Fair Processing Notice for patients: data protection and confidentiality
Our identity – who we are, what we do.
The Holborn Medical Centre is a traditional GP Partnership; we are a training GP practice, with GP registrars, salaried GPs, practice nurses, health care assistant and counsellors.
The reasons why we collect and use patient data
We collect data on patients so we can deliver direct patient care, and this means we can process patient data lawfully under the General Data Protection Regulations 2018 (GDPR). We are therefore known as a Data Controller.
The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.).
These records help to provide you with the best possible healthcare.
NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure.
Records which this practice holds about you may include the following information, and they are retained until a person dies:
- Details about you, such as your address, email address, telephone number, legal representative, emergency contact details
- Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations such as laboratory tests, x-rays, etc.
- Relevant information from other health professionals, relatives or those who care for you.
To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within our practice for clinical audit to monitor the quality of the service provided.
Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.
Sometimes your information may be requested to be used for research purposes. The surgery will always gain your consent before releasing the information for this purpose (further detail below).
How do we maintain the confidentiality of your records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- General Data Protection Regulation 2018
- Data Protection Act 1998
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- Health and Social Care Act 2012
- NHS Codes of Confidentiality and Information
- Information: To Share or Not to Share Review
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. All our staff undergo yearly training on data protection.
We will only ever use or pass on health information about you if others involved in your care have a genuine need for it. We will not disclose your health information to any 3rd party without your
- there are exceptional circumstances (i.e. life or death situations),
- where the law requires information to be passed on (e.g. in event of a serious crime)
- in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review (Information: to share or not to share https://www.gov.uk/government/publications/the-information-governance-review ) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.
Holborn Medical Centre Oversight
We have assigned a Data Protection Officer who has oversight of the handling of information within the Practice. They oversee and make decisions on information sharing and are accountable for information risk. If you wish to contact the Data Protection Officer, please contact the practice directly.
Other Data Sharing / Access Projects and special cases
Direct Patient Care
Often we have to share information for your medical care, such as with a hospital when we refer you or if you attended an urgent care centre. Our practice also has electronic links with other local services, hospital, out of hours or community services so they can see your record that we hold and vice versa when they are dealing with your medical care. Please contact the practice if you would like more detail. Please see CIDR below for more detail.
Special cases and the Law
The law requires us to share information from your medical records in certain circumstances. Information is shared so that the NHS or Public Health England can, for example:
- plan and manage services;
- check that the care being provided is safe;
- prevent infectious diseases from spreading.
We will share information with NHS Digital, the Care Quality Commission and the local health protection team (or Public Health England) when the law requires us to do so.
- NHS Digital is a national body which has legal responsibilities to collect information about health and social care services.
- It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients.
- This practice must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012.
Care Quality Commission (CQC)
- The CQC regulates health and social care services to ensure that safe care is provided.
- The law says that we must report certain serious events to the CQC, for example, when patient safety has been put at risk.
- For more information about the CQC see: https://www.cqc.org.uk
- The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population.
- We will report the relevant information to the local health protection team or Public Health England.
For more information about Public Health England and disease reporting see: https://www.gov.uk/guidance/notifiable-diseases-and-causative-organisms-how-to-report
National screening programmes
- The NHS provides national screening programmes so that certain diseases can be detected at an early stage.
- These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service.
- The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.
More information can be found at: https://www.gov.uk/topic/population-screening-programmes
The Holborn Medical Centre sometimes shares information from medical records:
- to support medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best;
- we will also use your medical records to carry out research within the practice.
This is important because:
- the use of information from GP medical records is very useful in developing new treatments and medicines;
- medical researchers use information from medical records to help answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive.
We share identifiable information with medical research organisations only with your explicit consent or when the law requires.
You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the practice if you wish to object.
Some of our practices have CCTV in place for security reasons. These records are kept secure in a similar manner to patient records and follow the ICO code of practice https://ico.org.uk/for-organisations/guide-to-data-protection/cctv/ Information is only shared in the exceptional circumstances set out above.
Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your pseudonymised information and is only provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services. Please note that you have the right to opt out.
Camden Integrated Care Record (CIDR)
Care Integrated Digital Record (CIDR) is an electronic record linking information from health and social care organisations across Camden. Health and care professionals can view their patients'/clients' records through an online portal to enable them to provide the best possible care to patients and clients.
CIDR includes information about patients/clients recorded by acute hospitals, mental health, community health, social care and GP Practices. Healthcare professionals across North Central London are able to access their patient’s records through CIDR to enable them to make the best informed decision about their patient’s health and provide the best possible care.
The source of the information shared in this way is your electronic GP record for the purposes of direct care.
You have the right to raise an objection to your personal data being shared in CIDR. You also have the right to opt out of having a CIDR record by completing an opt-out form with your Practice, although we will first need to explain how this may affect the care you receive.
Information submitted online
The practice website allows for the submission of some personal information for the purposes of updating your medical record e.g. new contact details. The service is provided by accredited suppliers, and all information submitted is covered by the same regulations as all other patient information.
Access to personal information
You have a right under the General Data Protection Regulations 2018 to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. In order to request this, you need to do the following:
- Your request must be made in writing to the practice - for information from hospital you should write direct to them.
- There is no charge for this.
- We are required to respond to you within one calendar month.
- You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located.
Objections / Complaints
Should you have any concerns about how your information is managed, please contact the Practice Manager or the Data Protection Officer. If you are still unhappy following a review by the practice, you can then complain to the Information Commissioner's Office (ICO) via their website www.ico.org.uk
Opting out of Data Sharing
If you are happy for your data to be extracted and used for the purposes described in this fair processing notice then you do not need to do anything.
If you do not want your personal data to be extracted and to leave the GP practice for any of the purposes described, you need to let us know as soon as possible.
We will then enter clinical codes into your records that will prevent data leaving the practice and / or leaving the central information system at NHS Digital.
From the 25th of May you will be able to do this online. See https://www.nhs.uk/your-nhs-data-matters/manage-your-choice/
Other Useful Sources of Information
A highly recommended source of information for patients that helps explain how your data is used in the health service - https://understandingpatientdata.org.uk