Your Data. For information on how Stoke Gifford and Conygre Road Medical Centre use your data, and your rights under the General Data Protection Regulations please view our Privacy Notice.
Overview of how the Practice manages your health data.
The practice relies on the following lawful reasons for processing. Medical records data is controlled by the practice in order to fulfil a legal obligation under section 6(1)f of the GDPR where the processing of personal data is ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In some cases, the Practice will share data lawfully under section 6 (1)d when it is necessary to protect the vital interests of the data subject or another person where the data subject is incapable of giving consent, or under 6(1)c where it is necessary for compliance with a legal obligation.
Staff HR records are maintained in order to fulfil the employment contract that we have with individuals and to comply with legal obligations. Processing / controlling data necessary for the performance of a contract with the data subject or to take steps preparatory to such a contract is defined as a legal basis in 6(1)b of the GDPR.
The special category condition for processing for direct care is that processing is, ‘necessary for the purposes of preventive or occupational medicine, for the assessment of your working capacity, for medical diagnosis, for the provision of health or social care or treatment, or the management of health or social care systems and services..’ (Article 9(2)(h)). This would include our compliance with the Health and Social Care Act 2012.
For medical research purposes, the lawful basis and special category condition are Article (6)(1)(e) ‘…for the performance of a task carried out in the public interest…’ and Article 9(2)(j) ‘… for research purposes..’
Data Sharing. Our contract with NHS England requires a level of data sharing. These include:
- Disclosures which are required by law or clinical audit requirements. In order to comply with its legal obligations this practice may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012’; and ‘This practice contributes to national clinical audits and will send the data which are required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form, for example, the clinical code for diabetes or high blood pressure.
- Disclosures for medical research or health management purposes. This practice contributes to medical research and may send relevant information to medical research databases such as the Clinical Practice Research Datalink and QResearch or others.
Data Sharing. There are currently 3 data sharing initiatives aimed at improving the NHS' responsiveness to changing medical care demand while aiming to improve the care that you recieve by sharing medical information between certain NHS provider organisations. These are known as: the Summary Care Record; Care Data, and Connecting Care. They are all slightly different in aims and scope so please read the information below and follow the links for further details.
The Summary Care Record
There is a new Central NHS Computer System called the Summary Care Record (SCR). It is an electronic record which contains information about the medicines you take, allergies you suffer from and any bad reactions to medicines you have had.
Why do I need a Summary Care Record? Storing information in one place makes it easier for healthcare staff to treat you in an emergency, or when your GP practice is closed.
This information could make a difference to how a doctor decides to care for you, for example which medicines they choose to prescribe for you.
Who can see it? Only healthcare staff involved in your care can see your Summary Care Record.
How do I know if I have one?
Over half of the population of England now have a Summary Care Record. You can find out whether Summary Care Records have come to your area by looking at our interactive map
or by asking your GP
Do I have to have one? No, it is not compulsory. If you choose to opt out of the scheme, then you will need to complete a form and bring it along to the surgery. You can use the form at the foot of this page.
More Information. For further information visit the NHS Care records website or the HSCIC Website
Information about you and the care you receive is shared, in a secure system, by healthcare staff to support your treatment and care. It is important that we, the NHS, can use this information to plan and improve services for all patients. We would like to link information from all the different places where you receive care, such as your GP, hospital and community service, to help us provide a full picture. This will allow us to compare the care you received in one area against the care you received in another, so we can see what has worked best.
Information such as your postcode and NHS number, but not your name, will be used to link your records in a secure system, so your identity is protected. Information which does not reveal your identity can then be used by others, such as researchers and those planning health services, to make sure we provide the best care possible for everyone.
You have a choice. If you are happy for your information to be used in this way you do not have to do anything. If you have any concerns or wish to prevent this from happening, please speak to practice staff or download the opt out form below, complete it and return it to the practice
We need to make sure that you know this is happening and the choices you have.
You can find out more on the NHS England Care Data website
The connecting care record is a new way for staff who are directly involved in your care to share relevant information about your care in a way that is both controlled and consistent. Read more here
To compare the data shared in the Connecting Care and Summary Care Record, please view this document. Connecting care and SCR precis
SUBJECT ACCESS REQUESTS FROM INSURANCE COMPANIES
Under the terms of the data protection act, we as the “data controller” have a responsibility to ensure the confidentiality and integrity of the information we hold about you. Furthermore, as your doctor we have a responsibility to ensure the confidentiality of matters of a sensitive medical, psychological, and emotional nature. A subject Access Request requires us as data controller to give you as the “subject” access to all data we hold about you. This includes every recorded encounter you have had with any GP or nurse in the surgery as well as copies of all hospital letters, test results and prescriptions issued.
Insurance companies require medical information from yourself and ourselves to assess your risk of illness, death and disability. There is a system in place for GPs to give a pertinent summary of all relevant medical information (excluding information of a sensitive or irrelevant nature) by way of an industry approved General Practitioner’s Report (GPR). The format of this report has been agreed by the Association of British Insurers and the British Medical Association. This system has been in place since then and a fee is paid by the insurance company to ourselves to ensure a prompt efficient service.
Lately some companies have been using the SAR system to obtain patients’ full medical records. We have reason to believe that this may be done to reduce costs to the insurance company. More worryingly, we are concerned that our patients may not have received adequate explanation that their full record will be given to the insurance company, or that there is a simpler system in place whereby we can provide a GP report (or GPR) which releases only the relevant information.
Once we release a medical record to a third party we are no longer the data controller for that information, and we have no control over how that information is stored, used, or shared.
Due to concerns about how your data may be used, we no longer respond to Subject Access Requests by insurance companies. We will write to any requesting insurance companies to suggest that they submit a request to us for a GP report.