Introduction

At College Lane Surgery, we have a legal duty to explain how we use any personal information we collect about you at the organisation. This is in both electronic and paper format. 

 

Why do we have to provide this privacy notice?

We are required to provide you with this privacy notice by law. It provides information about how we use the personal and healthcare information we collect, store and hold about you. If you have any questions about this privacy notice or are unclear about how we process or use your personal information or have any other issue regarding your personal and healthcare information, then please contact our Data Protection Officer Helen McNae, helen.mcnae@this.nhs.uk.

The main things the law says we must tell you about what we do with your personal data are:

●        We must let you know why we collect personal and healthcare information about you

●        We must let you know how we use any personal and/or healthcare information we hold about you

●        We need to inform you in respect of what we do with it

●        We need to tell you about who we share it with or pass it on to and why

●       We need to let you know how long we can keep it for

The General Data Protection Regulation (GDPR) became law on 24 May 2016. This was a single EU-wide regulation on the protection of confidential and sensitive information. It entered into force in the UK on the 25 May 2018, repealing the Data Protection Act (1998). Following Brexit, the GDPR became incorporated into the Data Protection Act 2018 (DPA18) at Part 2, Chapter 2 titled The UK GDPR.

For the purpose of applicable data protection legislation (including but not limited to the Data Protection Act 2018 (DPA2018) and Part 2 the UK GDPR).

 

Using your information

We will use your information so that we can check and review the quality of care we provide. This helps us improve our services to you.

·         We will share relevant information from your medical record with other health or social care staff or organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital or your GP will send details about your prescription to your chosen pharmacy. 

·         More information on how we share your information with organisations who are directly involved in your care can be found here: How we use data :: West Yorkshire Health & Care Partnership

·         Healthcare staff working in A&E and out of hours care will also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions. This will involve the use of your Summary Care Record For more information see NHS E Summary Care Record or alternatively speak to this organisation. 

You have the right to object to information being shared for your own care. Please speak to this organisation if you wish to object. You also have the right to have any mistakes or errors corrected.

 

Registering for NHS care

·        All patients who receive NHS care are registered on a national database (NHS Spine). The Spine is held and maintained by NHS England, a national organisation which has legal responsibilities to collect NHS data.

 

·        More information can be found at NHS England - Spine 

 

Identifying patients who might be at risk of certain diseases

·         Your medical records will be searched by a computer programme so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital. This means we can offer patients additional care or support as early as possible. 

·         This process will involve linking information from your GP record with information from other health or social care services you have used. Information which identifies you will only be seen by this organisation.

 

NHS England

We must share data for:

- Public health

- Commissioning

- National audits

- Funding arrangements

- Emergency response

Primary Care Support England (PCSE)

We must share data for:

- Payments and pensions

- Performer lists

- Staff records

- Medical record transfers

Summary Care Record (SCR)

Your SCR contains:

- Medications

- Allergies

- Adverse reactions

This allows urgent care services to treat you safely.

The system is mandatory, but you may opt out individually.

Personal Demographics Service (PDS)

Used for:

- NHS number verification

- Address updates

- Death notifications

GP Connect

Allows secure NHS sharing between:

- Your GP

- Hospitals

- Urgent treatment centres

- Out-of-hours services

OpenSAFELY

Your pseudonymised GP data is used for:

- Population health analysis

- Medicines safety

- Health inequality monitoring

- National research

No identifiable data leaves the secure NHS environment.

National Screening & Immunisation Programmes

We must share data for:

- Childhood immunisations

- Cancer screening

- Disease monitoring

Safeguarding

We are legally required to share information with:

- Local Authorities

- Police

- Safeguarding partners

Where there is a risk of harm.

Extended Access & Out-of-Hours Services

We share records with:

- GP Care Wakefield / Conexus Health

So you can receive care outside normal surgery hours.

 

Summary Care Record (SCR)

There is a national NHS healthcare records database provided and facilitated by NHS England, which holds your Summary Care Record (SCR). Your SCR is an electronic record which contains information about the medicines you take, allergies you suffer from and any bad reactions to medicines you have had. Storing information in one place makes it easier for healthcare staff to treat you in an emergency, or when your GP Practice is closed. This information could make a difference to how a doctor decides to care for you, for example which medicines they choose to prescribe for you.

Only healthcare staff involved in your care will access your Summary Care Record. When you are registered with a GP Practice in England your Summary Care Record is created automatically. It is not compulsory to have a Summary Care Record. If you choose to opt-out, you need to inform the Practice. For further information about SCR, visit the NHS England website.

Following the covid pandemic, a change has been made to the way Summary Care Records are made available, to enable health and care professionals to have better medical information about the patient they are treating at the point of care. If you have not previously expressed a preference about your SCR, both the core information set out above, and additional information below will be included in your SCR by default. 

The additional information includes:

·         significant medical history (past and present);

·         reason for medication;

·         anticipatory care information (such as information about the management of long-term conditions);

·         end of life care information;

·         information about your immunisations.

Specific sensitive information such as any fertility treatments, sexually transmitted infections, pregnancy terminations or gender reassignment will not be included, unless you specifically ask for any of these items to be included.

 

GP Connect

We use a facility called GP Connect to support your direct care. GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patient care, leading to improvements in both care and outcomes. GP Connect is not used for any purpose other than direct care.

Authorised Clinicians such as GPs, NHS111 Clinicians, Care Home Nurses (if you are in a Care Home), Secondary Care Trusts, Social Care Clinicians can access the GP records of the patients they are treating via a secure NHS England service called GP connect.

The NHS 111 service (and other services determined locally e.g. other GP Practices in a Primary Care Network) will be able to book appointments for patients at GP Practices and other local services. For additional information about the GP Connect facility, visit the NHS England website.

 

GP Clinical System - Electronic Patient Records

Our Practice uses an electronic patient record to securely process and share information between NHS staff.  This means that the healthcare professional who is caring for you can see your medical history, including any allergies and current medications, to provide you with safe care.  Our Practice uses SystmOne as our Electronic Patient Record.  You can find out more about SystmOne on the TPP Website here: https://www.tpp-uk.com/products/systmone, or further details on sharing in SystmOne can be found here.

We also use SystmConnect at our Practice which is an online consultation platform which is fully integrated with the SystmOne Electronic Patient Record.  Further details can also be found on the TPP website here.

 

Safeguarding

·         Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm. These circumstances are rare, and we do not need your consent or agreement to do this.

 

·         Please see our local policies for more information: https://westyorkscp.trixonline.co.uk/

 

OpenSAFELY COVID-19 Service

·         NHS England has been directed by the government to establish and operate the OpenSAFELY COVID-19 Service and the OpenSAFELY Data Analytics Service. These services provide a secure environment that supports research, clinical audit, service evaluation and health surveillance for COVID-19 and other purposes.

·         Each GP practice remains the controller of its own GP patient data but is required to let approved users run queries on pseudonymised patient data. This means identifiers are removed and replaced with a pseudonym.

·         Only approved users are allowed to run these queries, and they will not be able to access information that directly or indirectly identifies individuals.

·         Patients who do not wish for their data to be used as part of this process can register a type 1 opt out with their GP.

·         Here you can find additional information about OpenSAFELY

Medical Research

·         This organisation shares information from medical records to support medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best. We will also use your medical records to carry out research within the organisation.

·         The use of information from GP medical records is very useful in developing new treatments and medicines; medical researchers use information from these records to help to answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive.

·         You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the organisation if you wish to object.  

 

Microsoft Teams

 

College Lane Surgery uses Microsoft Teams for internal staff communication to improve coordination and efficiency. No patient-identifiable information is shared through Teams except in approved clinical MDT settings. All clinical records continue to be stored securely within official NHS systems (SystmOne).

 

Surgery Connect by X-on Health

 

As part of the practices contract, we a required to move to a safe & secure cloud-based telephony system. Practices will be able to provide patients with a more holistic and personalised care with cloud-based telephony, and features such as, call recording & call back facility and system integration will help to achieve this. The aim of the X-on Surgery Connect platform is to improve communications between healthcare staff and patients resulting in improved outcomes, experience and productivity. X-on Surgery Connect is approved by NHS England to be used by GP practices and the other systems involved in patient care. NHS England has a lengthy assurance process to make sure they meet the highest standards of safety and security. Your data is safe and is shared only with your GP Practice.

The Practice uses the following X-on Surgery Connect features:

·         Telephone consultations, call recording, patient communications.

 

Checking the quality of care – national clinical audits

·         This organisation contributes to national clinical audits so that healthcare can be checked and reviewed. Information from medical records can help doctors and other healthcare workers to measure and check the quality of care that is provided to you.

·         The results of the checks or audits can show where organisations are doing well and where they need to improve. These results are also used to recommend improvements to patient care. 

·         Data is sent to NHS England, a national body with legal responsibilities to collect data.

·         The data will include information about you, such as your NHS Number and date of birth, and information about your health which is recorded in coded form – for example the code for diabetes or high blood pressure. 

·         We will only share your information for national clinical audits or checking purposes when the law allows.

·         For more information about national clinical audits see the Healthcare Quality Improvements Partnership website.

·         You have the right to object to your identifiable information being shared for national clinical audits. Please contact the organisation if you wish to object.

 

How We Protect Your Information

 

We use:

- Encryption

- Smartcards and access controls

- Secure NHS networks

- Audit logs

- Staff confidentiality training

- Secure messaging platforms

- Secure telephony systems

 

We are required by law to provide you with the following information about how we handle your information:

Data Controller	College Lane Surgery
Data Protection Officer	Helen McNae, helen.mcnae@this.nhs.uk
Purpose of the processing	To give direct health or social care to individual patients. An example is, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care. To check and review the quality of care. (This is called audit and clinical governance).   Medical research and to check the quality of care which is given to patients (this is called national clinical audit).
Lawful basis for processing	These purposes are supported under the following sections of the GDPR:   Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and   Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”    The following sections of the GDPR mean that we can use medical records for research and to check the quality of care (national clinical audits):   Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.   For medical research: there are two possible Article 9 conditions.   Article 9(2)(a) – ‘the data subject has given explicit consent…’   or   Article 9(2)(j) – ‘processing is necessary for… scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’.   Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.
Recipient or categories of recipients of the processed data	The data will be shared with:   ●        Healthcare professionals and staff in this surgery ●        Local hospitals ●        Out of hours services ●        Diagnostic and treatment centres ●        Other organisations involved in the provision of direct care to individual patients ●        TPP SystmOne, Airmid, SystmConnect (main clinical and online platforms) ●        NHS App – appointments, prescriptions and GP record access ●        AccuRx (messaging, questionnaires, appointment booking links etc) ●        Surgery Connect from X-on Health (telephony and call recording) ●        Intelligent Integration Interface & Seca Software – ECG and spirometry ●        THIS IT (local NHS IT service) ●        Docmail (patient letters) ●        Swift Integration Broker – admin workflow integration ●        Dictate IT – clinical dictation and transcription ●        Microsoft Teams – internal staff communications ●        PCSE – Primary Care Support England ●        GP Connect (for sharing records between organisations) ●        NHS Digital Services ●        OpenSAFELY COVID-19 Service ●        Bright HR – staff HR management ●        iConnect – GP training and supervision   For national clinical audits which check the quality of care the data will be shared with NHS England.
Rights to object and the national data opt-out	You have the right to object to information being shared between those who are providing you with direct care. This may affect the care you receive – please speak to the practice. You are not able to object to your name, address and other demographic information being sent to NHS England. This is necessary if you wish to be registered to receive NHS care.   You are not able to object when information is legitimately shared for safeguarding reasons. In appropriate circumstances it is a legal and professional requirement to share information for safeguarding reasons. This is to protect people from harm. The information will be shared with the local safeguarding service, Wakefield Social Care Direct.   The national data opt-out model provides an easy way for you to opt-out of information that identifies you being used or shared for medical research purposes and quality checking or audit purposes.  Please contact the practice if you wish to opt-out. Further information is available from NHS England.
Right to access and correct	You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff or look at our Access to Medical Records Policy.   We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.
Retention period	Records will be kept in line with the law and national guidance. Information on how long records are kept can be found in the Records Management Code of Practice.
Right to complain	In the unlikely event that you are unhappy with any element of our data-processing methods, do please contact the Practice Manager in the first instance. If you feel that we have not addressed your concern appropriately, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).   Further details, visit https://ico.org.uk/for-the-public/ and select “Make a complaint” or telephone: 0303 123 1113.
Data we get from other organisations	We receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation the hospital will send us a letter to let us know what happens. This means your GP medical record is kept up-to date when you receive care from other parts of the health service.

 

Our Young Person's Privacy Notice can be found here.