Your personal information choices
Health and social care information is used in a number of ways to support your personal care and to improve health and social care services for everyone.
When you attend a health or social care provider in England the clinicians and administrators you see will record information about your care. You can decide with your clinician on how your data will be used for your direct care. The second Caldicott Report defined direct care as a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation of suffering of individuals. It includes supporting individuals' ability to function and improve their participation in life and society, the assurance of safe and high quality care and treatment through local audit and the management of untoward or adverse incidents.
There are choices you can make about how information is used, and you can choose to opt out of your information being shared or used for any purpose beyond providing your care.
If you do not want your information to be used for any purpose beyond providing your care you can choose to opt-out. If you wish to do so, please inform your GP practice and they will mark your choice in your medical record. There are two types of opt-out. You can withdraw either opt-out at any time by informing your GP practice.
Type 1 opt-outs
If you do not want information that identifies you to be shared outside your GP practice for purposes beyond your direct care, you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.
Type 2 opt-outs
The HSCIC collects information from a range of places where people receive care, such as hospitals and community services. If you do not want your personal confidential information to be shared outside of the HSCIC for purposes other than for your direct care, you can register a type 2 opt-out with your GP practice.
A direction from the Secretary of State sets out the Department of Health policy as to how type 2 opt-outs must be applied and instructs HSCIC to apply type 2 opt-outs from 29 April 2016.
When we have collected information about your type 2 opt out from your GP practice we use that to create a record of all current type 2 opt outs. We then use that record to check against any set of data that is to be made available by HSCIC to another organisation and remove all of your personal confidential information if it is in that data set, before that data are made available.
The direction sets out the scope of when your type 2 opt out does not apply such as when there is a legal requirement to release information, or where you have given your consent to a specific release of your information.
There are also some limited circumstances, which are set out in the direction, when we don't apply your type 2 opt out to information made available. These are cases where:
• The Secretary of State for Health has identified the information flow is very important.
• There are complex technical barriers that make it very difficult to apply opt outs.
For more information on how we collect and use opt-out information, see Applying Type 2 Opt Outs.
For more information about care records and how to access them see NHS Choices. For details about how public bodies must make information available, see the model publication scheme published by the Information Commissioner's Office.
Subject Access Request (requesting information about you)
Under the Data Protection Act 1998 anyone can ask to see the information that an organisation holds about them. To ask us what information we hold you should complete and send us a Subject Access Request form, see policies and procedures.
If you do not wish to share your information, please complete and return an opt-out form.
SCR - Summary Care Record
A Summary Care Record is an electronic record which contains information about the medicines you take, allergies you suffer from and any bad reactions to medicines you have had. Having this information stored in one place makes it easier for healthcare staff to treat you in an emergency, or when your GP practice is closed.
If you do not wish to have a summary care record then please complete and return an opt-out form.
Fair Processing Notice
How we use your information
Our GP practice holds information about you and this document outlines how that information is used, with whom we may share that information, how we keep it secure (confidential) and what your rights are in relation to this.
The Health Care Professionals (HCPs) who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP surgery, Community clinics or staff etc.). These records help to provide you with the best possible healthcare.
NHS health records may be electronic, on paper or a mixture of both and we use a combination of working practices and technology to ensure that your information is kept confidential and secure.
What kind of information do we use?
- Details about you, such as contact details, your age and next of kin
- Any contact the surgery has had with you such as appointments, clinic visits, emergency appointments and so on
- Notes and reports about your health, treatment and care
- Results of investigations such as laboratory tests, x-rays etc.
- Relevant information from other HCPs
To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used for clinical audit to monitor the quality of the service provided and to plan NHS services.
Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.
Sometimes your information may be requested to be used for research purposes – the surgery or organisation concerned will always endeavour to gain your consent before releasing the information.
The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS and what control patients can have over this.
The NHS Constitution establishes the principles and values of the NHS in England. It sets out rights to which patients, public and staff are entitled, and pledges which the NHS is committed to achieve, together with responsibilities, which the public, patients and staff owe to one another to ensure that the NHS operates fairly and effectively.
What do we use your personal and confidential/sensitive information for?
We can only use any information that may identify you (known as personal information) in accordance with the Data Protection Act 1998 and other laws such as the Health and Social Care Act 2012; however, only the minimum necessary identifiers are used in processing personal information for this purpose. We also have a Common Law Duty of Confidentiality to protect your information. This means that where a legal basis for using your personal or confidential information does not exist, we will not do so.
Personal information may also be used in the following cases:
- To respond to communication from patients, carers or Members of Parliament
- Where we have received consent from individuals to be able to use their information for a specific purpose.
- When there is an over-riding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime.
- When there is a legal requirement that will allow us to use or provide information (e.g. a formal court order).
- For the health and safety of others, for example to report an infectious disease such as meningitis or measles.
- Where we have special permission for health and research purposes (granted by the Health Research Authority).
- If we have special permission called a ‘Section 251 agreement’ (Section 60 of the Health and Social Care Act 2001 as re-enacted by Section 251 of the NHS Act 2006) which allows the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for defined medical purposes. An example of where this is used is in risk stratification.
We may use your details to contact you with regards to patient satisfaction surveys, such as the NHS Friends & Family Test, that relate to our services. This is to improve the way we deliver healthcare to you and other patients.
Risk stratification tools are increasingly being used in the NHS to help determine a person’s risks of suffering from a particular condition, preventing an unplanned or (re)admission and identifying a need for preventative intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your anonymised information using software managed by an agreed 3rd party as the data processor and is then only provided back to your GP or member of your care team as data controller. The data is processed under Section 251 of the NHS Act 2006. Risk stratification enables the practice to focus on the prevention of ill health through a system of case finding and not just the treatment of sickness.
Should you have any concerns about how information is managed at the practice, please write to the Practice Manager so you can discuss how the disclosure of your personal information can be limited.
Invoice validation is an important process that involves using your NHS number to check that the correct CCG is paying for your treatment. We can also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for. The CCG does not receive or see any patient level information relating to these invoices.
The legal basis to use information for invoice validation is provided under Regulations made under section 251 of the NHS Act 2006 and is based on the advice of the Health Research Authority’s Confidentiality and Advisory Group (reference CAG 7-07(a) and (b)/2013).
Further information about invoice validation is available from NHS England.
We are required by law to protect the public funds we administer. We may share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
How do we maintain confidentiality of your records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 1998 (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality and the NHS Codes of Confidentiality and Security.
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. Anyone who receives information from an NHS organisation has a legal duty to keep it confidential.
We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (e.g. life or death situations) or where the law requires information to be passed on.
The NHS Code of Practice on Confidential Information applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All practice staff are expected to make sure information is kept confidential and receive annual training on how to do this. This is monitored by the practice and can be enforced through disciplinary procedures.
We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only and protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).
We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where information that could or does identify a person is processed.
We have a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing. This person is called the Caldicott Guardian. The Caldicott Guardian for the practice is Dr Daphne Hammersley who can be contacted via the practice reception team.
We are registered with the Information Commissioner’s Office (ICO) as a data controller which describes the purposes for which we process personal data. A copy of the registration is available from the ICO’s web site by searching on our practice name.
Who are our Partner Organisations?
We may also share your information, subject to strict agreements on how it will be used, with other organisations. These may include, but are not restricted to:
- NHS Trusts, Specialist Trusts, Social Services, Ambulance Trusts
- Independent contractors such as dentists, opticians, pharmacists
- Private and Voluntary sector providers
- Local Authorities, Education Services, Fire & Rescue Services, Police
Sharing data with other organisations
We are working closely with a third party called Optum Health Solutions to develop systems that provide data to enable us to do our work, but in ways that do not involve Optum using information that can identify individual patients.
Pseudonymisation is a technical process that replaces identifiable information such as an NHS number, postcode or date of birth with a unique identifier, which completely obscures the actual identity of the individual patient to those working with the data. It allows records for the same patient from different sources to be linked to create a complete longitudinal record of that patient's medical conditions, history and care.
Linkage of data from different health and social care data sources is undertaken enabling the processing of data and provision of appropriate analytical support for Lakeside GPs whilst protecting the privacy and confidentiality of our patients.
Technical and organisational measures are in place to ensure the security and protection of information. Robust access controls are in place to ensure only Lakeside staff are able to re-identify information about their individual patients with their consent when it is necessary for the provision of their care.
The Optum Pseudonymisation at Source system has been confirmed by the Information Commissioner's Office as sufficiently de-identifying patient identifiers before it leaves the originating source to make it impossible to re-identify the individual concerned.
What are your rights?
Where information from which you can be identified is held, you have the right to ask to:
- view this or request copies of the records by making a subject access request – also see below.
- request that information is corrected
- have the information updated where it is no longer accurate
- ask us to stop processing information about you where we are not required to do so by law – although we will first need to explain how this may affect the care you receive.
Access to personal information
You have a right under the Data Protection Act 1998 to access/view what information the surgery holds about you, and to have it amended or removed should it be inaccurate. This is known as ‘the right of subject access’. If we do hold information about you we will:
- Give you a description of it
- Tell you why we are holding it
- Tell you who it could be disclosed to, and
- Let you have a copy of the information in an intelligible form
If you would like to make a ‘subject access request’, please do so in writing to the Practice Manager.
Summary Care Records (SCR)
The Summary Care Record is a national scheme to share information about the medicines you are prescribed and any allergies or other adverse reactions you have experienced. Health Professionals at other organisations will only be able to access this information with your permission. You can opt-out of the scheme; please ask at the surgery if you need more information.
Summary Care Record with Additional Information
This is a national scheme to share more detailed information including your current medical problems and your care wishes. Health Professionals at other organisations will only be able to access this information with your permission. This information will only be available to other agencies if you have given us your permission to share it.
Your right to withdraw consent
If you are happy for your data to be extracted and used for the purposes described in this Fair Processing Notice, then you do not need to do anything.
If you do not want your personal data to be extracted and used for the purposes described in this Fair Processing Notice, then you need to let us know as soon as possible in writing to the Practice Manager.
Please note that withdrawing your consent from sharing data may, in some circumstances, cause a delay in your receiving care.
How long do we hold information for?
All records held by the practice will be kept for the duration specified by national guidance from the Department of Health, The Records Management Code of Practice for Health and Social Care 2016. Confidential information is securely destroyed in accordance with this code of practice.