Marden Medical Practice

01743 241313

Privacy Notice

MARDEN MEDICAL PRACTICE

 

PRIVACY NOTICE

 

INTRODUCTION

 

This privacy notice lets you know what happens to any personal data that you give to us, or any information that we may collect from you or about you from other organisations.

 

This privacy notice applies to personal information processed by or on behalf of the practice.

 

This Notice explains:

  • Who we are and how we use your information
  • Information about our Data Protection Officer
  • What kinds of personal information about you we hold and use (process)
  • The legal grounds for our processing of your personal information (including when we share it with others)
  • What should you do if your personal information changes?
  • For how long your personal information is retained / stored by us?
  • What are your rights under Data Protection laws

 

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) became law on 25th May 2018. The GDPR is a single EU-wide regulation on the protection of confidential and sensitive (special) information, the DPA 2018 deals with elements of UK law that differ from the European Regulation, both came into force in the UK on the 25th May 2018, repealing the previous Data Protection Act (1998).

 

For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), and the Data Protection Act 2018 (currently in Bill format before Parliament) the practice responsible for your personal data is Marden Medical Practice.

 

This Notice describes how we collect, use and process your personal data, and how, in doing so, we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.

 

The following notice reminds you of your rights in respect of the above legislation and how your GP Practice will use your information for lawful purposes in order to deliver your care and the effective management of the local NHS system.

This notice reflects how we use information for:

  • The management of patient records;
  • Communication concerning your clinical, social and supported care;
  • Ensuring the quality of your care and the best clinical outcomes are achieved through clinical audit and retrospective review;
  • Participation in health and social care research; and
  • The management and clinical planning of services to ensure that appropriate care is in place for the people today and in the future.

 

DATA CONTROLLER

 

Marden Medical Practice is the data controller for any personal data that we hold about you.

 

DATA PROTECTION OFFICER

 

Our Data Protection Officer (DPO) Is Mr Paul Couldrey, PCDC, NBV Enterprise Centre, 6 David Lane, Nottingham, Nottinghamshire, NG6 0JU, Tel: 0155 838 6770 Email: info@pcdc.org.uk

 

HOW DO WE MAINTAIN THE CONFIDENTIALITY OF YOUR RECORDS? 

 

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 2018
  • The General Data Protection Regulations 2016
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality, Information Security and Records Management
  • Information: To Share or Not to Share Review

 

WHAT INFORMATION DO WE COLLECT AND USE?

 

All personal data must be processed fairly and lawfully, whether is it received directly from you or from a third party in relation to the your care.

 

We will collect the following types of information from you or about you from a third party (provider organisation) engaged in the delivery of your care:

 

  • ‘Personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified from the data. This includes, but is not limited to name, date of birth, full postcode, address, next of kin and NHS Number; and
  • ‘Special category / sensitive data’ such as medical history including details of appointments and contact with you, medication, emergency appointments and admissions, clinical notes, treatments, results of investigations, supportive care arrangements, social care status, race, ethnic origin, genetics and sexual orientation.

 

Your healthcare records contain information about your health and any treatment or care you have received previously (e.g. from an acute hospital, GP surgery, community care provider, mental health care provider, walk-in centre, social services). These records maybe electronic, a paper record or a mixture of both. We use a combination of technologies and working practices to ensure that we keep your information secure and confidential.

 

WHY DO WE COLLECT THIS INFORMATION?

 

The NHS Act 2006 and the Health and Social Care Act 2012 invests statutory functions on GP Practices to promote and provide the health service in England, improve quality of services, reduce inequalities, conduct research, review performance of services and deliver education and training. To do this we will need to process your information in accordance with current data protection legislation to:

  • Protect your vital interests;
  • Pursue our legitimate interests as a provider of medical care, particularly where the individual is a child or a vulnerable adult;
  • Perform tasks in the public’s interest;
  • Deliver preventative medicine, medical diagnosis, medical research; and
  • Manage the health and social care system and services.

 

HOW DO WE USE THIS INFORMATION?

 

To ensure that you receive the best possible care, your records will be used to facilitate the care you receive. Information held about you may be used to protect the health of the public and to help us manage the NHS. Information may also be used for clinical audit to monitor the quality of the service provided. In addition, your information will be used to identify whether you are at risk of a future unplanned hospital admission and/or require support to effectively manage a long term condition.

 

From time to time we may contact you to remind you about appointments you have at the Practice and to give you information on other services we provide (for example Flu clinics, Smoking Cessation advice, Health Checks).

 

HOW IS THE INFORMATION COLLECTED?

 

Your information will be collected either electronically using secure NHS Mail or a secure electronic transferred over an NHS encrypted network connection. In addition physical information will be sent to your practice. This information will be retained within your GP’s electronic patient record or within your physical medical records.

 

WHO WILL WE SHARE YOUR INFORMATION WITH?

 

In order to deliver and coordinate your health and social care, we may share information with the following organisations:

  • GP practices
  • Community services such as district nurses, rehabilitation services, telehealth and out of hospital services.
  • Child health services that undertake routine treatment or health screening
  • GP Practices in Shropshire in order to delivery extended primary care services
  • Shropshire Community Health NHS Trust
  • Shropshire Clinical Commissioning Group (CCG)
  • Shropshire and Telford Hospitals (SATH) or the Hospital you have chosen
  • Referral Assessment Service (RAS)
  • Care/Nursing Homes/Community Hospitals that you may be resident in
  • NHS 111 and Shropdoc Out of Hours Service
  • West Midlands Ambulance Service (WMAS)
  • Shropshire County Council (Adult & Children Social Services and Community Care)
  • Voluntary Support Organisations
  • Pharmacies/Prescription Pricing Authority
  • Her Majesty’s Coroner

 

Your information will only be shared if it is appropriate for the provision of your care or required to satisfy our statutory function and legal obligations. Your information will not be transferred outside of the European Union.

 

WHO DO WE RECEIVE INFORMATION FROM?

 

Whilst we might share your information with the above organisations, we may also receive information from them to ensure that your medical records are kept up to date and so that your GP can provide the appropriate care.

 

In addition we received data from NHS Digital (as directed by the Department of Health) such as the uptake of flu vaccinations and disease prevalence in order to assist us to improve “out of hospital care”.

 

THIRD PARTY PROCESSORS

 

In order to deliver the best possible service, the practice will share data (where required) with other NHS bodies such as other GP practices and hospitals. In addition the practice will use carefully selected third party service providers. When we use a third party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties includes:

 

  • Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc.
  • Delivery services (for example if we were to arrange for delivery of any medicines to you).
  • Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).

 

Further details regarding specific third party processors can be supplied on request.

As a controller you should inform your Patients (e.g. via posters or general communications) and undertake a Data Privacy Impact Assessment (DPIA) in relation to this change. Further supporting information is available here. We hope that this information, together with this letter, will assist your DPIA considerations and if you require any further detail then please do not hesitate to contact us and we would be happy to assist.

 

The safety and availability of your data is our utmost concern and we are confident that this approach will improve data security, integrity and performance.

 

HOW DO WE MAINTAIN THE CONFIDENTIALITY OF YOUR RECORDS?

 

We are committed to protecting your privacy and will only use information that has been collected lawfully. Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. We maintain our duty of confidentiality by conducting annual training and awareness, ensuring access to personal data is limited to the appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal basis for access.

 

Information is not held for longer than is necessary. We will hold your information in accordance with the Records Management Code of Practice for Health and Social Care 2016.

 

WHERE DO WE STORE YOUR INFORMATION ELECTRONICALLY?

 

All the personal data we process is processed by our staff in the UK however for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

No 3rd parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place such as a Data Processor as above).  We have a Data Protection regime in place to oversee the effective and secure processing of your personal and or special category (sensitive, confidential) data.

EMIS WEB

The Practice uses a clinical system provided by a Data Processor called EMIS, with effect from 10th June 2019, EMIS will start storing your practice’s EMIS Web data in a highly secure, third party cloud hosted environment, namely Amazon Web Services (“AWS”).

 

The data will remain in the UK at all times and will be fully encrypted both in transit and at rest. In doing this, there will be no change to the control of access to your data and the hosted service provider will not have any access to the decryption keys. AWS is one of the world’s largest cloud companies, already supporting numerous public sector clients (including the NHS), and it offers the very highest levels of security and support.

 

ACCURX (SMS & VIDEO CONSULTATIONS)

 

Video consultations are run by AccuRx, a NHS Digital approved supplier. Unique URLs are generated for each video consultation and all participants are visible in the consultation, no third party can ‘listen in’. The video and audio content is not recorded or stored on any server.

 

Links to files or documents sent via SMS by healthcare staff directly to a patient’s mobile phone are encrypted in transit via HTTPS and responses are encrypted at rest via TDE. Patients are also asked to input their date of birth as identity verification, before being able to access the document. The document is only accessible for 14 days.

Where a link to sensitive data is shared (e.g. to a document), the patient has to verify their identity by typing in the date of birth.

 

eCONSULT

 

Electronic consultations are run by eConsult Health Limited. eConsult enables NHS based GP practices to offer online consultations to their patients. This allows patients to submit their symptoms or requests to their own GP electronically, and offers around the clock NHS self-help information, signposting to services, and a symptom checker.

eConsult is the most widely used digital triage tool in NHS primary care, built by NHS GPs for NHS patients.

 

eConsult will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

 

eConsult have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, they limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. Third parties will only process your personal data on their instructions and they are subject to a duty of confidentiality.

 

eConsult will only retain your personal data for as long as necessary to fulfil the purposes they collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

 

To determine the appropriate retention period for personal data, they consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which they process your personal data and whether they can achieve those purposes through other means, and the applicable legal requirements.

 

WHERE DO WE STORE HARD COPIES OF YOUR INFORMATION?

 

The Practice stores all patients’ medical records off-site. The company responsible for storing and transporting the records on and off site is noteSpace.  noteSpace is IG compliant with all information processed within the NHS HSCN environment. Patient records requested electronically using noteSpace are safely and securely delivered from our IG / BS 27001:2005 security accredited storage facility via the GPS Tracked Secure Carrier Fleet.

When an electronic copy of a record is required, records are scanned at the storage facility and delivered direct to the practice via noteSpace using our secure NHS HSCN datacentre.

The secure storage solution that forms part of noteSpace is provided by Box-it and their parent company Oasis Group, a long established provider of records management services to both the NHS and Business community.

CONSENT AND OBJECTIONS

 

DO I NEED TO GIVE MY CONSENT?

 

The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how their data is used. When consent is used properly, it helps you build trust and enhance your reputation. However consent is only one potential lawful basis for processing information. Therefore your GP practice may not need to seek your explicit consent for every instance of processing and sharing your information, on the condition that the processing is carried out in accordance with this notice. Your GP Practice will contact you if they are required to share your information for any other purpose which is not mentioned within this notice. Your consent will be documented within your electronic patient record.

 

WHAT WILL HAPPEN IF I WITHHOLD MY CONSENT OR RAISE AN OBJECTION?

 

You have the right to write to withdraw your consent to any time for any particular instance of processing, provided consent is the legal basis for the processing. Please contact your GP Practice for further information and to raise your objection.

 

 

PARENTAL CONSENT

 

Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved.

 

ICO guidance:

  • You need to have a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Sometimes using an alternative basis is more appropriate and provides better protection for the child.
  • If you are relying on consent as your lawful basis for processing personal data, when offering an online service directly to a child, only children aged 13 or over are able provide their own consent.(This is the age proposed in the Data Protection Bill and is subject to Parliamentary approval).
  • For children under this age you need to get consent from whoever holds parental responsibility for the child – unless the online service you offer is a preventive or counselling service.
  • Children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased.

 

HEALTH RISK SCREENING / RISK STRATIFICATION

 

Health Risk Screening or Risk Stratification is a process that helps your GP to determine whether you are at risk of an unplanned admission or deterioration in health. By using selected information such as age, gender, NHS number, diagnosis, existing long term condition(s), medication history, patterns of hospital attendances, admissions and periods of access to community care your GP will be able to judge if you are likely to need more support and care from time to time, or if the right services are in place to support the local population’s needs.

 

To summarise Risk Stratification is used in the NHS to:

  • Help decide if a patient is at a greater risk of suffering from a particular condition;
  • Prevent an emergency admission;
  • Identify if a patient needs medical help to prevent a health condition from getting worse; and/or
  • Review and amend provision of current health and social care services.

 

Your GP will use computer based algorithms or calculations to identify their registered patients who are at most risk, with support from the local Commissioning Support Unit and/or a third party accredited Risk Stratification provider. The risk stratification contracts are arranged by NHS Shropshire Clinical Commissioning Group in accordance with the current Section 251 Agreement. Neither the CSU nor Shropshire CCG will at any time have access to your personal or confidential data. They will only act on behalf of your GP to organise the risk stratification service with appropriate contractual technical and security measures in place.

 

Your GP will routinely conduct the risk stratification process outside of your GP appointment. This process is conducted electronically and without human intervention. The resulting report is then reviewed by a multidisciplinary team of staff within the Practice. This may result in contact being made with you if alterations to the provision of your care are identified.

 

A Section 251 Agreement is where the Secretary of State for Health and Social Care has granted permission for personal data to be used for the purposes of risk stratification, in acknowledgement that it would overburden the NHS to conduct manual reviews of all patient registers held by individual providers.

 

As mentioned above, you have the right to object to your information being used in this way. However you should be aware that your objection may have a negative impact on the timely and proactive provision of your direct care. Please contact the Practice Manager to discuss how disclosure of your personal data can be limited.

 

SHARING OF ELECTRONIC PATIENT RECORDS WITHIN THE NHS

 

Electronic patient records are kept in most places where you receive healthcare. Our local electronic systems (such as EMIS Web) enable your record to be shared with organisations involved in your direct care, such as:

  • GP practices
  • Community services such as district nurses, rehabilitation services, telehealth and out of hospital services.
  • Child health services that undertake routine treatment or health screening
  • Urgent care organisations, minor injury units or out of hours services
  • Community hospitals
  • Palliative care hospitals
  • Care Homes
  • Mental Health Trusts
  • Hospitals
  • Social Care organisations
  • Pharmacies

 

In addition, NHS England have implemented the Summary Care Record which contains information about medication you are taking, allergies you suffer from and any bad reactions to medication that you have had in the past.

 

Your electronic health record contains lots of information about you. In most cases, particularly for patients with complex conditions and care arrangements, the shared record plays a vital role in delivering the best care and a coordinated response, taking into account all aspects of a person’s physical and mental health. Many patients are understandably not able to provide a full account of their care, or may not be in a position to do so. The shared record means patients do not have to repeat their medical history at every care setting.

 

Your record will be automatically setup to be shared with the organisations listed above, however you have the right to ask your GP to disable this function or restrict access to specific elements of your record. This will mean that the information recorded by your GP will not be visible at any other care setting.

You can also reinstate your consent at any time by giving your permission to override your previous dissent.

 

REMOTE WORKING

 

Marden Medical Practice will secure its data and its physical corporate assets when they are removed from Marden Medical Practice premises for the purpose of staff working in remote locations, including working from home.

 

It is intended that Marden Medical Practice complies with NHS and legal requirements for the securing of all information and physical assets whilst in transit and in use in locations outside Marden’s premises. By doing so Marden Medical Practice seeks to ensure the

 

  • Confidentiality of personal information
  • Integrity of information
  • Availability of information

 

 

SUPPORTING MEDICINES MANAGEMENT

 

CCGs support local GP practices with prescribing queries which generally don’t require identifiable information. CCG pharmacists work with your practice to provide advice on medicines and prescribing queries, and review prescribing of medicines to ensure that it is safe and cost-effective. Where specialist support is required e.g. to order a drug that comes in solid form, in gas or liquid, the CCG medicines management team will order this on behalf of the practice to support your care.

 

 

 

SAFEGUARDING


To ensure that adult and children’s safeguarding matters are managed appropriately, access to identifiable information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned.

 

SUMMARY CARE RECORD (SCR)

 

NHS England uses a national electronic record called the Summary Care Record (SCR) to support patient care. It contains key information from your GP record. Your SCR provides authorised healthcare staff with faster, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable.

 

Summary Care Records are there to improve the safety and quality of your care. SCR core information comprises your allergies, adverse reactions and medications. An SCR with additional information can also include reason for medication, vaccinations, significant diagnoses / problems, significant procedures, anticipatory care information and end of life care information. Additional information can only be added to your SCR with your agreement.

Please be aware that if you choose to opt-out of SCR, NHS healthcare staff caring for you outside of this surgery may not be aware of your current medications, allergies you suffer from and any bad reactions to medicines you have had, in order to treat you safely in an emergency.

Your records will stay as they are now with information being shared by letter, email, fax or phone. If you wish to opt-out of having an SCR please return a completed opt-out form to the practice.

 

YOUR RIGHT TO WITHDRAW CONSENT FOR US TO SHARE YOUR PERSONAL INFORMATION (OPT-OUT)


If you are happy for your data to be extracted and used for the purposes described in this fair processing notice then you do not need to do anything. If you do not want your information to be used for any purpose beyond providing your care you can choose to opt-out. If you wish to do so, please let us know so we can code your record appropriately. We will respect your decision if you do not wish your information to be used for any purpose other than your care but in some circumstances we may still be legally required to disclose your data.

 

There are two main types of opt-out.

 

TYPE 1 OPT-OUT

 

If you do not want information that identifies you to be shared outside the practice, for purposes beyond your direct care, you can register a ‘Type 1 Opt-Out’. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

 

TYPE 2 OPT-OUT

 

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a ‘Type 2 Opt-Out’. For further information about Type 2 Opt-Outs, please contact NHS Digital contact centre at enquiries@hscic.gov.uk referencing ‘Type 2 Opt-Outs – Data Requests’ in the subject line; or call NHS Digital on (0300) 303 5678; or visit the website: http://content.digital.nhs.uk/article/7092/Information-on-type-2-opt-outs .

 

If you wish to discuss or change your opt-out preferences at any time please contact the Practice Manager.

 

NATIONAL OPT-OUT FACILITY

 

You can choose whether your confidential patient information is used for research and planning.

 

Who can use your confidential patient information for research and planning?

 

It is used by the NHS, local authorities, university and hospital researchers, medical colleges and pharmaceutical companies researching new treatments.

Making your data opt-out choice

You can choose to opt out of sharing your confidential patient information for research and planning. There may still be times when your confidential patient information is used: for example, during an epidemic where there might be a risk to you or to other people’s health. You can also still consent to take part in a specific research project.

Will choosing this opt-out affect your care and treatment?

No, your confidential patient information will still be used for your individual care. Choosing to opt out will not affect your care and treatment. You will still be invited for screening services, such as screenings for bowel cancer.

What should you do next?

You do not need to do anything if you are happy about how your confidential patient information is used.

If you do not want your confidential patient information to be used for research and planning, you can choose to opt out securely online or through a telephone service.

You can change your choice at any time. To find out more or to make your choice visit nhs.uk/your-nhs-data-matters or call 0300 303 5678

 

INVOICE VALIDATION

 

If you have received treatment within the NHS, the local Commissioning Support Unit (CSU) may require access to your personal information to determine which Clinical Commissioning Group is responsible for payment for the treatment or procedures you have received. Information such as your name, address, date of treatment and associated treatment code may be passed onto the CSU to enable them to process the bill. These details are held in a secure environment and kept confidential. This information is only used to validate invoices in accordance with the current Section 251 Agreement, and will not be shared for any further commissioning purposes.

 

YOUR RIGHT OF ACCESS TO YOUR RECORDS

 

The Data Protection Act 1998 and General Data Protection Regulations allows you to find out what information is held about you including information held within your medical records, either in electronic or physical format. This is known as the “right of subject access”. If you would like to have access to all or part of your records, you can make a request in writing to the organisation that you believe holds your information. This can be your GP, or a provider that is or has delivered your treatment and care. You should however be aware that some details within your health records may be exempt from disclosure, however this will in the interests of your wellbeing or to protect the identity of a third party. If you would like access to your GP record please submit your request in writing to the Data Controller:

 

Marden Medical Practice

25 Sutton Road

Shrewsbury, SY2 6DL

COMPLAINTS

 

In the event that your feel your GP Practice has not complied with the current data protection legislation, either in responding to your request or in our general processing of your personal information, you should raise your concerns in the first instance in writing to the Practice Manager (Mrs Zoe George) at:

 

Marden Medical Practice

25 Sutton Road

Shrewsbury

SY2 6DL

 

Our Data Protection Officer (DPO) Is Mr Paul Couldrey, PCDC, NBV Enterprise Centre, 6 David Lane, Nottingham, Nottinghamshire, NG6 0JU, Tel: 0155 838 6770 Email: info@pcdc.org.uk

 

If you remain dissatisfied with our response you can contact the Information Commissioner’s Office at Wycliffe House, Water Lane, Wimslow, Cheshire SK9 5AF – Enquiry Line: 0303 123 1113 or online at: www.ico.gov.uk

 

 

 

 

Translate »