Who we are
We are a GP practice who provide a range of primary health services including GP and nurse appointments, prescription dispensing and delivery, minor surgery, specialist clinics for diabetes, COPD and other long-term conditions.
What is a privacy notice?
Why issue a fair processing notice?
We recognise the importance of protecting personal and confidential information in all that we do and we take care to meet our legal and regulatory duties. This notice is one of the ways in which we can demonstrate our commitment to the safety and security of your personal information.
This notice also explains what rights you have to control how we use your information.
Legal basis for holding and processing information
Our legal basis for holding and processing information is:
GDPR Article 6 (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, and;
GDPR Article 9 (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
Why and how we collect information
We may ask for or hold personal confidential information about you which will be used to support delivery of appropriate care and treatment. This is to support the provision of high quality care.
This information may include:
- Basic details, such as name, address, date of birth, next of kin
- Contact we have had, such as appointments and home visits
- Details and records of treatment and care, including notes and reports about your health
- Results of x-rays, blood tests, etc
- Information from people who care for you and know you well, such as health professionals and relatives
It may also include personal sensitive information such as sexuality, race, your religion or beliefs, and whether you have a disability, allergies or health conditions. It is important for us to have a complete picture, as this information assists staff involved in your care to deliver and provide improved care, deliver appropriate treatment and care plans, to meet your needs.
Information is collected in a number of ways, via your healthcare professional, clinic details from a hospital, out-of-hours service or ambulance service, or directly given by you.
How we use information
- To help inform decisions that we make about your care.
- To ensure that your treatment is safe and effective.
- To work effectively with other organisations who may be involved in your care.
- To support the health of the general public.
- To ensure our services can meet future needs.
- To review care provided to ensure it is of the highest standard possible.
- To train healthcare professionals.
- For research and audit.
- To prepare statistics on NHS performance.
- To monitor how we spend public money.
When using information to inform future services and provision, non-identifiable information will be used.
How information is retained and kept safe
There are a number of ways in which your privacy is shielded; by removing your
identifying information wherever possible, by only accessing your data on a need-to-know basis, by having systems access controlled by NHS smartcards, by access audits, and by ensuring data sharing and processing agreements are in place.
The Data Protection Act 1998 and successor legislation regulates the processing of personal information. Strict principles govern our use of information and our duty to ensure it is kept safe and secure.
Caldbeck Surgery is registered with the Information Commissioners Office (ICO). Details of our registration can be found on https://ico.org.uk/esdwebpages/search.
Technology allows us to protect information in a number of ways, in the main by restricting access.
How do we keep information confidential?
Everyone working for the Practice is subject to the Common Law Duty of Confidentiality and the Data Protection Act 1998.
Under the NHS Confidentiality Code of Conduct, all staff are required to protect information, inform you of how your information will be used and allow you to decide if and how your information can be shared. This will be noted in your records.
All practice staff undertake annual training in data protection, confidentiality and IT security, with additional training for specialists such as those dealing with healthcare records, data protection officers and IT staff.
There are only three situations in which we will disclose any of your personal information to those who are not directly caring for you:
- When you give your explicit consent;
- Where you or another person may otherwise come to harm, or to help investigate violent crime, or;
- When ordered to by a court.
There are no other circumstances in which we will disclose your personal information to anyone.
Clinical placements for students commonly take place within our practice. Students such as student nurses or medical students could be receiving training with us.
We will always ask for your permission before a clinical student participates in providing your care. The treatment or care you receive will not be affected if you refuse to have a student present during your episode of care.
Who can the information be shared with?
To provide best care possible, sometimes we will need to share information about you with others. We may share your information with other NHS or statutory County Council social care organisations and regulatory bodies. Examples of this are sharing your medical details with the North West Ambulance Service, with the Cumberland Infirmary or other NHS hospital, with other service providers for the purposes of referral to those services.
Sharing with non-NHS organisations
For your benefit, we may also need to share information from your records with non-NHS organisations, from whom you are also receiving care, such as social services or private healthcare organisations. We cannot disclose any health information to non-NHS organisations without your explicit consent, unless there are exceptional circumstances, such as when your health is at risk and you are unable to provide consent. In this situation we are bound to act in your best interest.
Your right to withdraw consent for us to share your personal information
You have the right to refuse/withdraw consent to information sharing at any time. We will fully explain the possible consequences to you, which could include delays in you receiving care.
Contacting us about your information
Each organisation has a senior person responsible for protecting the confidentiality of your information and enabling appropriate sharing. This person is known as the Caldicott Guardian. Our Caldicott Guardian is Martin Woodham, who you can contact via reception.
If you have any questions or concerns regarding the information we hold on you, the use of your information or would like to discuss further, please contact Martin.
Can I access my information?
Under the GDPR you have the right of access to your medical record, and you may request erasure or redaction in certain circumstances. For more information on how to exercise these rights please ask at reception.
NHS UK – http://www.nhs.uk/pages/home.aspx
What are we governed by?
The key pieces of legislation/guidance we are governed by are:
- Data Protection Act 1998 and successor legislation
- Human Rights Act 1998 (Article 8)
- Access to Health Records Act 1990
- Freedom of Information Act 2000
- Health and Social Care Act 2012, 2015
- Public Records Act 1958
- Copyright Design and Patents Act 1988
- The Re-Use of Public Sector Information Regulations 2015
- The Environmental Information Regulations 2004
- Computer Misuse Act 1990
- The Common Law Duty of Confidentiality
- The Care Record Guarantee for England
- The Social Care Record Guarantee for England
- International Organisation for Standardisation (ISO) – Information Security Management Standards (ISMS)
- Information Security Management – NHS Code of Practice
- Records Management – Code of Practice for Health and Social Care 2016
- Accessible Information Standards (AIS)
- General Data Protection Regulations (GDPR) – post 25th May 2018
Who are we governed by?
Department of Health – https://www.gov.uk/government/organisations/department-ofhealth
Information Commissioner’s Office – https://ico.org.uk/
Care Quality Commission – http://www.cqc.org.uk/
NHS England – https://www.england.nhs.uk/
Our doctors, nurses, healthcare professionals and registered support staff are
also regulated and governed by professional bodies including Royal colleges.
Contacting us if you have a complaint or concern
We try to meet the highest standards when collecting and using personal information as required to by law. We encourage people to bring concerns to our attention and we take any complaints we receive very seriously. You can submit a complaint verbally or in writing to the reception team or the practice manager.
If you remain dissatisfied with our decision following your complaint, you may wish to contact:
Information Commissioner’s Office
Their web site is at www.ico.gov.uk The Information Commissioner will not normally consider an appeal until you have exhausted your rights of redress and complaint to the practice.