Thurleigh Road Practice complying with GDPR (Word document)
It is important to note that the General Data Protection Regulation (GDPR) is an evolution of the Data Protection Act 1998 (which Thurleigh Road Practice already complies with).
We are committed to protecting the privacy of all individuals using this website.
This policy explains how we use any personal information we collect from you through this website.Information sharing with other services.
We may need to share your medical information with other organisations involved in the delivery of your care e.g. Podiatry or District Nursing. We will not share identifiable information with anyone that isn’t involved in your care unless legally required to.
You would have been asked to opt in or out when you registered at one of our GP surgeries as follows: “Are you happy for us to Share Out your full medical records electronically with other services involved in your care and/or to view (Share In) medical records held by other services?”
If you wish to reconsider or do not consider that you have opted in or out, you may contact our practice reception to discuss further and appropriate action will be taken.
The NHS Act 2006 and the Health and Social Care Act 2012 invests statutory functions on GP Practices to promote and provide the health service in England, improve quality of services, reduce inequalities, conduct research, review performance of services and deliver education and training. To do this we will need to process your information in accordance with current data protection legislation to:
Protect your vital interests;
Pursue our legitimate interests as a provider of medical care, particularly where the individual is a child or a vulnerable adult;
Perform tasks in the public’s interest;
Deliver preventative medicine, medical diagnosis, medical research; and
Manage the health and social care system and services.
Privacy Notice or Fair processing Notice includes the conditions which have to be met for any activity involving personal data or special categories of personal data to be lawful. Being transparent and providing accessible information to individuals about how an organisation will use their personal information is a key element of Data Protection Legislations. The most common way to provide this information is in a Practice Privacy Notice (PPN).
This PPN is part of our programme to make the data processing activities we are carrying out in order to meet our healthcare obligations transparent.
The PN tells you about information we collect and hold about you, the legal basis for collecting and holding the information, what we do with it, how we keep it secure (confidential), who we might share it with and what your rights are in relation to your information.
We use the following types of information/data:
Personal data or sensitive personal/special categories of personal data such as:
demographics – name, address, date of birth, postcode, NHS number
racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, medical/health data, sexual life or sexual orientation data.
Pseudonymised – about individuals but with identifying details (such as name or NHS number) replaced with a unique code.
Anonymised – about individuals but with identifying details removed.
Aggregated – anonymised information grouped together so that it doesn’t identify individuals.
We use and share information about you in a number of ways. These include:
Primary uses – information from your GP medical record which can be made available to other NHS and public sector organisations, including doctors, nurses and care professionals in order to help them make the best informed decision, and provide you with the best possible direct care delivery.
Secondary uses – information from your GP medical record involves extracting identifiable data and (usually) sharing that data with other NHS organisations, for the purpose of indirect care. Examples include using your information for research, auditing, and healthcare planning (population health management).
We share information about you with other GPs, NHS acute or mental health Trusts, local authority, community health providers, pharmacists, commissioning organisations, medical research organisations and some specific non NHS organisations for the purposes of direct and indirect care delivery of care.
We are required under the law to provide you with the following information how we process your personal data, the purpose of proposing, recipient/categories of your personal data, the identity of our Data Protection Officer (DPO), how long we retain personal information about you, the legal basis and justification for the processing, and your right to view, request access copies of your personal information, or object to the processing: Organisations we share your personal information with.
Your GP medical record is held on our secure clinical system. This clinical system allows for local record sharing with other healthcare providers who are commissioned in your area to provide care (e.g. acute hospitals, mental and community health). Through this record sharing, clinicians are able to see clinical information entered by other organisations who are party to the local record sharing agreement.
This local sharing is used to provide direct patient care for services such as continued extended access, home visits, universal offers, musculoskeletal service, GP at front door and other neighbourhood services across local borough we run our services in line the local Care delivery strategy and the NHS STP.
It also enables specific GPs identify their patients with highly complex, multiple morbidity and/or frailty, who might benefit from targeted multi-disciplinary team support as part of case management and care planning (the “Case Finding Purpose”).
The information is accessed in real time and on-demand, meaning that data from your GP record is neither extracted, nor uploaded, nor sent anywhere. The data remains within your GP clinical system supplier’s database and users are allowed read-view access only. If you have any concerns regarding your clinical system supplier’s local record sharing, you can opt out by speaking to your GP surgery team.
We use anonymised data to plan health care services. Specifically we use it to:
check the quality and efficiency of the health services we provide;
prepare performance reports on the services we provide and,
review the healthcare we provide in order they are of the highest standard.
Data may be de-identified and linked so that it can be used to improve health care and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.
When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (inpatient, outpatient and A&E). In some cases there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc, as well as mental health and community-based services such as Improving Access to Psychological Therapies (IAPT), community nursing, podiatry etc. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity.
The organisation responsible for processing de-identified and linked data under this category, on behalf of the Practice at the local clinical commissioning group. We ensure that the data processor is legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.
We only use information that may identify you in accordance with the EU General Data Protection Regulation 2016. These Legislation requires us to process personal data only if there is a lawful basis for doing so and that any processing must be fair and lawful.
We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).
Our appropriate technical and security measures include:
The ability to ensure ongoing confidentiality, integrity, availability and resilience of our systems;
the ability to quickly restore availability and access to personal information in the event of a physical or technical incident; and
a process regularly testing, assessing and evaluating the effectiveness of security measures, and ensure they comply with the concept of privacy by design and default.
The NHS Digital Code of Practice on Confidential Information applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All Practice staff are trained to ensure information is kept confidential.
We are registered with the Information Commissioner’s Office (ICO) as a data controller and collects data for a variety of purposes. A copy of the registration is available through the ICO website. You can search by our Practice name or ICO Data Protection Register number Registration number: Z6487332.
Where information from which you can be identified is held, you have the:
Right of access to view or request copies of the records
Right to rectification of inaccurate personal data or special categories of personal data
Right to restriction of the processing of your data where accuracy of the data is contested, processing is unlawful or where we no longer need the data for the purposes of the processing
Right to object to any automated individual decision-making
Right to data portability by requesting the data which you provided to us (not data generated by us) in a structured, commonly used machine readable format. Your right to portability applies only where:
data is processed by automated means, and
you provided consent to the processing or,
the processing is necessary for the fulfilment of a contract
These rights will only apply where we cannot demonstrate compelling legitimate grounds for continued processing of your personal data for the purposes of direct provision of care, and compliance with a legal obligation to which we are subject.
Your right to erasure (right to be forgotten) will only apply where you had given ‘consent’ to process your personal health data and later withdrew the consent, and does not apply to the extent where the processing of your personal health data is necessary for:
Compliance with a legal obligation which we are subject to, under the UK law or, for the performance of a task carried out in the public interest or, in the exercise of official authority vested on us;
medical purposes and/or for reasons of public interest in the area of public health;
archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
the establishment, exercise or defence of legal claims
You can exercise your rights at any time by contacting the Practice (data controller) or the Data Protection Officer (DPO) at the address below, although we will first need to explain how this may affect the care you receive and any overriding legitimate grounds for the processing that may apply.
You have the right to see or have a copy of personal data we hold that can identify you. You do not need to give a reason to see your data. However, some information may be withheld under some exceptional circumstances.
If you want to access your personal information you must do so in writing by completing our Subject Access Request (SAR) form
Our Data Protection Officer is Mrs Shushma Leidig, Practice Manager.
The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector.
In theory, you can request any information that the Practice holds that does not fall under an exemption under the FOI Act. You may not ask for information that is covered by the Data Protection Act or EU General Data Protection Regulation (GDPR) under FOIA. However, you can request this under a Subject Access Request – see section above ‘Gaining access to the data we hold about you’.
Your request must be in writing and can be either posted or emailed to the surgery by email or post – please see contact details on our Contact Us page.
Common Law of Duty of Confidentiality – is not written out in one document like the GDPR or an Act of Parliament. Common Law is also referred to as ‘judge-made’ or case law. In practice, this means that all patient/client information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient/client. However, where the disclosure/sharing of the patient/client information is for the purpose of Direct Care consent to such disclosure/sharing may be implied where it is informed, given there is a legitimate relationship between the patient/client and the health professional.
Personal Data – means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special Categories of Personal Data – data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.
You have a right to see your records if you wish. Please ask at reception if you would like further details. An appointment will be required. In some circumstances a fee may be payable.
This website uses https to ensure data is encrypted in transmission. This encryption, known as TLS encryption protocol, allows us to protect your privacy. You can usually verify that the page is encrypted by seeing a small lock symbol in the upper left corner of your browser and the website address is prefixed with https://.
All data obtained by us is held and used in compliance with the Data Protection Act 2018.
This website contains links to other sites. We are not responsible for the privacy practices of third parties that run any other websites. Please refer to their own privacy policies for more information.
This privacy notice explains why health and care providers collect information about you and how that information may be used. For additional information about our ‘Connecting Your Care’ programme please also see ‘Connecting Your Care’ leaflet and Frequently Asked Question or visit: SW London NHS - Connecting your care.
Use Patient Access to book an appointment, order repeat prescriptions and view your medical record.
111 is the NHS non-emergency number. It's fast, easy and free. Call 111 and speak to a highly trained adviser, supported by healthcare professionals.
The NHS website. Take control of your health and wellbeing. Get medical advice, information about healthcare services and support for a healthy life.
Patient is one of the most trusted medical resources online, supplying evidence based information on a wide range of medical and health topics to patients and health professionals.