appointment. This process is conducted electronically and without human intervention. The resulting report is then reviewed by a multidisciplinary team of staff within the practice. This may result in contact being made with you if alterations to the provision of your care are identified.

A Section 251 Agreement is where the Secretary of State for Health and Social Care has granted permission for personal data to be used for the purposes of risk stratification, in acknowledgement that it would overburden the NHS to conduct manual reviews of all patient registers held by individual providers.

As mentioned above, you have the right to object to your information being used in this way. However you should be aware that your objection may have a negative impact on the timely and proactive provision of your direct care. Please contact the practice manager to discuss how disclosure of your personal data can be limited.

Sharing Of Electronic Patient Records Within The NHS

Electronic patient records are kept in most places where you receive healthcare. Our local electronic systems (such as EMIS Web) enable your record to be shared with organisations involved in your direct care, such as:

GP practices
Community services such as district nurses, rehabilitation services, telehealth and out of hospital services
Child health services that undertake routine treatment or health screening
Urgent care organisations, minor injury units or out of hours services
Community hospitals
Palliative care hospitals
Care Homes
Mental Health Trusts
Hospitals
Social Care organisations
Pharmacies

In addition, NHS England have implemented the Summary Care Record which contains information about medication you are taking, allergies you suffer from and any bad reactions to medication that you have had in the past.

Your electronic health record contains lots of information about you. In most cases, particularly for patients with complex conditions and care arrangements, the shared record plays a vital role in delivering the best care and a coordinated response, taking into account all aspects of a person’s physical and mental health. Many patients are understandably not able to provide a full account of their care, or may not be in a position to do so. The shared record means patients do not have to repeat their medical history at every care setting.

Your record will be automatically setup to be shared with the organisations listed above, however you have the right to ask your GP to disable this function or restrict access to specific elements of your record. This will mean that the information recorded by your GP will not be visible at any other care setting.

You can also reinstate your consent at any time by giving your permission to override your previous dissent.

Supporting Medicines Management

CCGs support local GP practices with prescribing queries which generally don’t require identifiable information. CCG pharmacists work with your practice to provide advice on medicines and prescribing queries, and review prescribing of medicines to ensure that it is safe and cost-effective. Where specialist support is required e.g. to order a drug that comes in solid form, in gas or liquid, the CCG medicines management team will order this on behalf of the practice to support your care.

Safeguarding

To ensure that adult and children’s safeguarding matters are managed appropriately, access to identifiable information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned.

Practice Confidentiality and security principles when using video/telephone consultations and web conferencing.

The health and social care system is facing significant pressures due to the COVID-19 outbreak and we will need to work in different ways from usual. In the current circumstances it would be more harmful not to share health and care information than to share it. Whilst video and telephone consultations are now being extensively used for patient healthcare as well as team conferencing, it is important to adhere to some basic confidentiality and security principles for the day to day use of the services. The following considerations can help minimise data breaches: Video and telephone conferencing:

Patient confidentiality must be respected and the same precautions should be taken as we would have done in normal circumstances i.e. video conferencing and telephone calls should be carried out in a confidential environment wherever possible
Video consultations should be treated as private meetings and staff should ensure that the patient is fully informed of the procedure
Calls should be made in an environment that affords the same privacy as a face to face consultation. Be aware of who can overhear you
Ensure room and content security for video consultations. For example, do not leave confidential information on whiteboards or documents which could easily be viewed
The processing of notes and administration should take place in the same way as face to face appointments, and patient records updated appropriately Team conferencing – Microsoft Teams Microsoft Teams is now being widely used for scheduling corporate team meetings and can also be used for one-to-one and group chats without the need to create a team. The following information security guidelines will help to maintain staff and patient confidentiality
Make sure you do not share sensitive information that you do not want all invited participants to a chat to see. They will be able to read the chat even if they do not join the meeting, or have already disconnected
The guidance for using Microsoft Teams is similar to NHS mail, therefore care should be taken to ensure that you are sharing with the right person as there can be several people with the same name on the system
Conversation history and chats are persistent – that is, your conversations stay around even after closing the application
Remember to consider what you are sharing and with whom
Sensitive patient or staff information should not be shared or uploaded via Microsoft Teams
Files containing sensitive information should not be shared or uploaded via Files
Patients should not be invited to use Microsoft Teams as data controllers we are still required to comply with relevant and appropriate data protection standards

Summary Care Record (SCR)

NHS England uses a national electronic record called the Summary Care Record (SCR) to support patient care. It contains key information from your GP record. Your SCR provides authorised healthcare staff with faster, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable.

Summary Care Records are there to improve the safety and quality of your care. SCR core information comprises your allergies, adverse reactions and medications. An SCR with additional information can also include reason for medication, vaccinations, significant diagnoses / problems, significant procedures, anticipatory care information and end of life care information. Additional information can only be added to your SCR with your agreement.

Please be aware that if you choose to opt-out of SCR, NHS healthcare staff caring for you outside of this surgery may not be aware of your current medications, allergies you suffer from and any bad reactions to medicines you have had, in order to treat you safely in an emergency.

Your records will stay as they are now with information being shared by letter, email, fax or phone. If you wish to opt-out of having an SCR please return a completed opt out form to the practice.

Your Right To Withdraw Consent For Us To Share Your Personal Information (Opt-Out)

If you are happy for your data to be extracted and used for the purposes described in this fair processing notice then you do not need to do anything. If you do not want your information to be used for any purpose beyond providing your care you can choose to opt-out. If you wish to do so, please let us know so we can code your record appropriately. We will respect your decision if you do not wish your information to be used for any purpose other than your care but in some circumstances we may still be legally required to disclose your data.

There are two main types of opt-out.

Type 1 Opt-Out

If you do not want information that identifies you to be shared outside the practice, for purposes beyond your direct care, you can register a ‘Type 1 Opt-Out’. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

Type 2 Opt-Out

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a ‘Type 2 Opt-Out’. For further information about Type 2 Opt-Outs, please contact NHS Digital contact centre at enquiries@hscic.gov.uk referencing ‘Type 2 Opt-Outs – Data Requests’ in the subject line; or call NHS Digital on (0300) 303 5678; or visit the website: www.content.digital.nhs.uk/Information-ontype-2-opt-outs.

If you wish to discuss or change your opt-out preferences at any time please contact the practice manager.

Invoice Validation

If you have received treatment within the NHS, the local Commissioning Support Unit (CSU) may require access to your personal information to determine which Clinical Commissioning Group is responsible for payment for the treatment or procedures you have received. Information such as your name, address, date of treatment and associated treatment code may be passed onto the CSU to enable them to process the bill. These details are held in a secure environment and kept confidential. This information is only used to validate invoices in accordance with the current Section 251 Agreement, and will not be shared for any further commissioning purposes.

Your Right Of Access To Your Records

The Data Protection Act 1998 and General Data Protection Regulations allows you to find out what information is held about you including information held within your medical records, either in electronic or physical format. This is known as the “right of subject access”. If you would like to have access to all or part of your records, you can make a request in writing to the organisation that you believe holds your information. This can be your GP, or a provider that is or has delivered your treatment and care. You should however be aware that some details within your health records may be exempt from disclosure, however this will in the interests of your wellbeing or to protect the identity of a third party. If you would like access to your GP record please submit your request in writing to the Data Controller:

Keats Surgery
290A Church Street
Edmonton
London
N9 9HJ

Complaints

In the event that your feel your GP Practice has not complied with the current data protection legislation, either in responding to your request or in our general processing of your personal information, you should raise your concerns in the first instance in writing to the Practice Manager Nurdan Fuat at: