Fair Processing Privacy Notice

Version: V3.0
Ratified by: Alan Kershaw, SIRO
Date Ratified: July 2021
Author(s), role, contact: Robin Green, Quality, BI Team Manager
Responsible Committee / Officers: SPCT SIRO, Caldicott Guardian and DPO
Date Issue: July 2021
Review Date: July 2022
Intended Audience: Unlimited
Impact Assessment: QUALITY, EQUALITY & DIVERSITY, PRIVACY
Category of document: Data Protection
This document will be read in conjunction with but not restricted to
Published by: Salford Primary Care Together, 3rd Floor, 2 City Approach, Albert Street, Eccles, Salford, M30 0BL
Copies available from:
Practice website: www.spctpractices.co.uk
SPCT Organisation website: https://www.spctogether.co.uk/fair-processing-notice/

Version | Purpose of review/comments | Reviewed by | Date
V0.3 | Issued for Approval and Ratification | Executive Team |
V1.0 | Approved | |
V2.0 | Annual review and updated in line with National Data Opt Out programme | Robin Green | March 2020
 | Annual review & updated in line with National Data Opt Out programme | |
V3.0 | Notice approved | Alan Kershaw | June 2021

Your Information, Your Rights

Being transparent and providing accessible information to patients about how we will use your personal information is a key element of the Data Protection Act 2018 and the EU General Data Protection Regulations (GDPR).

The following notice reminds you of your rights in respect of the above legislation and how your GP Practice will use your information for lawful purposes in order to deliver your care and the effective management of the local NHS system.

This notice reflects how we use information for:

  • The management of patient records;
  • Communication concerning your clinical, social and supported care;
  • Participation in health and social care research; and
  • The management and clinical planning of services to ensure that appropriate care is in place for our patients today and in the future.

Data Controller

As your registered GP practice and provider of primary care services, we are the data controller for any personal data that we hold about you. A Data Controller has overall control of the practice data and is responsible for keeping your information secure and confidential. The contact details are:

Data Controller
Salford Primary Care Together
3rd Floor
2 City Approach
Albert Street
Eccles
Manchester
M30 0BL

Data Protection Officer (DPO)

The GDPR requires that public authorities appoint a DPO.  The primary role of the DPO is to ensure that the processing of personal data of staff, patients and any other individuals processed by the organisation is in compliance with the relevant data protection rules.  Although the DPO oversees compliance with data protection regulations, the responsibility for compliance is held by the Data Controller.

DPO services are provided by Salford CCG for all Salford GP practices (including Salford Primary Care Together) under the terms of the GP contract. If you would like to raise or discuss any issues relating to data processing, you can contact us at salccg.spct@nhs.net.

What information do we collect and use?

All personal data must be processed fairly and lawfully, whether it is received directly from you or from a third party in relation to your care.

We will collect the following types of information from you or about you from a third party (provider organisation) engaged in the delivery of your care:

  • ‘Personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified from the data. This includes, but is not limited to, name, date of birth, full postcode, address, next of kin and NHS Number;
  • ‘Special category / sensitive data’ such as medical history including details of appointments and contact with you, medication, emergency appointments and admissions, clinical notes, treatments, results of investigations, supportive care arrangements, social care status, race, ethnic origin, genetics and sexual orientation.

Your healthcare records contain information about your health and any treatment or care you have received previously (e.g. from an acute hospital, GP surgery, community care provider, mental health care provider, walk-in centre, social services).  These records may be electronic, a paper record or a mixture of both.  We use a combination of technologies and working practices to ensure that we keep your information secure and confidential.

We have limitations within our clinical systems; however, for the majority of our uses and sharing of data we will aim to record your consent, either verbally or in writing, before we share any of your data where it is outside of the usual processing required for providing you with GP or Primary Care services. The usual processes will include our standard practice to share (such as a hospital referral) or where it would be in your best interests for us to share (where there has been an emergency). It is our responsibility to share only what is necessary.

Core principles of processing your data

  • Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes, and data would only be used in this way with your specific agreement.
  • You can change your mind about your choice at any time.
  • Your information will not be transferred outside of the European Union. This currently remains the case following Britain’s exit from the European Union: https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/information-rights-at-the-end-of-the-transition-period-frequently-asked-questions/#transfer.
  • Information is not held for longer than is necessary. We will hold your information in accordance with the Records Management Code of Practice for Health and Social Care 2016.
  • We will never under any circumstances sell your personal information.

Your Right of Access to Your Records

The Data Protection Act and General Data Protection Regulations allow you to find out what information is held about you, including information held within your medical records, either in electronic or physical format. This is known as the “right of subject access”. If you would like to have access to all or part of your records, you can make a request in writing to the organisation that you believe holds your information. This can be your GP practice, or a provider that is delivering or has delivered your treatment and care. You should however be aware that some details within your health records may be exempt from disclosure; however, this will be in the interests of your wellbeing or to protect the identity of a third party. If you would like access to your GP record please contact our reception team.

Uses of your data for research and planning

Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

General Practices do not manage consent preferences under the National Data Opt Out programme.  To find out more or to register your choice to opt out, you can select the National Data Opt Out menu on the right hand side of this page or visit www.nhs.uk/your-nhs-data-matters.

Sharing of Electronic Patient Records within the NHS

Electronic patient records are kept in most places where you receive healthcare.  Electronic systems used in the practice enable your record to be shared with organisations involved in your direct care, such as:

  • GP practices
  • Community services such as district nurses, rehabilitation services, telehealth and out of hospital services.
  • Child health services that undertake routine treatment or health screening
  • Urgent care organisations, minor injury units or out of hours services
  • Community hospitals
  • Palliative care hospitals
  • Care Homes
  • Mental Health Trusts
  • Hospitals
  • Social Care organisations
  • Pharmacies

At a national level, NHS England have implemented the Summary Care Record which contains information on medication you are taking, allergies and any bad reactions to medication that you have had in the past.

Your record will be automatically set up to be shared with the organisations listed above; however, you have the right to ask your GP to disable this function or restrict access to specific elements of your record. This will mean that the information recorded by your GP will not be visible at any other care setting.

You can also consent to additional information from your GP record being included on your Summary Care Record.  This includes significant medical history (past and present), reasons for medication, anticipatory care information (such as information about the management of long term conditions), end of life care information and immunisations.  Additional information can only be included with explicit patient consent (unless a patient does not have the capacity to consent) and will only be used for the purposes of direct patient care.

You can also reinstate your consent at any time by giving your permission to override your previous dissent.

In addition, Salford has its own local patient record sharing system known as the Salford Integrated Record (SIR). SIR contains the information held on your GP record as well as information from your clinic and hospital records. This record is only accessible by health and social care professionals directly involved in your care. Staff will inform you if they wish to view your record each time you come into contact with a health professional, and every time a record is viewed the identity of the reader is recorded. You can request details of all the people who have accessed your SIR. Staff can be asked to give a reason why they have viewed your record and will be disciplined if rules on confidentiality are broken. As this forms an element of direct patient care, there is no option to opt out of the SIR.

Salford is currently in the process of moving towards a GM Care Record to replace SIR.  More information about the GM Care Record is available at: healthinnovationmanchester.com/thegmcarerecord

SMS Text Messaging

At Salford Primary Care Together we may send out SMS text messages to patients in order to support the delivery of direct care. This will most commonly be in the form of ‘2-Way’ text messaging to remind patients of upcoming pre-booked appointments and to allow patients to cancel unwanted appointments through reply SMS without needing to phone the surgery. We may also contact you by this means to support delivery of other direct care services. This may include (but is not limited to) invitations to book in for flu vaccination clinics or annual review appointments. We will never use this text messaging service to contact you for marketing or any other purposes which fall outside the definition of direct care.

Our SMS solution is provided by iPLATO, a web-based company that is hosted securely within N3 (the NHS network), and is compliant with the NHS Information Governance Statement of Compliance. There is a clear and unambiguous ability and legal basis for sharing data with iPLATO for processing patient data to deliver healthcare services under GDPR. Nevertheless, we operate a consent-based approach to managing patient communication preferences, and any patients who wish to withdraw or ‘opt out’ of receiving text messages should contact the practice reception team.

Other providers we use

  • Our clinical system is provided by a company called Vision who hold your electronic health record. Vision are an accredited supplier on the GP IT Framework.
  • Your paper records whilst in transit are processed by Primary Care Support England, which is actually a private company called CAPITA.
  • We use a company called Docmail to send out letters to both individual patients and targeted groups (e.g. annual review recalls or flu vaccination invites).
  • We use a company called AccuRx to provide patient video consultations.
  • We use a company called Silicon Practice to provide our GP practice website.

Coronavirus (Covid-19) pandemic and your information

The Information Commissioner’s Office (ICO) recognises the unprecedented challenges the NHS and other health professionals are facing during the Coronavirus (COVID-19) pandemic.

The ICO also recognises that ‘Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health.’

Under the Notice issued by the Secretary of State on 20th March 2020 made under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) which was addressed to GP Practices, NHS England are seeking to establish a national dataset to support the management of the 2020/21 Flu and Covid-19 Vaccination Programme.

Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information can be found on the www.gov.uk website.

During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information.  This includes National Data Opt-outs.  However, in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply.

Invoice Validation

If you have received treatment within the NHS, the local Commissioning Support Unit (CSU) may require access to your personal information to determine which Clinical Commissioning Group is responsible for payment for the treatment or procedures you have received.  Information such as your name, address, date of treatment and associated treatment code may be passed onto the CSU to enable them to process the bill.  These details are held in a secure environment and kept confidential.  This information is only used to validate invoices in accordance with the current Section 251 Agreement, and will not be shared for any further commissioning purposes.

Do I need to give my consent?

The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how their data is used. When consent is used properly, it helps you build trust and enhance your reputation. However, consent is only one potential lawful basis for processing information. Therefore Salford Primary Care Together may not need to seek your explicit consent for every instance of processing and sharing your information, on the condition that the processing is carried out in accordance with this notice. Your GP Practice will contact you if they are required to share your information for any other purpose which is not mentioned within this notice. Your consent will be documented within your electronic patient record.

What will happen if I withhold my consent or raise an objection?

You have the right to write to withdraw your consent at any time for any particular instance of processing, provided consent is the legal basis for the processing. Please contact Salford Primary Care Together for further information and to raise your objection. You can do this by either directly contacting our reception team or by emailing us at salccg.spct@nhs.net.