Privacy

This section of the privacy notice describes how we may use your information to protect you and others during the Covid-19 outbreak. 

The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. Further information is available on gov.uk and some FAQs on this law are available here- https://www.nhsx.nhs.uk/covid-19-response/data-and-information-governance/information-governance/copi-notice-frequently-asked-questions/.

During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includes National Data Opt-outs. However in relation to the Summary Care Record, existing choices will be respected. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

During this period of emergency we may offer you a consultation via telephone or video-conferencing. By accpeting the invitation and entering the consultation you are consenting to the use of data for the purposes of delivering your care but this is not consent to use your data for any other purposes. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here – https://www.nhsx.nhs.uk/covid-19-response/data-and-information-governance/how-data-supporting-covid-19-response/.

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.

In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you. Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards.

We may amend this privacy notice at any time so please review it frequently. This policy was last updated on 18/05/2020

Westbourne Medical Centre aims to ensure the highest standard of medical care for our patients. To do this we keep records about you, your health and the care we have provided or plan to provide to you.

 This privacy notice does not provide exhaustive details of all aspects of the collection and use of personal information by Westbourne Medical Centre.  However, we are happy to provide any additional information or explanation needed.  If you wish to request further information please contact patient.contact@nhs.net.

 We will collect information such as personal details, including name, address, next of kin, records of appointments, visits, telephone calls, your health records, treatment and medications, test results, X-rays, etc. and any other relevant information to enable us to deliver effective medical care.

Your data is collected for the purpose of providing direct patient care; however, we can disclose this information if it is required by law, if you give consent or if it is justified in the public interest. The practice may be requested to support research; however, we will always gain your consent before sharing your information with medical research databases or others when the law allows.

Your records are used to:

– Provide a basis for all health decisions made by care professionals with and for you;

– Make sure your care is safe and effective;

– Work effectively with others providing you with care.

– We also may use, or share, your information for the following purposes:

– Looking after the health of the general public;

– Making sure that our services can meet patient needs in the future;

– Auditing accounts;

– Preparing statistics on NHS performance and activity (where steps will be taken to ensure you cannot be identified);

– Investigating concerns, complaints or legal claims;

– Helping staff to review the care they provide to make sure it is of the highest standards;

– Training and educating staff;

– Research approved by the Local Research Ethics Committee. (If anything to do with the research would involve you personally, you will be contacted to provide consent);

We work with a number of other NHS and partner agencies to provide healthcare services to you.  Below is a list of trusted organisations that we currently share your information with, only when they are involved with your care:

Over time this might extend to include;

– MJog for the purpose of providing appointment reminders by text messaging;

– AccuRx for the purposes of e-consultation, video calling or text messaging you to provide or request health information related to our direct care and treatment;

– Attend Anywhere for providing a secure video call service for video consultations for the purposes of providing direct care and treatment; 

– other NHS hospitals

– relevant GP Practices

– dentists, opticians and pharmacies

– private Sector Providers (private hospitals, care homes, hospices, contractors providing services to the NHS)

– voluntary Sector Providers who are directly involved in your care

– Ambulance Trusts

– Specialist Trusts

– Health & Social Care Information Centre (HSCIC)

– Clinical Commissioning Groups

– NHS 111

– Out of Hours medical service

– NHS walk in centres

– NHS England

– The Health and Social Care Information Centre (HSCIC)

This list is not intended to be exhaustive and we may well share data with other NHS care services but it will always be for the purpose of your direct care.

We may also share your information, with your consent, and subject to strict sharing protocols, about how it will be used, with:

 – Local authority departments, including social care and health (formerly social services), education and housing and public health;

 – Police and fire services

Our Practice uses an electronic patient record to securely process and share information between NHS staff. The Practice operates a Clinical Computer System called SystmOne on which NHS Staff record information securely.  This information can then be shared with other clinicians, such as GP out of hours services, so that everyone caring for you is fully informed about your medical history, including allergies and medication. This information may be obtained from your Summary Care Record or from System One. For more information see https://digital.nhs.uk/summary-care-records .

To provide around the clock safe care, unless you have asked us not to, we will make information available to trusted organisations.  Wherever possible, their staff will ask your consent before your information is viewed.

We are able to share clinical information about your health and care requirements held on your SystmOne electronic patient record with other health organisations including other GP practices, child health services, community health services, hospitals, out of hours, continuing healthcare team at the CCG and other similar organisations. This means that the healthcare professional looking after you has the most relevant information to enable them to provide you with the most appropriate care. We automatically set up the sharing facility in our electronic patient record system to allow your information to be shared out to other health organisations.

Local trusted organisations that we work with on a regular basis are able to access your record immediately once they have asked your permission. If you say “no” they will not be able to see any information. An audit log is maintained, showing who accessed your record and when it was accessed. You are entitled to request a copy of this log.

If you see a healthcare professional outside your local geographic area (who also uses SystmOne), and you agree that they can have access to your medical records, you will be asked to provide additional security details in the form of a verification code which is sent to you either as a text, email or via your SystmOnline account. It is therefore important that we always have your up-to-date contact details.

If you do not wish us to share your information in this way, please let us know at Reception and we will ensure that your information is not shared.

Our Practice uses EMIS as our Electronic Patient Record. You can find out more about EMIS on their website here:  https://www.emishealth.com/care-settings/primary-care/

Primary Care Networks (PCNs) are groups of GP Practices working closely together with their local partners (e.g. other primary and community care staff, mental health, social care, pharmacy, hospital and voluntary services for the benefit of patients and the local community. Our Practice is part of Poole Bay and Bournemouth PCN, alongside Denmark Road Medical Centre, Winton Health Centre and Leybourne Surgery.

Working as part of a network rather than a stand-alone business means that the GP Practices in our PCN can share expertise and resources which means that we can offer a wide range of services to suit the needs of our local community to give you the best possible care. You may be seen by clinicians from anywhere in our PCN, at any of our Practices. In order that they can give you the best possible care, they will have access to your health data. Only healthcare staff involved in your care will have access to your record.

To support your care, and improve the sharing of relevant information to our partner organisations when they are involved in looking after you, we will share information to other systems.  The general principle is that information is passed to these systems unless you request this does not happen, but that system users should ask for your consent before viewing your record.  

Your information may be shared if you have received treatment, to determine which Clinical Commissioning Group (CCG) is responsible for paying for your treatment. This information may include your name, address and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.

We record all incoming and outgoing telephone calls to and from the Practice for the following purposes:

 ·         to help with staff training (in this instance a transcript of the call is created which contains no patient identifiable or sensitive information);

 ·         to enable us to obtain the necessary facts in the event of a complaint;

 ·         for patient telephone consultations (in this instance a transcript of the call is created and entered into the individual patient health record);

 ·         for medico-legal purposes; and

 ·         for quality assurance to allow us to audit and improve our service to you.

 Recordings of telephone calls will only be accessed where necessary by the Practice management team.  Recordings are stored in accordance with the Records Management Code of Practice for Health and Social Care 2016 Retention Schedule, after which they are deleted.

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 2018, Article 8 of the Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security. We adhere to the General Data Protection Regulation (GDPR), as well as guidance issued by the Information Commissioner’s Office (ICO).

 Access to information is strictly controlled and restricted to those who need it in order to do their jobs. All our staff receive annual mandatory training on confidentiality and data security and have strict contractual clauses within their employment contracts which oblige them to respect data protection and confidentiality. We will only ever use or pass on your information if there is a genuine need to do so.  We will not disclose information about you to third parties without your permission unless there are exceptional circumstances, such as when the law requires.

 At all times your information is kept secure.  We use encryption for sending electronic information and if we are sending your information in the post we use the special delivery service for sensitive medical information.

 To protect your confidentiality, we will not normally disclose any medical information about you over the telephone, or by fax, unless we are sure that we are talking to you.  This means that we will not disclose information to your family, friends, and colleagues about any medical matters at all, unless we know that we have your consent to do so.

Anyone who receives information from us is also under a legal duty to keep it confidential and secure

All persons in the practice sign a confidentiality agreement that explicitly makes clear their duties in relation to personal health information and the consequences of breaching that duty.

Please be aware that your information will be accessed by non-clinical practice staff in order to perform tasks enabling the functioning of the practice.  These are, but not limited to:

 – Typing referral letters to hospital consultants or allied health professionals;

 – Opening letters from hospitals and consultants;

 –  Scanning clinical letters, radiology reports and any other documents not available in electronic format;

 – Photocopying or printing documents for referral to consultants;

 – Handling, printing, photocopying and postage of medico legal and life assurance reports and of associated documents.

The national data opt-out programme affords patients the opportunity to make an informed choice about whether they wish their confidential patient information to be used for their individual care and treatment or also used for research and planning purposes. Patients who wish to opt out of data collection can set their national data opt-out choice online. This can be done via the NHS Digital national data opt-out page  https://www.nhs.uk/your-nhs-data-matters/manage-your-choice/or by calling 0300 3035678. Further information is available at:   https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research), and  https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made).

 Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

An alternative provision will be made for those patients who are unable to or do not want to use the online system.

You have the right to request a copy of the personal information that we hold about you; this is known as a Subject Access Request. We have one month to reply to you and give you the information that you require. This can be extended by two further months, if the request is complex or we have received a number of requests from you. Subject Access Requests can be made by you the patient, by a legal representative; a solicitor acting on your behalf, a carer, parent, guardian or appointment representative, with appropriate consent. A personal representative also has the right of access to deceased records.

If you would like a copy of the information we hold about you, please contact:

Westbourne Medical Centre

Address: Milburn Road, Westbourne, BH4 9HJ

Tel: 01202 752550

Email: patient.contact@nhs.net

We will provide this information free of charge however, we may in some limited and exceptional circumstances have to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive.

We can restrict disclosure of your information if your doctor feels that granting access would disclose information likely to cause serious harm to your physical or mental health or that of another individual, and where you do not already know the information. Or where granting access would disclose information relating to or provided by a third party who could be identified from the information, and who has not provided consent for it to be released.

Right to restrict or object to the use of your information

We cannot share your information with anyone else for a purpose that is not directly related to your health without your consent. Patients have the right to restrict the processing of your personal information for secondary purposes through NHS Digital’s National Data Opt-Out. More information is available here.

The right to restrict processing of healthcare data can only be exercised in the following circumstances:

• the accuracy of the data is contested;
• the processing is unlawful.Right to have incorrect information corrected

If you feel that information held about you is incorrect, you have the right to ask for it to be corrected. This applies to matters of fact, not opinion. Incorrect contact information such as your address will be corrected immediately. If the information is of a clinical nature, this will need to be reviewed and investigated by the Practice, which will result in one of the following outcomes:

• the Practice considers the information to be correct at the time of recording and will not amend the data. A statement from you may be placed within the record to demonstrate that you disagree with the information held. You have the right to appeal to the Information Commissioner;
• the Practice agrees that the information is incorrect, however it is not legal to modify or remove information within the record as it represents ‘historical information’ which may have influenced subsequent events of decisions made. In these circumstances, a note will be made in the record which advises the reader of the inaccuracy and of the correct facts. The Practice will agree the content of the note with you.

Right to data portability

This right only applies where the original processing is based on the data subjects’ consent or fulfilment of a contract that they are party to, and if the processing is automated. However, in the spirit of the Regulations, you have the right to request that your personal and/or healthcare information is transferred, in and electronic or other form, to another organisation.

Right to appropriate decision making

The right to appropriate decision making applies to automated processing, including profiling, which produces legal outcomes, or that significantly affects you. The Practice has not identified any automated processing which is solely automated and without human involvement in the outcome of the processing.

Right to erasure

This is sometimes known at the right to be forgotten, but it is not an absolute right. You cannot ask for this right of erasure in relation to records which the Practice is legally bound to retain. The Practice has an obligation, not only to retain information for a specified time period, but also not to retain information for longer than is necessary and will dispose of information securely.

Right to lodge a complaint

In the unlikely event that you are unhappy with any element of our data-processing methods, you have the right to make a complaint. In the first instance, formal complaints should be addressed to the Practice at the above address.

You also have the right to make a complaint to the Information Commissioner’s Office – the independent regulator of data protection. For further details, visit ico.org.uk and select ‘Raising a concern’ or contact:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Or using their online submission: https://ico.org.uk/global/contact-us/

Who else may ask to access your information?

 –  The law courts can insist that we disclose medical records to them;

 – Solicitors often ask for medical reports. These will always be accompanied by your signed consent for us to disclose information.  We will not normally release details about other people that are contained in your records (eg wife, children, parents etc) unless we also have their consent;

 – Limited information is shared with Public Health England to help them organise national programmes for Public Health such as childhood immunisations;

 – Social Services.  The Benefits Agency and others may require medical reports on you from time to time. These will often be accompanied by your signed consent to disclose information. Failure to co-operate with these agencies can lead to loss of benefit or other support.  However, if we have not received your signed consent we will not normally disclose information about you;

 – Life assurance companies frequently ask for medical reports on prospective clients.  These are always accompanied by your signed consent form.  We must disclose all relevant medical conditions unless you ask us not to do so. In that case, we would have to inform the insurance company that you have instructed us not to make a full disclosure to them.

 – You have the right, should you request it, to see reports to insurance companies or employers before they are sent.

We will normally ask you for your consent, but there are times when we may be required by law to share your information without your consent, for example:

 – where there is a serious risk of harm or abuse to you or other people;

 – where a serious crime, such as assault, is being investigated or where it could be prevented;

 – notification of new births;

 – where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS);

 – where a formal court order has been issued;

 – where there is a legal requirement, for example if you had committed a Road Traffic Offence.

Westbourne Medical Centre is committed to ensuring that your privacy is protected.  Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.

You may choose to restrict the collection or use of your personal information in the following ways:

 – information you supply using any electronic form(s) on this website will only be used for the purpose(s) stated on the form;

 – whenever you are asked to fill in a form on the website, look for the box that you can click to indicate that you do not want the information to be used by anybody for direct marketing purposes;

– if you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by contacting us at  westbournemedical@nhs.net

The Practice processes personal data for primary purposes under the following legal bases:

General Data Protection Regulations 2016/679 Article 6(1)(e):

“processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”

For the processing of personal data for secondary purposes the Practice may rely on one of the following legal bases depending on the circumstances:

General Data Protection Regulations 2016/679 Article 6(1)(c):

“processing is necessary for compliance with a legal obligation to which the controller is subject”
There are some National Audits and patient registers which require the Practice to process your information under Article 6(1)(c) in accordance with UK legislations such as the National Health Service Act 2006 and Health and Social Care (Safety and Quality) Act 2015.

There are also obligations within the Crime and Disorder Act 1998, Terrorism Act, Children’s Act(s) 1989 and 2004, Mental Health Act 1983 and 2007 to share information with the Police or Social Services.
The Practice processes special categories of data (health data) for primary purposes under the following legal basis:

General Data Protection Regulations 2016/679 Article 9(2)(h):

“Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health and social care systems and services on the basis of Union or Member State law or pursuant to contact with a health professional and subject to the conditions and safeguards referred to in paragraph 3”

Paragraph 3: “Personal data referred to in paragraph 1 [special categories of data] may be processed for the purposes referred to in point (h) of paragraph 2 when those data are processed by or under the responsibility of a professional subject to the obligation of a professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union of Member State law or rules established by national competent bodies.”

General Data Protection Regulations 2016/679 Article 9(2)(b):

“Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and interests of the data subject”

The Practice processes special categories of data for secondary purposes under the following legal basis:

General Data Protection Regulations 2016/679 Article 9(2)(j):

“Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subjects”

General Data Protection Regulations 2016/679 Article 9(2)(i):

“Processing is necessary for reasons of public interest in the areas of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.”

Where data has been anonymised, it is not considered to be personal data and the General Data Protection Regulations 2016/679 and Data Protection Act 1998 will not apply. The Practice will use anonymous data for audit and population health management.
Occasionally, the Practice may rely on consent as a legal basis:

General Data Protection Regulations 2016/679 Article 6(1)(a):

“the data subject has given consent to the processing of his or her personal data for one or more specific circumstances”

Where you are asked for your consent to take part in Research, Clinical Trials or Audits, your care will not be affected if your decline to take part. Research and Audit are vital for the NHS to evaluate and improve Healthcare for everyone.

General Data Protection Regulations 2016/679 Article 9(2)(a):

“the data subject has given explicit consent to the processing of those personal data for one of more specified purposes”

However, these circumstances will be few and the Practice will not rely on consent where there is another lawful basis that we should use.

General Data Protection Regulations 2016/679 Recital 43 specifies that for consent to be freely given it

“should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.”

Our Practice upholds transparency and fairness through the use of this privacy notice. We uphold data minimisation techniques like pseudonymisation and anonymisation where possible to protect data and ensure that the purpose of processing is relevant and adequate.
The Practice holds data security in the highest importance; our systems have role-based access and clinical systems are auditable to ensure transparency in the use of systems by staff. Devices are encrypted and all our staff undertake annual mandatory data security training.

Should you have any questions about our privacy policy or the information we hold about you, you can:

1. Contact the Practice Manager Anna Szyfner in the first instance at: practice-manager.wmc@dorsetgp.nhs.uk

2. If further support is needed contact the Data Protection Officer (DPO) Helen Williams at GPDPO@dorsetccg.nhs.uk.

We regularly review our privacy policy and any updates will be published on our website, in our newsletter and on posters to reflect the changes. This policy is to be reviewed on [16/03/2021].