As data controllers, GPs have fair processing responsibilities under the Data Protection Act 2018 and the GDPR. This means ensuring that your personal confidential data (PCD) is handled in ways that are safe, transparent and what you would reasonably expect. Please find documents and links below.
The practice relies on the following lawful reasons for processing. Medical records data is controlled by the practice in order to fulfil a legal obligation under section 6(1)f of the GDPR, where the processing of personal data is ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’. In some cases, the Practice will share data lawfully under section 6(1)d, when it is necessary to protect the vital interests of the data subject or another person where the data subject is incapable of giving consent, or under 6(1)c, where it is necessary for compliance with a legal obligation.
Staff HR records are maintained in order to fulfil the employment contract that we have with individuals and to comply with legal obligations. Processing / controlling data necessary for the performance of a contract with the data subject or to take steps preparatory to such a contract is defined as a legal basis in 6(1)b of the GDPR.
The special category condition for processing for direct care is that processing is ‘necessary for the purposes of preventive or occupational medicine, for the assessment of your working capacity, for medical diagnosis, for the provision of health or social care or treatment, or the management of health or social care systems and services…’ (Article 9(2)(h)). This would include our compliance with the Health and Social Care Act 2012.
For medical research purposes, the lawful basis and special category condition are Article (6)(1)(e) ‘…for the performance of a task carried out in the public interest…’ and Article 9(2)(j) ‘…for research purposes…’.
Our contract with NHS England requires a level of data sharing. These include:
- Disclosures which are required by law or clinical audit requirements. In order to comply with its legal obligations, this practice may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012. This practice contributes to national clinical audits and will send the data which are required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form, for example, the clinical code for diabetes or high blood pressure.
- Disclosures for medical research or health management purposes. This practice contributes to medical research and may send relevant information to medical research databases such as the Clinical Practice Research Datalink and QResearch or others.
Data Sharing. There are currently 3 data sharing initiatives aimed at improving the NHS’ responsiveness to changing medical care demand while aiming to improve the care that you receive by sharing medical information between certain NHS provider organisations. These are known as: the Summary Care Record; Care Data; and Connecting Care. They are all slightly different in aims and scope, so please read the information below and follow the links for further details.
How the NHS and care services use your information
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment. The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatment
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law. Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at:
https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and
https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Please note, this opt out does not apply to local data sharing agreements that relate to data used to support an individual’s care.
The Connecting Care record is a new way for staff who are directly involved in your care to share relevant information about your care in a way that is both controlled and consistent.
To compare the data shared in the Connecting Care and Summary Care Record, please view the document ‘Connecting Care and SCR Comms V2’.
SUBJECT ACCESS REQUESTS FROM INSURANCE COMPANIES
Under the terms of the Data Protection Act, we as the “data controller” have a responsibility to ensure the confidentiality and integrity of the information we hold about you. Furthermore, as your doctor we have a responsibility to ensure the confidentiality of matters of a sensitive medical, psychological, and emotional nature. A Subject Access Request (SAR) requires us as data controller to give you as the “subject” access to all data we hold about you. This includes every recorded encounter you have had with any GP or nurse in the surgery, as well as copies of all hospital letters, test results and prescriptions issued.
Insurance companies require medical information from yourself and ourselves to assess your risk of illness, death and disability. There is a system in place for GPs to give a pertinent summary of all relevant medical information (excluding information of a sensitive or irrelevant nature) by way of an industry-approved General Practitioner’s Report (GPR). The format of this report has been agreed by the Association of British Insurers and the British Medical Association. This system has been in place for some time, and a fee is paid by the insurance company to ourselves to ensure a prompt, efficient service.
Lately some companies have been using the SAR system to obtain patients’ full medical records. We have reason to believe that this may be done to reduce costs to the insurance company. More worryingly, we are concerned that our patients may not have received an adequate explanation that their full record will be given to the insurance company, or that there is a simpler system in place whereby we can provide a GP report (or GPR) which releases only the relevant information.
Once we release a medical record to a third party we are no longer the data controller for that information, and we have no control over how that information is stored, used, or shared.
Due to concerns about how your data may be used, we no longer respond to Subject Access Requests by insurance companies. We will write to any requesting insurance companies to suggest that they submit a request to us for a GP report.
A cookie is a small file, typically of letters and numbers, downloaded on to a device (like your computer or smart phone) when you access certain websites.
Cookies allow a website to recognise a user’s device.
Some cookies help websites to remember choices you make (e.g. which language you prefer if you use the Google Translate feature). Analytical cookies help us measure the number of visitors to a website. The two types we use are ‘Session’ and ‘Persistent’ cookies. Session cookies are temporary and disappear when you close your web browser; persistent cookies may remain on your computer for a set period of time.
We do not knowingly collect or intend to collect any personal information about you using cookies. We do not share your personal information with anyone.
What can I do to manage cookies on my devices?
Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.
To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.
If you are concerned about cookies and would like to ask further questions please do not hesitate to write to our website developers – [email protected]