The Practice uses a system called EMIS Web to manage clinical information about your care and health. This system is provided by a company called EMIS Health LTD who act as a data processor on behalf of the Practice. EMIS Health LTD also uses a sub-processor which is Amazon Web Services (sub processor) who act under written instruction from EMIS Health LTD to store the data. Under no circumstances is it technically possible for Amazon Web Services to access any information about you. Should you have any concerns or queries please do not hesitate to contact the Practice.
We are legally required to tell you:
- What personal information we use
- Why we need your personal information
- The lawful basis for processing your personal information i.e. legitimate reasons for collecting, keeping, using and sharing it
- How we use, store, protect and dispose of your personal information
- How long we keep it for and who we may share it with
- About your information rights
- How to report a compliant or concern
- Telephone calls to and from the practice may be recorded for montiroing and training purposes
Your Personal Information When we mean personal information, we are referring to any information that can identify a specific person, either on its own or together with other information. The obvious examples are name, address and date of birth; however this could include other forms for data, such as email address, car registration, specific physical feature, NHS number, pictures, images and so forth.
Most of the personal information we process is confidential or sensitive because of the nature of our business activities (health and social care). This could be used in a discriminatory way and is likely to be of a private nature, so greater care is needed to ensure this is processed securely. Confidential or sensitive information includes your racial or ethnic origin of the data subject, political opinions, religious beliefs or other beliefs of a similar nature, Trade Union membership, physical or mental health or condition, sexual life, commission, alleged commission of or proceeding for any offence.
Anonymised data is not personal information. This is any information that cannot reasonably identify you, so it cannot be personal, confidential or sensitive. Anonymisation requires the removal of personal information that might identify you. This process allows personal information to be converted
The personal information we collect may be used for any of the following specific purposes:
- Health care for patients – diagnosis, treatment and referral
- Accounting, financial management and auditing
- Education and training
- Consultancy and Advisory services
- Human resources and staff administration
- Crime prevention and prosecution
- Health administration and services management
- Business activity information and databank administration
- Contractual arrangements for data processing by third parties
- Occupational Health referrals
- Research, national surveys
- Security services e.g CCTV monitoring, confidentiality audits
Without your personal information, we cannot:
- Direct, manage and deliver the health care you may require
- Ensure we have accurate and up to date information to assess and provide what you require
- Provide the appropriate level of assistance or adequate guidance
- Refer you to a specialist or another service
- Protect the general public or promote public health
- Manage, develop or improve our services Investigate complaints or proceed with legal actions for claims
- Employ you to join our workforce
- Procure products and services
- Commission business activities
- Comply with a court order
- Comply with regulatory requirements
- Meet some of our legal obligations
- Compile statistics to review our performance
- Educate and train our workforce
- Undertake clinical trials and research studies you have consented to
- Complete occupational health checks you have consented to
- Keep you and other service users safe on our premises
Lawful Basis for Processing your Personal Information We do not rely on consent to use your personal information as a ‘lawful basis for processing’ following appropriate guidance from the British Medical Association (BMA).
We rely on the following specific provisions under Article 6 (Lawful Processing) and 9 (Processing of Special Categories of Personal Data) of the GDPR:
For your personal information Article 6 (1c) ‘processing is necessary for compliance with a legal obligation…’
Article 6 (1e) ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller.’ For your special category information Article 9 (2b) ‘…for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’ Article 9 (2h) ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’ Article 9 (2i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’
Please note: You do have the right to say ‘NO’ to our use of your personal information but this may have an impact on our ability to provide appropriate care or services. Please speak to your healthcare professional, the team providing your care or contact our Data Protection Officer.
We never use your personal information for advertising, marketing and public relations or insurance purposes without your consent.
Retention and Disposal of Personal Information Your personal information may be written down (manual), digitised or held on computers (electronic) centrally within or outside of the Practice. These may be paper records, scans, photographs, slides, CCTV images, microform (i.e. fiche/film), audio, video, emails, computerised records on IT systems, or scanned documents etc. which we process securely in accordance with data protection legislation and store in conjunction with the Records Management code of Practice. - Records Management Code of Practice 2016
Keeping your Personal Information Safe We are committed to keeping your information secure and have operational policies, procedures and technical measures in place to protect your information whether it is in a hardcopy, digital or electronic format.
We are registered to the Information Commissioner’s Office: registration number: Z8580662
Mandatory training and regular audits are in place to ensure that only authorised personnel with the absolutely necessary need to know your personal information can use it.
When there are data protection breaches (for example - unauthorised access, inappropriate use, failure to secure and keep personal information secure or accurate), these are reported and investigated, with appropriate action (disciplinary, legal, lessons learned, re-training etc.) taken.
Sharing Personal Information We may need to share your personal information with another organisation e.g. NHS
organisations, health and social care organisations, public bodies (Social Services, Probation Service, Police, Regulatory Authorities) or third party providers commissioned to process personal information on our behalf.
This is because of our duty to share which is equally as important as our duty of confidentiality. We also may also share your personal information for planning services across the NHS. This is vital to delivering better healthcare and improving our services.
You have the right say no and to opt-out of or restrict this sharing. Your right to opt-out for reasons other than direct care (e.g. planning and research purposes) is managed through the National Data Opt-Out Programme (search online or contact NHS Digital on 0300 303 5678 to find out more).
Your Information Rights You have the right to
- Be informed about the processing of your personal information by the Practice (done through this notice)
- Access the information we hold about you (paper, digital or electronic copies)
- Ask the Practice to correct or complete your personal information
- Ask the Practice to erase your personal information under certain circumstances, if the Practice does not have a lawful basis to process it.
- Ask the Practice to restrict the processing of your personal information under certain circumstances
- Ask the Practice to move, copy and transfer your personal information which you have provided to the Practice, , in a portable, common used/machine readable format and securely, for your own purpose
- Ask us not to process your personal information
- Ask us not to use your personal information for public interests, direct marketing, automated decision-making, profiling, research or statistical purposes
- Receive a response to your access or change request within a calendar month*
Requests for information Please complete a subject access application form on our website. We will require proof of identity before we can disclose any personal information.
Report Complaint or Concern We try to meet the highest standards when processing personal information. You should let us know when we get something wrong.
The Practice employs an independent Data Protection Officer (DPO). The role our DPO is to examine and ensure we operate within the law.
These services are provided by Umar Sabat from IG-Health. He can be contacted on email@example.com. He can only assist with complaints about your personal information all other complaints should be directed to the Practice.
Supplementary Privacy Notice issued in response to COVID-19
(This Privacy Notice is to run alongside our standard Practice Privacy Notice)
Due to the unprecedented challenges that the NHS and, Cavendish Medical Practice face due to the worldwide Covid-19 pandemic, there is a greater need for public bodies to require additional collection and sharing of personal data to protect against serious threats to public health.
In order to look after your healthcare needs in the most efficient way Cavendish Medical Practice may therefore need to share your personal information, including medical records, with staff from other GP Practices including Practices within our Primary Care Network, as well as other health organisations (i.e. Clinical Commissioning Groups, Commissioning Support Units, Local authorities etc.) and bodies engaged in disease surveillance for the purposes of research, protecting public health, providing healthcare services to the public and monitoring and managing the Covid-19 outbreak and incidents of exposure.
The Secretary of State has served notice under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) to require organisations to process confidential patient information in the manner set out below for purposes set out in Regulation 3(1) of COPI.
The notice can be seen here
Purpose of this Notice
The purpose of this Notice is to require organisations such as Cavendish Medical Practice to process confidential patient information for the purposes set out in Regulation 3(1) of COPI to support the Secretary of State’s response to Covid-19 (Covid-19 Purpose). “Processing” for these purposes is defined in Regulation 3(2) and includes dissemination of confidential patient information to persons and organisations permitted to process confidential patient information under Regulation 3(3) of COPI.
This Notice is necessary to require organisations such as Cavendish Medical Practice to lawfully and efficiently process confidential patient information as set out in Regulation 3(2) of COPI for purposes defined in regulation 3(1), for the purposes of research, protecting public health, providing healthcare services to the public and monitoring and managing the Covid-19 outbreak and incidents of exposure.
Requirement to Process Confidential Patient Information
The Secretary of State has served notice to recipients under Regulation 3(4) that requires Cavendish Medical Practice to process confidential patient information, including disseminating to a person or organisation permitted to process confidential patient information under Regulation 3(3) of COPI.
Cavendish Medical Practice is only required to process such confidential patient information:
where the confidential patient information to be processed is required for a Covid-19 Purpose and will be processed solely for that Covid-19 Purpose in accordance with Regulation 7 of COPI from 20th March 2020 until end of March 2021.
A Covid-19 Purpose includes but is not limited to the following:
- Understanding Covid-19 risks and controlling them
- Identifying and understanding information about patients or potential patients with or at risk of Covid-19
- Monitoring and managing the response to Covid-19
- Delivering services to patients, clinicians, health services and adult social care services
- Supporting research and planning
A record will be kept by Cavendish Medical Practice of all data processed under this Notice.
Sending Public Health Messages
Data protection and electronic communication laws will not stop Cavendish Medical Practice from sending public health messages to you, either by phone, text or email as these messages are not direct marketing.
It may also be necessary, where the latest technology allows Cavendish Medical Practice to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind. This includes Video Consultations, Remote working, Mobile SMS and photo messaging if needed
Visitors to The Practice
We have an obligation to protect our staff and employees’ health, so it is reasonable for staff at Cavendish Medical Practice to ask any visitors to our practice to tell us if they have visited a particular country, or are experiencing Covid-19 symptoms. This must only be in pre-approved circumstances and we would also ask all patients to consider government advice on the NHS 111 website and not attend the practice.
Where it is necessary for us to collect information and specific health data about visitors to our practice, we will not collect more information than we need, and we will ensure that any information collected is treated with the appropriate safeguards.
Expiry of this Notice
This Notice will expire on the 31st March 2021.
Our Data Protection Officer
The Practice has appointed Umar Sabat as its Data Protection Officer.
He can be contacted on the following e-mail address: Sdsmyhealthcare.firstname.lastname@example.org
If you have any concerns about how your data is shared, or if you would like to know more about your rights in respect of the personal data we hold about you, then please contact the Practice Data Protection Officer.
How to contact the appropriate authorities
If you have any concerns about your information is managed then we would encourage you to first speak to our Data Protection Officer in the first instance.
If you are still unhappy following our Data Protection Officer’s review you have the right to lodge a complaint with the Information Commissioners Office at the following address:
Tel: 01625 545745