General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a new law that determines how your personal data is processed and kept safe, and the legal rights that you have in relation to your own data. You may wish to read our Practice Privacy Notice here
This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital. You may wish to read more about this here.
The regulation applies from 25th May 2018, and will apply even after the UK leaves the EU.
How we use your personal information
This information explains why the GP practice collects information about you and how that information will be used.
The health care professionals who provide you with care maintain records about your health and any treatment or care you have received. This can include care received within the GP practice, NHS Trusts, Walk-in clinics, Urgent Care centres, and the Bexley out of hours GP service. These records help to provide you with the best possible healthcare.
The Westwood and Pickford Surgeries Practice is a registered data controller and must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. Our ICO Data Protection Register number is [INSERT NUMBER] and our entry can be found in the Data Protection Register on the ICO website.
What type of personal data is used?
NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technologies to ensure that your information is kept confidential and secure. Records which this GP practice holds about you may include the following information;
- Details about you, such as your address, carer, legal representative, emergency contact details and NHS number
- Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations such as laboratory tests, x-rays, images etc.
- Relevant information from other health professionals, relatives or those who care for you
- Sensitive information, such as racial, ethnic origin, religious beliefs and sexual orientation
- Criminal offence information and/or safeguarding
How is your Data used?
To ensure you receive the best possible care, your records are used to facilitate the care and treatment you receive. Information held about you may also be used to protect the health of the public and to help us manage the NHS. Information may be used within the GP practice for clinical audits to monitor the quality of the service provided.
Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. This information can be used by other NHS statutory organisations to improve and develop services and information is de-identified so that your personal identifiable information is not seen.
All patients who receive NHS care are registered on a national database. The database is held securely by NHS Digital, a national organisation which has legal responsibilities to collect NHS data. More information can be found on the NHS Digital website
Purposes for using your information
To meet your healthcare needs in line with our statutory duty as a general practitioner, information is processed to provide direct health or social care to individual patients. When a patient agrees to a referral for direct care, such as to a hospital, relevant information about you will be shared with the other healthcare organisations and staff to enable them to give appropriate advice, investigations, treatment and/or other care. This will include providing details of prescription information to pharmacists and advising you of other beneficial health information.
Preventing ill health (Risk stratification)
The NHS is increasingly using technology to help determine a person’s risk of suffering a particular condition and to prevent an unplanned admission or (re)admission to hospital. This is known as ‘Risk Stratification’. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. De-identified information is analysed using special software and is provided back to your GP in identifiable form. This information enables your GP to focus on preventing ill health and not just the treatment of sickness. Examples of these in Bexley are;
Quality and clinical audit
Your information may be used within the surgery for the purpose of clinical audit, to monitor the quality of the services we provide and improve care.
The GP Practice may conduct medicines management reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost effective treatments. The practice works closely with the Bexley Clinical Commissioning Group medicines management team.
Patient and public involvement
If you are a member of the GP practice patient participation group (PPG), information will be held about you so the practice can keep you informed regarding the work the practice is involved in, as well as details of meetings and consultation events. When you submit your details to us for involvement purposes, we will only use your information for this purpose and you can opt out at any time by contacting the practice manager Andrew Macmenemy at the practice or on 0208 303 5353.
Accessible Information Standard and translation services
In line with the Accessible Information Standard (AIS), which was introduced in July 2015, the practice aims to ensure that people who have a disability, impairment or sensory loss receive information that they can access and understand, for example, in large print, braille or via email, or with professional communication support if it is required, i.e. a British Sign Language (BSL) interpreter.
The GP practice also offers translation services to support patients with their translation needs.
In both cases, this will require support from another service provider to assist with your requirements. Organisations that provide these services may maintain small amounts of information about you, such as your name, address, contact and NHS number.
When these services are used, it will be done so with your consent and the information you provide will be handled in strict confidence in line with the data protection laws.
Your preferences for communication can be provided to the GP practice and will be registered on your records.
Sometimes your information may be requested to be used for research purposes. The surgery will always gain your consent before releasing the information for this purpose.
Safeguarding adults and children
Sometimes, health and social care professionals may need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm.
These circumstances are rare and we do not need your consent or agreement to do this.
People’s wellbeing is at the heart of the care and support system under the Care Act 2014 and the prevention of abuse and neglect is one of the elements identified under a person’s wellbeing.
Our GP practice is committed to working in partnership with local authorities and the Clinical Commissioning Group’s safeguarding team to fulfill their safeguarding responsibilities.
GP practice website
As part of the enhanced services available on the GP practice website, personal information will be gathered when accessing online consultation services, such as: name, address, postcode, date of birth, gender, phone number and email address.
Staff and job applications
When individuals apply to work at our practice the information is used to process applications and recruit GP practice staff. Where the GP practice needs to disclose information to a third party, for example, to gain a reference, or to obtain a ‘disclosure’ from the Disclosure and Barring Service, the GP practice will not do so without informing the applicant beforehand, unless the disclosure is required by law.
Once a person has taken up employment the GP practice will maintain an employment file. The information contained in this file will be kept secure and will only be used for purposes directly relevant to that person’s employment.
What is the lawful basis for processing your information?
The General Data Protection Regulations 2018 (Articles 6(1)(a), 6(1)(e) and 9(2)(h)) legally provide the GP practice the right to process your information. The NHS Act 2006 and the Health and Social Care Act 2012 invest statutory functions in GP Practices to promote and provide the health services in England, improve quality of services, reduce inequalities, conduct research, review performance of services and deliver education and training.
To do this we will need to process your information in accordance with current data protection legislation to:
- Protect your vital interests
- Pursue our legitimate interests as a provider of medical care, particularly where the individual is a child or a vulnerable adult
- Perform tasks in the public’s interest
- Deliver preventative medicine, medical diagnosis and medical research
- Manage the health and social care system and services.
Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.
Your information will only be shared if it is appropriate for the provision of your care or required to satisfy our statutory function and legal obligations.
Keeping your information private
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the General Data Protection Regulations, Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of practice on confidential information.
Every member of staff who works for our practice has a legal obligation to keep information about you confidential. Anyone who receives information from an NHS organisation or health care service, or processes it on their behalf, has a legal and contractual duty to keep it confidential.
The practice will not share your information with third parties without your consent unless there are exceptional circumstances, such as when the health and safety of you or others is at risk, to protect the health and wellbeing of children and vulnerable adults, or where the law requires us to do so.
Sharing information for your care and well-being
We will share relevant information from your medical record with other health or social care staff or organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital, or your GP will send details about your prescription to your chosen pharmacy.
Healthcare staff working in A&E/Urgent Care Centres and the out of hours GP care service will also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions and the medication you are taking. This will involve the use of your Summary Care Record. For more information see: https://digital.nhs.uk/summary-care-records or alternatively speak to your practice.
Your information may be shared if you have received treatment to determine which Clinical Commissioning Group (CCG) is responsible for paying for your treatment. This may include your name, address, NHS number and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances such as:
- Through a court order, where a judge has ordered that specific and relevant information should be disclosed – in such an event as preventing crime or fraud
- When it is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health, such as a flu pandemic or rare infectious disease
- When it is necessary to protect the vital interests of an individual to protect the safety and welfare of vulnerable children and adults
- When there are specific lawful conditions to do so under the General Data Protection Regulations; or any subsequent data protection laws.
Caldicott Principle 7
The duty to share information can be as important as the duty to protect patient confidentiality. This means that health and social care professionals will share information in the best interest of their patients within the framework which is set out in the Caldicott principles.
Caldicott Guardian details
All NHS organisations are required to nominate a Caldicott Guardian. This role has the responsibility for protecting the confidentiality of patient information and enabling appropriate information sharing.
The name of our GP practice Caldicott Guardian is:
Setting a national opt-out preference
Commissioned by the Secretary of State for Health, Dame Fiona Caldicott, the National Data Guardian for Health Care (NDG), has reviewed data security and data sharing in the health and social care system. The so-called ‘Caldicott review’ provides for people to be able to make an informed choice about whether to share data or not.
Patients and public who decide they do not want their personally identifiable data used for planning and research purposes will be able to set their national opt-out preference.
As of the 25th May 2018, residents have the right to opt out of their personal confidential information being used for the following purposes:
- Providing local services and running the NHS and social care
- Supporting research and improving treatment of care
To set an opt-out preference, NHS Digital will offer digital (online) and non-digital national data opt-out systems.
For further information and support relating to opt-outs, please contact NHS Digital.
The opt-out will not apply where there is a mandatory legal requirement or an overriding public interest. These will be areas where there is a legal duty to share information (for example a fraud investigation) or an overriding public interest (for example to tackle the Ebola virus).
Who are our partner organisations?
Below are just some of the organisations that we may have to share your information with. This would only be done in line with the lawful basis for sharing information under the data protection laws.
- NHS Trusts / Foundation Trusts
- Other GPs
- NHS Commissioning Support Units
- Independent Contractors such as dentists, opticians, pharmacists
- Private Sector Providers
- Voluntary Sector Providers
- Ambulance Trusts
- Clinical Commissioning Groups
- Social Care Services
- NHS Digital
- Primary Care Support England
- Local Authorities
- Education Services
- Fire and Rescue Services
- Police & Judicial Services
- Other ‘data processors’ which you will be informed of
We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.
Sharing your information to improve your care
To be able to provide the best care for our patients, a system called Connect Care was developed. A similar system called Local Care Record is used in other parts of south east London. These systems allow GP staff, hospital staff, district nurses and other local organisations involved in your care to share important information about the people they care for. This could include checking which medications a patient is taking or a child's immunisation history.
Only authorised staff will have access to these systems on a need to know basis and the information is operated over a secure network.
You will be asked your permission at the point of care before viewing your record. If you are unable to give permission e.g. in an emergency, your care provider may access your record if they believe it is in your best interest.
Health providers who have access to your records will be better informed about your care and it enables faster and effective delivery of your care, without the need for sharing information by letter, email, fax or phone.
You have the right to choose not to have your information available through Connect Care and the Local Care Record. If you don’t want your information to be available through this service and want to find out how to opt-out, or want to find out how this might affect your care, visit the Connect Care web page. If you do not have access to the website, you can call 020 8836 4592 and leave your name and number for someone to contact you.
Sharing information with our local partners in Bexley
Urgent Care Centres
The Hurley Group provide urgent care and out of hours service to residents of Bexley. This service is offered at two sites – Queen Mary’s Hospital Sidcup and Erith District Hospital.
GP Hubs - extended hours service
Bexley Health Neighbourhood Care (BHNC) provides patients who are registered with a GP practice in Bexley with access to evening and weekend GP appointments. BHNC was created by local GPs and is based at Queen Mary’s Hospital Sidcup and Erith District Hospital.
Bexley Health Limited provides referral booking management services for GP practices and patients in Bexley.
Ways we may communicate with you
Our practice may need to contact you for a variety of reasons including to:
- discuss your care and treatment
- Offer you a new appointment or alter an existing one
- Send you a reminder of an existing appointment
- Ask your opinion of our services
- Tell you about other care services (such as flu jabs)
- Arrange for transport to be provided
- Arrange for a home visit
- If you are a member of the patient participation group
It is important to confirm with your GP practice your communication preferences at the time of registering.
Our standard way to contact you is by letter or telephone. We may also use emails and SMS text messaging.
When our practice uses text messaging services, no confidential information will be contained in the message; it will generally be a reminder for an appointment or care service message.
It is important that you advise your GP practice of any change of details in relation to your phone and contact details as soon as possible.
You can change your communication preferences or opt out of the SMS text service at any time by contacting the surgery. (Please note: Changes of address must be done in writing or in person at the surgery and will not be taken over the telephone.)
Contact made to and from the GP practice via an individual’s private email account is not secure. Any patient or service user using this method does so at their own risk (however small).
How do I gain access to my personal information?
You have a right to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. You are able to either view or receive copies of records held in electronic or paper format.
This type of request is known as a ‘Subject Access Request’ (SAR) and can be made in writing to the GP via email or post. For information from the hospital you will need to write direct to them. In special circumstances your right to see some details in your health records may be limited, to protect you and others mentioned in your records from harm, and to maintain the confidentiality of others.
Under the Data Protection laws our GP practice is required to respond to your request within 30 days. You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located.
No fee will be charged for this service, unless a request is manifestly unfounded, excessive or repetitive.
GP patient on-line service
Patients with access to the internet or a personal computer can register for the ‘Patient On-line service’. Patients can sign up and register with the practice to view parts of their GP record, including information about medication, allergies, vaccinations, previous illnesses and test results. This service also offers booking and cancelling appointments on-line and ordering repeat prescriptions. For more information see GP Online services.
Other additional information rights
As well as the right to have access to your personal information, under the data protection laws of 2018, individuals also have:
- the right to be informed (Through this privacy notice and other methods of communication)
- the right for information to be rectified
- the right to erasure
- the right to restrict processing
- the right to portability
- the right to object
- rights in relation to automated decision making and profiling
There are various exceptions and circumstances where your request may be refused, and therefore individuals should always consult with the practice manager when making a request under their individual rights.
Can I access the records of my children?
You may be able to access the records of your child/children. However, if a clinician has stated that he/she believes your child/children to be competent to make their own decisions, then you will not have an automatic right of access. If this is the case, any requests for copies of your child’s records will need to be with the consent of your child/children.
As above, there may be legal exceptions when it will not be appropriate or possible to obtain information, such as safeguarding or a court order.
To apply for access, please use the procedure above.
To carry out your rights or request a copy of your information please contact:
Data Protection Lead
Name: Janet Borthwick (Practice Manager)
Address: The Westwood Surgery, 24 Westwood Lane, Welling DA16 2HE
How long do we keep your information?
GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found at:
Transfer of information outside the European Union to third countries or international organisations.
There are legal restrictions imposed on health and care organisations regarding the transfer of personal data outside the European Union, to third countries or international organisations. Our GP practice does not share or transfer information outside of the European Union, to third countries or international organisations.
Automated individual decision-making (Profiling)
Automated individual decision-making is defined as making decisions or evaluating things about an individual solely by automated means without any human involvement.
Most GP practices in Bexley provide an on-line healthcare consultation process which provides self-care advice. This on-line consultation service may use automated clinical decision making tools.
Personal data breaches
All organisations that process personal data have a duty to report certain types of personal data breach to the Information Commissioner’s Office within 72 hours of an incident occurring.
What to do if you have any questions?
Should you have any concerns about how your information is managed at the practice, please contact [INSERT NAME].
NHS England leads the National Health Service (NHS) in England, sets the priorities and direction of the NHS, and encourages and informs the national debate to improve healthcare. The NHS England website provides information on how to provide your feedback or make a complaint. https://www.england.nhs.uk/
The Information Commissioner’s Office is a UK independent body which has been established to uphold information rights for individuals.