Privacy Notice

BACK TO MAIN INDEX

In line with the new GDPR legislation introduced as of 25th May 2018, please see our privacy notice in full below:

How we use your information to provide you with healthcare

• This practice keeps medical records confidential and complies with the General Data Protection Regulation and UK data protection legislation.
• We hold your medical record so that we can provide you with safe care and treatment.
• We will also use your information so that this practice can check and review the quality of the care we provide. This helps us to improve our services to you.
• We will share relevant information from your medical record with other health or social care staff organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital, or your GP will send details about your prescription to your chosen pharmacy.
• We use a medical record system called SystmOne. Other health and social care organisations, for example GP Out of Hours services and community services, who also use this system may have the ability to view your GP medical record when they are providing care to you. You may be asked if you are happy for your record to be viewed, or in some circumstances you may be sent a verification code to allow services caring for you to view your record. You can choose not to allow other organisations to be able to view your GP medical record.
• Healthcare staff working in A&E and out of hours care may also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions. This information may be obtained from your Summary Care Record or from SystmOne. For more information see our Summary Care Records page
• You have the right to request to have any mistakes in your medical record corrected.

Other important information about how your information is used to provide you with healthcare

Registering for NHS care

• All patients who receive NHS care are registered on a national database.
• This database holds your name, address, date of birth and NHS Number but it does not hold medical information about the care you receive.
• The database is held by NHS Digital, a national organisation which has legal responsibilities to hold the NHS register.
• More information can be found via the NHS Digital website or the phone number for general enquires at NHS Digital is 0300 303 5678

Identifying patients who might be at risk of certain diseases

• Your medical records may be searched by approved computer programmes so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital.
• This means we can offer patients additional care or support as early as possible.
• This process may involve linking information from your GP record with information from other health or social care services you have used.

Safeguarding

• Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm.
• These circumstances are rare.
• We do not need your consent or agreement to share information in these circumstances, as we are required to do this.
• Please see local policies for more information:

We are required by law to provide you with the following information about how we handle your information to provide you with healthcare.

Purpose of the processing

• To provide direct health or social care to individual patients.
• For example, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care.
• To check and review the quality of care. This is called audit and clinical governance.

Lawful basis for processing

• These purposes are supported under the following sections of the General Data Protection Regulation:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or
in the exercise of official authority…’; and
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the
assessment of the working capacity of the employee, medical diagnosis, the provision of
health or social care or treatment or the management of health or social care systems and
services...”

• Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.

Recipient or categories of recipients of the processed data

The data will be shared with:

• healthcare professionals and staff in this surgery;
• local hospitals
• out of hours services;
• diagnostic and treatment centres;
• screening services;
• or other organisations involved in the provision of direct care to individual patients.
• Organisations who help us manage our data for specific purposes, and under formal agreement, include:

1. Serco-ASP who provide our End of Life Care Dashboard for clinicians caring for patients who are terminally ill. 
2. Cambridgeshire & Peterborough NHS Foundation Trust who help identify patients who are frail and may require additional care services.
3. ICS Health and Wellbeing who send letters to patients on our behalf, inviting patients to attend a diabetes prevention service where we have identified them as being at risk of developing diabetes.

Right to object

• You have the right to request to object to information being shared between organisations who are providing you with direct care.
• This may affect the care you receive.
• You are not able to object to your name, address and other demographic information being sent to, and held by, NHS Digital.
• This is necessary if you wish to be registered to receive NHS care.
• You are not able to object when information is legitimately shared for safeguarding reasons.
• In appropriate circumstances it is a legal and professional requirement to share information for safeguarding reasons. This is to protect people from harm.
• The information will be shared with the local safeguarding service(s). Data we get from other organisations
• We receive information about your health from other organisations who are involved in providing you with health and social care. 

Data we get from other organisations

• We receive information about your health from other organisations who are involved in providing you with health and social care. 
• For example, if you go to hospital for treatment or an operation the hospital will send us a letter to let us know what happens. This means your GP medical record is updated when you receive care from other organisations.

How your information is used for medical research and to measure the quality of care

Medical research using population-based information

We share information from medical records:

• to support medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best;
• we will also use your medical records to carry out research within the practice.

This is important because:

• the use of information from GP medical records is very useful in developing new treatments and medicines;
• medical researchers use information from medical records to help answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive.
• We share information with the following medical research organisations with your explicit consent or when the law allows: CRN Eastern | NIHR Clinical Research Network
• You have the right to object to your identifiable information being used or shared for medical research purposes.

Medical research trials that individual patients may agree to take part in

• If the practice takes part in a medical research trial, individual patients may be invited to be part of the trial. In order to take part, patients will be asked to consent to their data being used and shared for the particular research trial.

Checking the quality of care – national clinical audits

This practice contributes to national clinical audits so that healthcare can be checked and
reviewed.

• Information from medical records can help doctors and other healthcare workers measure and check the quality of care which is provided to you.
• The results of the checks or audits can show where hospitals are doing well and where they need to improve.
• The results of the checks or audits are used to recommend improvements to patient care.
• Data is sent to NHS Digital which is a national body with legal responsibilities to collect data. 
• The data will include information about you, such as your NHS Number and date of birth and information about your health which is recorded in coded form - for example the code for diabetes or high blood pressure.
• We will only share your information for national clinical audits or checking purposes when the
• law allows.
• For more information about national clinical audits see the Healthcare Quality Improvements Partnership website or phone 020 7997 7370.
• You have the right to object to your identifiable information being shared for national clinical audits.

We are required by law to provide you with the following information about how we handle your information for research.

Purpose of the processing

• Medical research, and to check the quality of care which is given to patients (this is called national clinical audit).

Lawful basis for processing

The following sections of the General Data Protection Regulation mean that we can use medical records for research and to check the quality of care (national clinical audits)

• Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.

For medical research: there are two possible Article 9 conditions.

• Article 9(2)(a) – ‘the data subject has given explicit consent…’ (where an individual has agreed to take part in a specific research trial)

OR

• Article 9(2)(j) – ‘processing is necessary for… scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’. (where data is used for medical research using population based information)

To check the quality of care (clinical audit):

• Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services...’

Recipient or categories of recipients of the processed data

• For medical research the data will be shared with NHS Digital and CRN Eastern | NIHR Clinical Research Network
• For national clinical audits which check the quality of care the data will be shared with NHS Digital.

Rights to object and the national data opt-out

• Most of the time, anonymised data is used for research and planning so that you cannot be identified.
• From 25th May 2018, the national data opt-out enables you have a choice about whether you want your identifiable confidential patient information to be used for research and planning.
• To find out more or to register your choice under the national data opt-out, please visit the NHS website. You can change your mind about your choice at any time.

How your information is shared so this practice can meet legal requirements

The law requires the practice to share information from your medical records in certain circumstances. Information is shared so that the NHS or Public Health England can, for example:

• plan and manage services;
• check that the care being provided is safe;
• prevent infectious diseases from spreading.

We will share information with NHS Digital, the Care Quality Commission and local health protection team (or Public Health England) when the law requires us to do so. Please see below for more information.

We must also share your information if a court of law orders us to do so.

NHS Digital

• NHS Digital is a national body which has legal responsibilities to collect information about health and social care services.
• It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients.
• This practice must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012.
• More information about NHS Digital and how it uses information can be found via the NHS Digital website
• NHS Digital sometimes shares names and addresses of patients suspected of committing immigration offences with the Home Office. More information on this can be found via this website

Care Quality Commission (CQC)

• The CQC regulates health and social care services to ensure that safe care is provided.
• The law says that we must report certain serious events to the CQC, for example, when patient safety has been put at risk.
• For more information about the CQC see their website

Public Health

• The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population
• We will report the relevant information to local health protection team or Public Health England.
• For more information about Public Health England and disease reporting click here

We are required by law to provide you with the following information about how we handle your information and our legal obligations to share data.

Purpose of the processing

• Compliance with legal obligations or court order.

Lawful basis for processing

The following sections of the General Data Protection Regulation mean that we can share information when the law tells us to:

• Article 6(1)(c) – ‘processing is necessary for compliance with a legal obligation to which the controller is subject…’
• Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the
• provision of health or social care or treatment or the management of health or social care systems and services...’

Recipient or categories of recipients of the processed data

• The data will be shared with NHS Digital.
• The data will be shared with the Care Quality Commission.
• The data will be shared with our local health protection team or Public Health England.
• The data will be shared with the court if ordered.

Rights to object and the national data opt-out

• There are very limited rights to object when the law requires information to be shared but government policy allows some rights of objection as set out below.

NHS Digital

• You have the right to object to your identifiable information being shared with NHS Digital for reasons other than your own direct care.
• This is called a ‘Type 1’ opt-out – you can ask your practice to apply this code to your record.
• Opting out of sharing your confidential patient information
• From 25th May 2018, the national data opt-out enables you have a choice about whether
• you want your identifiable confidential patient information to be used for research and
• planning. This replaces a ‘Type 2 opt-out’.
• To find out more or to register your choice under the national data opt-out, please visit the NHS website. You can change your mind about your choice at any time.

NHS Digital sharing with the Home Office

• There is no right of objection to NHS Digital sharing names and addresses of patients who are suspected of having committed an immigration offence.

Public health

• Legally information must be shared under public health legislation. This means that you are unable to object.

Care Quality Commission

• Legally information must be shared when the Care Quality Commission needs it for their regulatory functions. This means that you are unable to object.

Court order

• Your information must be shared if it ordered by a court. This means that you are unable to object.

National screening programmes

• The NHS provides national screening programmes so that certain diseases can be detected at an early stage.
• These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service.
• The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.
• More information can be found via this website

We are required by law to provide you with the following information about how we handle your information in relation to our legal obligations to share data.

Purpose of the processing

• The NHS provides several national health screening programmes to detect diseases or conditions early such as cervical and breast cancer, aortic aneurysm and diabetes.
• The information is shared so that the correct people are invited for screening. This means those who are most at risk can be offered treatment.

Lawful basis for processing

The following sections of the General Data Protection Regulation allow us to contact patients for screening:

• Article 6(1)(e) – ‘processing is necessary…in the exercise of official authority vested in the controller...’
• Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the
• provision of health or social care or treatment or the management of health or social care
• systems and services...’

Recipient or categories of recipients of the processed data

• The data will be shared with NHS Digital, hospital laboratory services, local breast screening units, and Health Intelligence who provide diabetic eye screening.
• The Practice shares your diabetes related data with the Diabetic Eye Screening Programme operated by Health Intelligence, commissioned by NHS England. 

Rights to object

• For national screening programmes you can opt so that you no longer receive an invitation to a screening programme.

Data we get from other organisations

• We receive information about your screening test results from other organisations who are involved in providing these services.
• This means your GP medical record is updated with screening results.

Data we hold about you

We hold data about you in electronic and paper records. We use a combination of working
practices and technology to ensure that your information is kept confidential and secure.
The type of data that we hold about you may include the following:

• Details about you, such as your address and next of kin;
• Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
• Notes and reports about your health;
• Details about your treatment and care;
• Results of investigations, such as laboratory tests, x-rays, etc.
• Relevant information from other health professionals, relatives or those who care for you.
• Your medical record is held in a computer system called SystmOne. This system is provided to us under a National contract. Your data is held and managed in secure data centres by TPP. For more information please visit this website

SMS and Email

• We will hold your mobile phone number and email address where you have provided these to us.
• We may use these to send you text messages or emails about your care, for example, messages about appointments, test results, or inviting you to attend for a clinic.
• You have the right to provide your mobile number for calls only. If you do not wish to receive text messages from us, please speak to the practice so we can add this to your record to prevent text messages being sent to you.
• You have to right to have your email address or mobile phone number removed from your GP record.
• We will only use the email address or mobile phone number for direct medical care purposes, unless you have provided us with your explicit consent to email you for other purposes as well, for example, for us to send you surgery newsletters, details from patient participation group meetings, or details about new services.
• If you provide your consent for us to send you information other than for your direct care, you can remove this consent at any time.

Right to access and correct

• You have the right to access the data we hold about you, and request to have any errors or mistakes corrected. Please speak to a member of staff for our ‘subject access request’ policy 
• We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.

Retention period

• GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found via this website

Right to complain

• If you have concerns about the way we manage your data. Please contact the surgery
• You have the right to seek independent advice about data protection, as well as the right to complain, by contacting the Information Commissioner’s Office or call the helpline 0303 123 1113

Data Controller

Contact Details: Bridge Street Medical Centre, 2 All Saints Passage, Cambridge, CB2 3LS
Data Protection Registration Number:  Z7521934
Date last reviewed or updated: 17th May 2018