Introduction

The Data Protection Act gives every living person (or authorised representative) the right to apply for access to their health records.

Online Access to Medical Records

As of March 2016, [Coded information from Medical Records / Full Medical Records] can be accessed as part of the Practice’s online services. For security reasons, you will have to visit the practice to undertake an identity check before you are granted access to these records.

To make a subject access request

A request for your medical records held at Ryeland Surgery must be made by submitting a Data Subject Access Request (DSAR) form. Upon completing the application form, please return the form to the surgery along with two forms of ID (one being a form of photo ID(passport/driving licence). If the application relates to a patient under the age of 13, then ID of the parent/guardian and the child’s birth certificate will need to be provided.

Due to limited capacity within the practice these requests are outsourced to iGPR who will liaise with you directly once we have submitted your request.  iGPR is accredited by NHS Digital and conform to the relevant data security standards. It can take up to 30 days to receive a copy of your records.

Costs

Under the Data Protection Act you will not normally be charged a fee for the first copy of your records however you may be charged a fee for any subsequent copies of the same information.

CCTV

• CCTV images will not be retained longer than is considered necessary, and will be then be deleted.
• All images will be held securely, and all access requests, and access to images will be documented.
• Except for law enforcement bodies, images will not be provided to third parties.
• Images may record individuals and/or record incidents. Not all recordings are designed to identify persons.
• Other than in accordance with statutory rights, the release or availability of images will be at the discretion of the Data Controller(s) for the purposes of the Data Protection Act.
• Images are held to improve the personal security of patients and staff whilst on the premises, and for the prevention and detection of crime, and images may be provided to police or other bodies.
• Where access is granted in response to an application received, the image may be edited to exclude images of third parties who may be also included within the requested image. This may be necessary to protect the identity of the third parties. In these circumstances the image released as part of the application may identify the “data subject” only.
• Images will be located by the Data Controller or authorised person.
• The practice regularly reviews compliance with the ICO’s CCTV Code of Practice; continued operational effectiveness and whether the system continues to meet its purposes and remains justified.

Complaints

If you have any complaints about any aspect of your application to obtain access to your health records, you should first discuss this with the Operations Manager.

Alternatively you can contact the Information Commissioners Office (responsible for governing Data Protection compliance)

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 01625 545745 or visit the website

If you identify yourself as a carer, our staff will try to offer you:

1. Telephone appointments if caring responsibilities mean you cannot leave the person you care for at home or bring them with you to the surgery.
2. Flexibility on appointment times where possible.
3. An annual health check and a flu jab.
4. Referral to our in-house well-being team for advice on the following:

• Information about local carers support services which may be able to arrange transport and/or sitting services to help you leave home to attend surgery.
• Information about your right to a Carers’ Assessment of your own needs as a carer.
• Discussing with you what you would like us to do in the event of you or the person you care for having a medical or other emergency.
• In some cases caring roles are full time and very demanding. We would like to support you in your caring role where we can.
• Caring should not be at the expense of your own health and wellbeing. Please tell us how your caring role is affecting you and if you have any support needs.

Should you wish to make a comment/complaint to the surgery, please see the information below for instructions.

Let Us Know Your Views

At Ryeland Surgery we are always looking for ways to improve our service. To do this, we need to know what you think about the service you receive. We want you to tell us what we do best and where we do not meet your expectations together with any ideas and suggestions you may have.

Practice Complaints Procedure

If you have a complaint or are concerned about the service you have received from the practice, please let us know. We operate a practice complaints procedure as part of an NHS system for dealing with complaints which meets national criteria. However, this procedure does not deal with matters of legal liability or compensation.

You can speak to the Operations Manager either by phone or in person by appointment, or you can put your concerns in writing by letter or please let us know by completing our secure online form

Often problems can be sorted out easily and quickly at the time they arise and with the person concerned. If your problem cannot be sorted out on this way and you wish to make a complaint, please let us know as soon as possible, ideally within a matter of days or at most a few weeks, because this will enable us to establish what happened more easily. If it is not possible to do that, please let us have the details of your complaint:

• Within 6 months of the incident that caused the problems, or
• Within 6 months of discovering that you have a problem, provided this is within 12 months

We will acknowledge your complaint within three working days of receipt and after investigation we will then be in a position to share our findings with you.

Complaining On Behalf Of Someone Else

Please note that we keep strictly to the rules of medical confidentiality. If you are complaining on behalf of someone else, we will need them to give us permission to liaise with you. This permission can be given to us in writing or by telephone.

Complaining To NHS England

We hope that, if you have a problem, you will use our practice complaints procedure. However, if you feel you cannot raise your complaint with us you can contact NHS England Customer Care Centre on 0300 311 22 33 or email england.contactus@nhs.net.

Alternatively you can write to: NHS England, PO Box 16738, Redditch B97 9PT

If you need help or advice to make your complaint you can contact the NHS Complaints Advocacy Service Derbyshire Mind either by telephone on 01332 623 732 or email advocacy@derbyshiremind.org.uk for further information.

If You Are Unhappy With The Response To A Complaint

You should allow your complaint to be investigated first, but if you remain dissatisfied following receipt of the response and any further discussion you can complain to the Parliamentary and Health Ombudsman. The Ombudsman is independent of the NHS and government.

The helpline is: 0345 015 403

This Privacy Notice is to run alongside our standard Practice Privacy Notice

Due to the unprecedented challenges that the NHS and we, Ryeland Surgery, face due to the worldwide COVID-19 pandemic, there is a greater need for public bodies to require additional collection and sharing of personal data to protect against serious threats to public health.

In order to look after your healthcare needs in the most efficient way we, Ryeland Surgery, may therefore need to share your personal information, including medical records, with staff from other GP Practices including Practices within our Primary Care Network, as well as other health organisations (i.e. Clinical Commissioning Groups, Commissioning Support Units, Local authorities etc.) and bodies engaged in disease surveillance for the purposes of research, protecting public health, providing healthcare services to the public and monitoring and managing the Covid-19 outbreak and incidents of exposure.

The Secretary of State has served notice under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) to require organisations to process confidential patient information in the manner set out below for purposes set out in Regulation 3(1) of COPI.

Purpose of this Notice

The purpose of this Notice is to require organisations such as Ryeland Surgery to process confidential patient information for the purposes set out in Regulation 3(1) of COPI to support the Secretary of State’s response to Covid-19 (Covid-19 Purpose). “Processing” for these purposes is defined in Regulation 3(2) and includes dissemination of confidential patient information to persons and organisations permitted to process confidential patient information under Regulation 3(3) of COPI. This Notice is necessary to require organisations such as Ryeland Surgeryto lawfully and efficiently process confidential patient information as set out in Regulation 3(2) of COPI for purposes defined in regulation 3(1), for the purposes of research, protecting public health, providing healthcare services to the public and monitoring and managing the Covid-19 outbreak and incidents of exposure.

Requirement to Process Confidential Patient Information

The Secretary of State has served notice to recipients under Regulation 3(4) that requires Ryeland Surgery to process confidential patient information, including disseminating to a person or organisation permitted to process confidential patient information under Regulation 3(3) of COPI.

Ryeland Surgery is only required to process such confidential patient information:

• where the confidential patient information to be processed is required for a Covid-19 Purpose and will be processed solely for that Covid-19 Purpose in accordance with Regulation 7 of COPI
• from 20th March 2020 until 31 March 2021.

Covid-19 Purpose.

A Covid-19 Purpose includes but is not limited to the following:

• understanding Covid-19 and risks to public health, trends in Covid-19 and such risks, and controlling and preventing the spread of Covid-19 and such risks
• identifying and understanding information about patients or potential patients with or at risk of Covid-19, information about incidents of patient exposure to Covid-19 and the management of patients with or at risk of Covid-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from Covid-19
• understanding information about patient access to health services and adult social care services and the need for wider care of patients and vulnerable groups as a direct or indirect result of Covid-19 and the availability and capacity of those services or that care
• monitoring and managing the response to Covid-19 by health and social care bodies and the Government including providing information to the public about Covid-19 and its effectiveness and information about capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services
• delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with Covid-19, including the provision of information, fit notes and the provision of health care and adult social care services
• research and planning in relation to Covid-19.

Recording of processing

A record will be kept by Ryeland Surgery of all data processed under this Notice.

Sending Public Health Messages

Data protection and electronic communication laws will not stop Ryeland Surgery from sending public health messages to you, either by phone, text or email as these messages are not direct marketing.

Digital Consultations

It may also be necessary, where the latest technology allows Ryeland Surgery to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind.

Research and Pandemic Planning

The Secretary of State has directed NHS Digital to collect, process and analyse data in connection with COVID-19 to support the Secretary of State’s response to COVID-19 and support various COVID-19 purposes set out in the COVID-19 Public Health Directions 2020, 17 March 2020 (as amended) (COVID-19 Direction) and below. This enables NHS Digital to collect data and analyse and link the data for COVID-19 purposes with other data held by NHS Digital.

The purpose of the data collection is also to respond to the intense demand for General Practice data to be shared in support of vital planning and research for COVID-19 purposes, including under the general legal notice issued by the Secretary of State under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI).

NHS Digital has therefore been requested by the joint co-chairs of the Joint GP IT Committee (JGPITC) (the BMA and RCGP) to provide a tactical solution during the period of the COVID-19 pandemic to meet this demand and to relieve the growing burden and responsibility on General Practices. On 15 April 2020 the BMA and RCGP therefore gave their support via JGPITC to NHS Digital’s proposal to use the General Practice Extraction Service (GPES) to deliver a data collection from General Practices, at scale and pace, as a tactical solution to support the COVID-19 response in the pandemic emergency period.

It is a requirement of the JGPITC that all requests by organisations to access and use this data will need to be made via the NHSX SPOC COVID-19 request process, that will triage and prioritise these requests and refer appropriate requests on to the NHS Digital Data Access Request Service (DARS). NHS Digital will consult with representatives of the BMA and the RCGP on all requests for access to the data. An outline of the process for this agreed with the BMA and the RCGP is published here. Requests by organisations to access record level data from this collection will also be subject to Independent Group Advising on the Release of Data (IGARD) consideration. Data applicants will need to demonstrate they have a lawful basis to access the data for COVID-19 purposes.

Benefits of this sharing

Organisations, including the Government, health and social care organisations and researchers need access to this vital data for a range of COVID-19 purposes, to help plan, monitor and manage the national response to the COVID-19 pandemic, which will help save lives. COVID-19 purposes for which this data may be analysed and used may include:

• understanding COVID-19 and risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks
• identifying and understanding information about patients or potential patients with, or at risk of COVID-19, information about incidents of patient exposure to COVID-19 and the management of patients with or at risk of COVID-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, selfisolation, fitness to work, treatment, medical and social interventions and recovery from COVID19
• understanding information about patient access to health services and adult social care services as a direct or indirect result of COVID-19, and the availability and capacity of those services
• monitoring and managing the response to COVID-19 by health and social care bodies and the Government including providing information to the public about COVID-19 and its effectiveness and information about capacity, medicines, equipment, supplies, services and the workforce within the health services and adult social care services
• delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with COVID-19, including the provision of information, fit notes and the provision of health care and adult social care services; and
• research and planning in relation to COVID-19.

Data may be analysed and linked to other data held by NHS Digital or held by other organisations to which access to the data is granted for COVID-19 purposes, through the process described above.

Data will be collected nationally from all GP Practices by NHS Digital every fortnight. All requests to access this data will be triaged through the NHSX SPOC COVID-19 request process and assessed and fulfilled by NHS Digital through DARS. This will significantly reduce the burden on General Practice at a time when demand on resources is high, enabling General Practice to focus on delivering health care and support to patients. It will also reduce compliance burden and risk for General Practice associated with sharing data and complying with the terms of the general legal notice issued under COPI, which applies to General Practices.

Legal Basis for this collection

NHS Digital has been directed by the Secretary of State under section 254 of the 2012 Act under the COVID-19 Direction to establish and operate a system for the collection and analysis of the information specified for this service: GPES Data for Pandemic Planning and Research (COVID-19). A copy of the COVID-19 Direction is published here.

Details of the information to be collected can be found on the NHS Digital website – Specification of this DPN. Type 1 objections will be upheld in collecting this data from General Practices and therefore the data for those patients who have registered a Type 1 objection with their GP will not be collected. The Type 1 objection prevents an individual’s personal identifiable confidential information from being shared outside of their GP Practice except when it is being used for the purposes of their direct care. The National Data Opt-Out will not apply to the collection of the data, as this is a collection which is required by law.

This information is required by NHS Digital under section 259(1)(a) of the 2012 Act to comply with the COVID-19 Direction. In line with section 259(5) of the 2012 Act, all organisations in England that are within the scope of this Notice, as identified below under Health and Social Care Bodies within the scope of the collection, must comply with the requirement and provide information to NHS Digital in the form, manner and for the period specified in this Notice. This Notice is issued in accordance with the procedure published as part of NHS Digital’s duty under section 259(8) of the 2012 Act. Covid-19 Privacy Notice

In August 2020, the NHS announced that the seasonal national flu immunisation programme criteria for 2020 – 2021 will be expanded to include patients on the SPL. Therefore, to provide information that will support the identification of patients at moderate or high risk of complications from flu, a revision to the weekly extract of data has taken place. This, version three of the extract for the purpose of maintaining and updating the SPL, will continue until the expiry of the COVID-19 Direction. This is currently 31 March 2022 but will be reviewed in September 2020 and every six months thereafter. The frequency of the data collection may change in response to demand.

The Secretary of State has directed NHS Digital to collect, process and analyse data in connection with COVID-19 to support the Secretary of State’s response to COVID-19 and support various COVID-19 purposes set out in the COVID-19 Public Health Directions 2020, 17 March 2020 (COVID-19 Direction) (as amended) (COVID-19) Direction) and below. This enables NHS Digital to collect data and analyse and link the data for COVID-19 purposes with other data held by NHS Digital. The rationale for changing the data extraction is that the initial data collection was based on an existing specification for flu vaccination eligibility. This data extraction was then refined in order to more accurately reflect the patients who are clinically extremely vulnerable to COVID-19 and also to minimise the data we are collecting. A further refinement of the data extraction has taken place leading to the inclusion of new data being extracted. This will provide information to inform vaccination programmes. This General Practice Extraction

Service (GPES) data will be extracted weekly and be used to assist in producing a weekly update of the SPL. The objective of this collection is on an ongoing basis to identify patients registered at General Practices who may be:

• clinically extremely vulnerable if they contract COVID-19
• at moderate or high risk of complications from flu or COVID-19

The data collected will be analysed and linked with other data NHS Digital or other organisations hold to identify:

• a list of clinically extremely vulnerable patients who will be advised to take shielding measures to protect themselves. Advice given to these patients has been published by Public Health England and is available here
• a list of patients at moderate or high risk of complications from flu to inform the flu call/recall vaccination programme

Further information on the flu programme can be found here

The extract may also be used for future direct care purposes relating to the COVID-19 outbreak. The methodology NHS Digital has used to produce the SPL is explained in detail and is published on the NHS Digital SPL website page here.

Patients added to the SPL will be contacted by post, email (and/or SMS message where this is necessary) by the NHS on behalf of the Chief Medical Officer, Chris Whitty, to:

advise of the measures they can take to reduce their risk of contracting the virus and signpost them to the Extremely Vulnerable Persons service operated by gov.uk

offer a flu vaccination or to contact non-responders who remain unvaccinated (as per NHS England specifications for the service). The SPL will also be used to inform GPs of their individual patients on the SPL, by flagging those patient records on GP patient record systems. The SPL will be shared with a variety of other organisations involved in the care and support of those patients and for planning, commissioning and research purposes associated with COVID-19. Full details of those with whom information has been shared can be found on the NHS Digital SPL website here.

Requests by organisations to access record level data from this collection will be subject to Independent Group Advising on the Release of Data (IGARD) consideration. Data applicants will need to demonstrate they have a lawful basis to access the data for COVID-19 purposes.

Benefits of the collection

Organisations, including Government, health and social care organisations need to access this vital data for a range of COVID-19 purposes, to help plan, monitor and manage the national response to the COVID-19 pandemic, which will help save lives. COVID-19 purposes for which this data may be analysed and used may include:

• understanding COVID-19 and risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks
• identifying and understanding information about patients or potential patients with, or at risk of COVID-19, information about incidents of patient exposure to COVID-19 and the management of patients with or at risk of COVID-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from COVID19.

Data will be analysed and linked to other data held by NHS Digital or held by other organisations to which access to the data is granted for COVID-19 purposes, through the process described above. Data will be collected nationally from all General Practices by NHS Digital every week. All requests to access this data will be through Data Access Request Service (DARS). This will significantly reduce the burden on General Practice at a time when demand on resources is high, enabling General Practice to focus on delivering health care and support to patients. It will also reduce compliance burden and risk for General Practice associated with sharing data and complying with the terms of the general legal notice issued under the National Health Service (Control of Patient Information Regulations) 2002 (COPI), which applies to General Practices Patients facing the greatest risk if they contract COVID-19 and/or are in the moderate to high risk of complications from flu:

• will be identified and known to health organisations
• will have a greater awareness of the recommended preventative shielding measures
• will be able to follow clear advice
• will be able to ask for help and support, including social care support and essential food supplies, through the Extremely Vulnerable Persons service operated by gov.uk.

It will enable the SPL to be updated weekly to identify new patients and changes to patients on the List and will enable support provisions to be more dynamic and responsive to both social and clinical need.It will also enable vital planning, commissioning, and research to be carried out for COVID19 purposes. If patients facing the greatest risk follow advice, it is hoped that this will contribute to the delay and mitigation of the spread of COVID-19 and save lives.

Visitors to The Practice

We have an obligation to protect our staff and employees’ health, so it is reasonable for staff at Ryeland Surgery to ask any visitors to our practice to tell us if they have visited a particular country, or are experiencing COVID-19 symptoms. This must only be in preapproved circumstances and we would also ask all patients to consider government advice on the NHS 111 website and not attend the practice.

Where it is necessary for us to collect information and specific health data about visitors to our practice, we will not collect more information than we need, and we will ensure that any information collected is treated with the appropriate safeguards.

Review and Expiry of this Notice

This Notice will be reviewed on or before 31 March 2021 and may be extended by The Secretary of State. If no further notice is sent to Ryeland Surgery by The Secretary of State, this Notice will expire on 31 March 2021.

v1.3 22/09/2020

Introduction

The Data Protection Act 1998 (DPA) requires a clear direction on Policy for security of information within the Practice. The policy provides direction on security against unauthorised access, unlawful processing, and loss or destruction of personal information.

The following is a Statement of Policy which will apply:

The Policy

• The Practice is committed to security of patient and staff records.
• The Practice will display a poster in the waiting room, explaining the practice policy to patients.
• The Practice will make available a practice leaflet on Access to Medical Records and Data Protection for the information of patients.
• The Practice will take steps to ensure that individual patient information is not deliberately or accidentally released or (by default) made available or accessible to a third party without the patient’s consent, unless otherwise legally compliant.

This will include training on Confidentiality issues, DPA principles, working security procedures, and the application of Best Practice in the workplace.

• The Practice will undertake prudence in the use of, and testing of, arrangements for the backup and recovery of data in the event of an adverse event.
• The Practice will maintain a system of “Significant Event Reporting” through a no-blame culture to capture and address incidents which threaten compliance.
• DPA issues will form part of the Practice general procedures for the Management of Risk.
• Specific instructions will be documented within confidentiality and security instructions and will be promoted to all staff

Data Protection Officer

Paul Couldrey
PCIG Consulting Limited
7 Westacre Drive
Quarry Bank
West Midlands
DY5 2EE

If you have any special needs please let our staff know so that we can help and ensure you get the same support in the future.

Loop System

We have a loop induction system at the reception desk to assist the hearing impaired.

• British Deaf Association
• The Deaf Health Charity – SignHealth
• Action Hearing Loss
• Royal Association for Deaf People
• National Deaf Children’s Society

Blind / Partially Sighted

If you or family members are blind or partially sighted we can give you a large print of our practice leaflet upon request. Please ask Reception for further information.

For more advice and support for blind people please see the following websites:

• Royal National Institute of Blind People (RIND)
• British Wireless for the Blind Fund
• British Blind Sport

Guide Dogs

Guide dogs are welcome at the surgery but we ask that you be aware of other patients and staff who may have an allergy or fear of dogs.

Further Information:

• Guide Dogs

Other Disability Websites

• BID Services
• Disability Go
• Disabled People, your Rights, Benefits, Carers and the Equality Act
• Disability Rights UK
• Living with a Disability NHS Choices
• Disability Action
• Mencap

All GP practices are required to declare the mean net earnings (eg average pay) for GPs working to deliver NHS services to patients at each practice.  This is required in the interests of the greater public accountability recognising GP pay is ultimately funded from tax paid by the public.

The average pay for GPs working in Ryeland Surgery in the last financial year was £81,360 before tax and national insurance. This is for 3 full time GPs, 9 part time GPs and 1 locum GP who worked in the practice for more than six months.

Practice Charter Standards

These are the local standards set within this practice for the benefit of our patients. It is our job to give you treatment and advice. Following discussion with you, you will receive the most appropriate care, given by suitably qualified people. No care or treatment will be given without your informed consent. In the interest of your health it is important for you to understand all the information given to you. Please ask us questions if you are unsure of anything.

Our Responsibility To You

We are committed to giving you the best possible service.

Names

People involved in your care will give you their names and ensure that you know how to contact them. The surgery should be well signposted and the doctors’ or nurses’ names are indicated on their surgery doors.

Test Results

If you have undergone tests or x-rays ordered by the practice, we will inform you of the results at your next appointment. If no further appointment needs to be arranged, we will advise you when and how to obtain these results.

Respect

Patients will be treated as individuals and partners in their healthcare, irrespective of their ethnic origin or religious and cultural beliefs.

Information

We will give you full information about the services we offer. Every effort will be made to ensure that you receive the information which directly affects your health and the care being offered.

Health Promotion

The practice will offer patients advice and information on: steps they can take to promote good health and avoid illness; self-help which can be undertaken without reference to a doctor in the case of minor ailments.

Your Responsibility To Us

Help us to help you.

Please let us know if you change your name, address or telephone number.

Please do everything you can to keep appointments. Tell us as soon as possible if you cannot. Otherwise, other patients may have to wait longer.

Please ask for home visits only when the person is too ill to visit the surgery.

Please keep your phone call brief and avoid calling during the peak morning time for non-urgent matters.

Test results take time to reach us, so please do not ring before you have been asked to do so. Enquiries about tests ordered by the hospital should be directed to the hospital, not the practice.

We ask that you treat the doctors and practice staff with courtesy and respect. Legal action may be taken against patients who are violent or abusive to the doctors or practice staff or other persons on the practice premises. Such patients may also be asked to leave the practice.

Please read our practice booklet. This will help you to get the best out of the services we offer. It is important that you understand the information given to you. Please ask questions if you are unsure of anything.

Remember, you are responsible for your own health and the health of your children. We will give you our professional help and advice. Please act upon it.

How we use your information

We understand how important it is to keep your personal information safe and secure and we take this very seriously. We have taken steps to make sure your personal information is looked after in the best possible way and we review this regularly.

Please read this Privacy Notice carefully, as it contains important information about how we use the personal and healthcare information we collect on your behalf.

A new data privacy law was introduced in the UK in May 2018. As a result, we’ve published a new privacy notice to make it easier for you to find out how the NHS uses and protects your information.

Why are we providing this Privacy Notice?

We are required to provide you with this Privacy Notice by Law. It explains how we use the personal and healthcare information we collect, store and hold about you. If you are unclear about how we process or use your personal and healthcare information, or you have any questions about this Privacy Notice or any other issue regarding your personal and healthcare information, then please do contact our Data Protection Officer.

The Law says:

• We must let you know why we collect personal and healthcare information about you
• We must let you know how we use any personal and/or healthcare information we hold on you
• We need to inform you in respect of what we do with it
• We need to tell you about who we share it with or pass it on to and why
• We need to let you know how long we can keep it for

What is a Privacy Notice?

A Privacy Notice (or ‘Fair Processing Notice’) is an explanation of what information the Practice collects on patients, and how it is used. Being transparent and providing clear information to patients about how a Practice uses their personal data is an essential requirement of the new General Data Protection Regulations (GDPR).

Under the GDPR, the Practice must process personal data in a fair and lawful manner, and applies to everything that is done with patient’s personal information. In practice, this means that the Practice must:

• have legitimate reasons for the use or collection of personal data
• not use the data in a way that may cause adverse effects on the individuals (e.g. improper sharing of their information with third parties)
• be transparent about how you the data will be used, and give appropriate privacy notices when collecting their personal data
• handle personal data only as reasonably expected to do so
• make no unlawful use of the collected data

Legal justification for collecting and using your information

The Law says we need a legal basis to handle your personal and healthcare information.

• Contract – we have a contract with NHS England to deliver healthcare services to you. This contract provides that we are under a legal obligation to ensure that we deliver medical and healthcare services to the public.
• Consent – Sometimes we also rely on the fact that you give us consent to use your personal and healthcare information so that we can take care of your healthcare needs. Please note that you have the right to withdraw consent at any time if you no longer wish to receive services from us
• Necessary Care – Providing you with the appropriate healthcare, where necessary. The Law refers to this as ‘protecting your vital interests’ where you may be in a position not to be able to consent.
• Law – Sometimes the Law obliges us to provide your information to an organisation

Special Categories

The Law states that personal information about your health falls into a special category of information because it is very sensitive. Reasons that may entitle us to use and process your information may be as follows:

• Public Interest – Where we may need to handle your personal information when it is considered to be in the public interest. For example, when there is an outbreak of a specific disease and we need to contact you for treatment, or we need to pass your information to relevant organisations to ensure you receive advice and/or treatment.
• Consent – When you have given us consent.
• Vital Interest – If you are incapable of giving consent and we have to use your information to protect your vital interests (eg. if you have had an accident and you need emergency treatment)
• Defending a Claim – If we need your information to defend a legal claim against us by you, or by another party
• Providing You with Medical Care – where we need your information to provide you with medical and healthcare services

Who is the Data Controller?

The Ryeland Surgery is registered as a Data Controller under the Data Protection Act 1998. The registration number is Z6820810 and can be viewed online in the public register at the ICO. This means we are responsible for collecting, storing and handling your personal and healthcare information when you register with us as a patient.

There may be times when we also process your information. That means we use it for a particular purpose and, therefore, on those occasions we may also be Data Processors. The purposes for which we use your information are set out in this Privacy Notice.

Fair Processing

Personal data must be processed in a fair manner – the GDPR says that information should be treated as being obtained fairly if it is provided by a person who is legally authorised or required to provide it. Fair Processing means that the Practice has to be clear and open with people about how their information is used.

This privacy notice explains why we as a Practice collect information about our patients and how that information may be used.

The Ryeland Surgery manages patient information in accordance with existing laws and with guidance from organisations that govern the provision of healthcare in England such as the Department of Health and the General Medical Council.

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

• General Data Protection Regulations
• Data Protection Act 1998
• Human Rights Act 1998
• Common Law Duty of Confidentiality
• Health and Social Care Act 2012
• NHS Codes of Confidentiality and Information Security

In practice, this means ensuring that your personal confidential data (PCD) is handled clearly and transparently, and in a reasonably expected way.

The Health and Social Care Act 2012 changed the way that personal confidential data is processed, therefore it is important that our patients are aware of and understand these changes, and that you have an opportunity to object and know how to do so.

The health care professionals who provide you with care maintain records about your health and any NHS treatment or care you have received (e.g. NHS Hospital Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.

NHS health records may be processed electronically, on paper or a mixture of both; and we use a combination of working practices and technology are used to ensure that your information is kept confidential and secure.

How we use the information about you

We use your personal and healthcare information in the following ways:

• When we need to speak to, or contact other doctors, consultants, nurses or any other medical/healthcare professional or organisation during the course of your diagnosis or treatment or ongoing healthcare.
• When we are required by Law to hand over your information to any other organisation, such as the police, by court order, solicitors or immigration enforcement.

We will never pass on your personal information to anyone else who does not need it, or has no right to it, unless you give us clear consent to do so.

Under the General Data Protection Regulations (GDPR), we will be lawfully using you information in accordance with:

• Article 6, e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• Article 9, (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical 4 diagnosis, the provision of health or social care or treatment or the management of health or social care systems

There are times that we may want to use your information to contact you or offer you services not directly about your healthcare. In these instances we will always gain your consent to contact you. We would however like to use your name, contact details and email address to inform you of other services that may benefit you; we will only do this with your consent. There may be occasions where authorised research facilities would like you to take part in innovations, research, improving services or identifying trends; you will be asked to opt in to such programmes.

At any stage where we would like to use your data for anything other than the specified purposes and where there is no lawful requirement for us to share or process your data, we will ensure that you have the ability to consent and opt out prior to any data processing taking place.

This information is not shared with third parties or used for any marketing and you can unsubscribe at any time via phone, email or by informing the practice DPO as below.

How long will we keep your personal information

We are required under UK law to keep your information and date for the full retention periods as specified gy the NHS Records Management Code of Practice for Health and Social Care and national archives requirements.

More information on records retention can be found here

Where do we store your information electronically?

All the personal data we process is processed by our staff in the UK. However for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place. We have a Data Protection regime in place to oversee the effective and secure processing of your personal and/or special category (sensitive, confidential) data.

The Practice uses a clinical system provided by a Data Processor called EMIS. With effect from 10th June 2019, EMIS will start storing your practice’s EMIS Web data in a highly secure, third party cloud hosted environment, namely Amazon Web Services (“AWS”).

The data will remain in the UK at all times and will be fully encrypted both in transit and at rest. In doing this, there will be no change to the control of access to your data and the hosted service provider will not have any access to the decryption keys. AWS is one of the world’s largest cloud companies, already supporting numerous public sector clients (including the NHS), and it offers the very highest levels of security and support.

Information we collect from you

• Records held by this GP practice may include the following information:
• Your contact details (such as your name, address and email address including place of work and work contact details)
• Details and contact numbers of your next of kin
• Your age range, gender, ethnicity
• Details in relation to your medical history
• The reason for your visit to the surgery
• Any contact the practice has had with you, including appointments (emergency or scheduled), clinic visits, etc.
• Notes and reports about your health, details of diagnosis and consultations with our GPs and other Health Professionals within the surgery involved in your direct healthcare
• Details about treatment and care received  Results of investigations, such as laboratory tests, x-rays, etc.
• Relevant information from other health professionals, relatives or those who care for you

Recordings of telephone conversations between yourself and the practice

• Information about you from others We also collect personal information about you when it is sent to us from the following:
• A hospital, a consultant or any other medical or healthcare professional, or any other person involved with your general healthcare
• DVLA requests
• Firearms applications
• Immigration matters
• Court Orders
• Safeguarding and Child Protection communications

The practice collects and holds data for the sole purpose of providing healthcare services to our patients and we will ensure that the information is kept confidential. However, we can disclose personal information if:

• It is required by law
• You provide consent – either implicitly or for the sake of their own care, or explicitly for other purposes
• It is justified to be in the public interest

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS.

Information may be used for clinical audit purposes to monitor the quality of service provided, and may be held centrally and used for statistical purposes. Where we do this we ensure that patient records cannot be identified.

Sometimes your information may be requested to be used for clinical research purposes – the practice will always endeavour to gain your consent before releasing the information.

Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care.

Patients can choose to withdraw their consent to their data being used in this way. When the practice is about to participate in any new data-sharing scheme we will make patients aware by displaying prominent notices in the surgery and on our website at least four weeks before the scheme is due to start. We will also explain clearly what you have to do to ‘opt-out’ of each new scheme.

A patient can object to their personal information being shared with other health care providers but if this limits the treatment that you can receive then the doctor will explain this to you at the time.

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the General Data Protection Regulations (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security. Every staff member who works for an NHS organisation has a legal obligation to maintain the confidentiality of patient information.

All of our staff, contractors and locums receive appropriate and regular training to ensure they are aware of their personal responsibilities and have legal and contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Only a limited number of authorised staff have access to personal information where it is appropriate to their role and is strictly on a need-to-know basis. If a sub-contractor acts as a data processor for the Practice, an appropriate contract (Article 24-28) will be established for the processing of your information.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information: to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.

Our practice policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the General Data Protection Regulations (GDPR) and all UK specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be protected.

In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact the Data Protection Officer in writing if you wish to withdraw your consent. If some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose in an identifiable format. In some circumstances you can Opt-out of the surgery sharing any of your information for research purposes.

Who we may provide your personal information to and why?

Whenever you use a health or care service, such as attending Accident and Emergency or using Community Care Services, important information about you is collected to help ensure you get the best possible care and treatment. This information may be passed to other approved organisations where there is a legal basis, to help with planning services, improving care, research into developing new treatments and preventing illness. All of this helps in providing better care to you and your family and future generations. However, as explained in this Privacy Notice, confidential information about your health and care is only used in this way where allowed by law and would never be used for any other purpose without your clear and explicit consent.

We may pass your personal information on to the following people or organisations, because these organisations may require your information to assist them in the provision of your direct healthcare needs. It, therefore, may be important for them to be able to access your information in order to ensure they may properly deliver their services to you:

• Hospital professionals (such as doctors, consultants, nurses, etc)
• Other GPs / Doctors
• Specialist Trusts
• Primary Care Network
• NHS Commissioning Support Units
• Independent Contractors such as dentists, opticians, pharmacists
• Any other person that is involved in providing services related to your general healthcare, including mental health professionals
• Private Sector Providers including pharmaceutical companies to allow for the provision of dressings, hosiery etc
• Voluntary Sector Providers
• Ambulance Trusts
• Clinical Commissioning Groups
• Social Care Services
• NHS England (NHSE) and NHS Digital (NHSD)
• Multi Agency Safeguarding Hub (MASH)
• Other ‘data processors’ e.g. Diabetes UK
• MJOG and AccuRx messaging services

You will be informed who your data will be shared with and in some cases asked for explicit consent for this to happen when this is required.

Other people to whom we provide your information

• Commissioners
• Clinical Commissioning Groups
•  Local Authorities
• Education Services
• Community Health Services
• Fire & Rescue Services
• For the purposes of complying with the law, eg. Police, Solicitors, Insurance Companies, DVLA
• Anyone you have given your consent to, to view or receive your record, or part of your record – please note, if you give another person or organisation consent to access your record we will need to contact you to verify your consent before we release that record. It is important that you are clear and understand how much and what aspects of your record you give consent to be disclosed.
• Extended Access (Taurus) – we provide extended access services to our patients which means you can access medical services outside of our normal working hours. In order to provide you with this service, we have formal arrangements in place with the Clinical Commissioning Group and with Taurus whereby certain key ‘hub’ practices offer this service on our behalf for you as a patient to access outside of our opening hours. This means those key ‘hub’ practices will have to have access to your medical record to be able to offer you the service. Please note to ensure that those practices comply with the law and to protect the use of your information, we have very robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those purposes only. The key ‘hub’ practices are South Wye Medical Centre, Ryeland Surgery and Pendeen Surgery.
• Data Extraction by the Clinical Commissioning Group – the Clinical Commissioning Group at times extracts medical information about you, but the information we pass to them via our computer systems cannot identify you to them. This information only refers to you by way of a code that only your practice can identify (it is pseudoanonymised). This therefore protects you from anyone who may have access to this information at the Clinical Commissioning Group from ever identifying you as a result of seeing the medical information and we will never give them the information that would enable them to do this.
• Herefordshire One Record – Patients in Herefordshire are able to benefit from the sharing of information to better manage their care via the Herefordshire One Record system. This includes sharing: contact details, diagnosis, medications, allergies, test results, referrals and letters and care plans between health professionals in Herefordshire. Health information is shared with:
  • Wye Valley NHS Trust (including Community Services)
  • St Michael’s Hospice
  • 2Gether NHS Foundation Trust
  • Taurus Healthcare Ltd (as above)

Further information about Herefordshire One Record can be found here

National Opt-Out Facility

You can choose whether your confidential patient information is used for research and planning.

Who can use your confidential patient information for research and planning?

It is used by the NHS, local authorities, university and hospital researchers, medical colleges and pharmaceutical companies researching new treatments.

Making your data opt-out choice.

You can choose to opt out of sharing your confidential patient information for research and planning. There may still be times when your confidential patient information is used: for example, during an epidemic where there might be a risk to you or to other people’s health. You can also still consent to take part in a specific research project.

Will choosing this opt-out affect your care and treatment?

No, your confidential patient information will still be used for your individual care. Choosing to opt out will not affect your care and treatment. You will still be invited for screening services, such as screenings for bowel cancer.

What should you do next?

You do not need to do anything if you are happy about how your confidential patient information is used. If you do not want your confidential patient information to be used for research and planning, you can choose to opt out securely online or through a telephone service. You can change your choice at any time.

Click here find out more or to make your choice or call 0300 303 5678

Third party processors

In order to deliver the best possible service, the practice will share data (where required) with other NHS bodies such as other GP practices and hospitals. In addition, the practice will use carefully selected third party service providers. When we use a third party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:

• Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc.
• Delivery services (for example if we were to arrange for delivery of any medicines to you).
• Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).

Further details regarding specific third-party processors can be supplied by the Data Protection Officer on request.

Shared Care

To support your care and improve the sharing of relevant information to our partner organisations (as above) when they are involved in looking after you, we will share information to other systems. The general principle is that information is passed to these systems unless you request that this does not happen, but that system users should ask for your consent before viewing your record.

We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure. All employees and sub-contractors engaged by our practice are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor for Ryeland Surgery an appropriate contract (art 24-28) will be established for the processing of your information.

Anonymised Information

Sometimes we may provide information about you in an anonymised form. If we do so, then none of the information we provide to any other party will identify you as an individual and cannot be traced back to you.

Third Parties mentioned on your medical record

Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to confidentiality, are removed before we send any information to any other party including yourself. Third parties can include: spouses, partners and other family members.

Your rights as a patient

The Law gives you certain rights to your personal and healthcare information that we hold, as set out below:

Access and Subject Access Requests

you have the right to see what information we hold about you and to request a copy of this information. If you would like a copy of the information we hold about you, please contact the Practice Manager in the first instance. We will provide this information free of charge. However, we may in some limited and exceptional circumstances have to make an administrative change for any extra copies if the information requested is excessive, complex or repetitive. We have one month to reply to you and give you the information that you require. We would ask, therefore, that any requests you make are in writing and it is made clear to us what and how much information you require.

Online Access

You may ask us if you wish to have online access to your medical record. However, there will be certain protocols that we have to follow in order to give you online access, including written consent and production of documents that prove your identity. Please note that when we give you online access, the responsibility is yours to make sure that you keep information safe and secure if you do not wish any third party to gain access.

Correction

We want to make sure that your personal information is accurate and up to date. You may ask us to correct any information you think is inaccurate. It is very important that you make sure you tell us if your contact details including your mobile phone number has changed.

Removal

You have the right to ask for your information to be removed. However, if we require this information to assist us in providing you with appropriate medical services and diagnosis for your healthcare, then removal may not be possible.

Objection

We cannot share your information with anyone else for a purpose that it not directly related to your health, eg. medical research, educational purposes etc. We would ask you for your consent in order to do this however, you have the right to request that your personal and healthcare information is not shared by the 11 Surgery in this way. Please note the Anonymised Information section in this Privacy Notice.

Transfer

You have the right to request that your personal and/or healthcare information is transferred, in an electronic form (or other form) to another organisation, but we will require your clear consent to be able to do this.

Sharing your information without consent

We will normally ask you for your consent, but there are times when we may be required by law to share your information without your consent, for example:

• where there is a serious risk of harm or abuse to you or other people;
• safeguarding matters and investigations;
• where a serious crime, such as assault, is being investigated or where it could be prevented;
• notification of new births;
• where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS);
• where a formal court order has been issued;
• where there is a legal requirement, for example if you had committed a Road Traffic Offence

Text messaging and contacting you

Because we are obliged to protect any confidential information we hold about you and we take this very seriously, it is imperative that you let us know immediately if you change any of your contact details.

In the event that we need to notify you about appointments and other services that we provide to you involving your direct care, we may contact you via your mobile phone using the MJOG or AccuRx SMS texting systems. Therefore, you must ensure that we have up to date details. This is to ensure we are sure we are actually contacting you and not another person.

Practice Website

Our Website does use cookies to optimise your experience. Using this feature means you have agreed to the use of cookies as required by the EU Data Protection Directive 95/46/EC. You have the option to decline the use of cookies on your first visit to the website. The only website this Privacy Notice applies to is the Surgery’s website. If you use a link to any other website from the Surgery’s website then you will need to read their respective Privacy Notice. We take no responsibility (legal or otherwise) for the content of other websites.

Risk Stratification

Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or re-admission and identifying a need for preventative intervention. Typically this is because patients have a long term condition such as COPD, cancer or other medical condition at risk of sudden worsening.

Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your anonymous information using computer programmes. Your information is only provided back to your GP or member of your care team in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary your GP may be able to offer you additional services. Please note that you have the right to opt out of Risk Stratification.

Should you have any concerns about how your information is managed, or wish to opt out of any data collection at the practice, please contact the practice, or your healthcare professional to discuss how the disclosure of your personal information can be limited.

Patients have the right to change their minds and reverse a previous decision. Please contact the practice, if you change your mind regarding any previous choice.

GP Connect

Service The GP Connect service allows authorised clinical staff at NHS 111 to seamlessly access our practice’s clinical system and book directly on behalf of a patient. This means that should you call NHS 111 and the clinician believes you need an appointment with your GP Practice, the clinician will access available appointment slots only (through GP Connect) and book you in. This will save you time as you will not need to contact the practice direct for an appointment.

The practice will not be sharing any of your data and the practice will only allow NHS 111 to see available appointment slots. They will not even have access to your record. However, NHS 111 will share any relevant data with us, but you will be made aware of this. This will help your GP in knowing what treatment / service / help you may require.

Please note if you no longer require the appointment or need to change the date and time for any reason you will need to speak to one of our reception staff and not NHS 111. Medicines Management The Practice may conduct

Medicine Management

Reviews of medications prescribed to its patients. This service performs a review of prescribed medication to ensure patients recent the most appropriate, up to date and cost effective treatments. This service is provided to practices within Herefordshire through Herefordshire Clinical Commissioning Group.

Patient Communication

The Practice would like to use your name, contact details and email address to inform you of NHS services or provide information about your health, information to manage your healthcare or information about the management of the NHS service. There may be occasions were authorised research facilities would like you to take part in research in regard to your particular health issues to try improve your health; your contact details may be used to invite you to receive further information about such research opportunities.

Safeguarding

The Practice is dedicated to ensuring that the principles and duties of safeguarding adults and children are holistically, consistently and conscientiously applied with the wellbeing of all, at the heart of what we do.

Our legal basis for processing for the General Data Protection Regulation (GDPR) purposes is:

• 3 Article 6(1)(e) ‘…exercise of official authority…’.

For the processing of special categories data, the basis is:

• Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’

The data collected by Practice staff in the event of a safeguarding situation will be as much personal information as is necessary or possible to obtain in order to handle the situation. In addition to some basic demographic and contact details, we will also process details of what the safeguarding concern is. This is likely to be special category information (such as health information).

The Practice will either receive or collect information when someone contacts the organisation with safeguarding concerns, or we believe there may be safeguarding concerns and make enquiries to relevant providers.

The information is used by the Practice when handling a safeguarding incident or concern. We may share information accordingly to ensure duty of care and investigation as required with other partners such as local authorities, the police or healthcare professionals (i.e. their GP or mental health team).

Research

Clinical Practice Research Datalink (CPRD) collects de-identified patient data from a network of GP practices across the UK. Primary care data are linked to a range of other health related data to provide a longitudinal, representative UK population health dataset. You can opt out of your information being used for research purposes at any time (see below).

Click here for full details on their wesbite

The legal basis for processing this information

CPRD do not hold or process personal data on patients; however, NHS Digital (formally the Health and Social Care Centre) may process ‘personal data’ for us as an accredited ‘safe haven’ or ‘trusted third-party’ within the NHS when linking GP data with data from other sources. The legal bases for processing this data are:

Medicines and medical device monitoring: Article 6(e) and Article 9(2)(i) – public interest in the area of public health

Medical research and statistics: Article 6(e) and Article 9(2)(j) – public interest and scientific research purposes

Any data CPRD hold or pass on to bona fide researchers, except for clinical research studies, will have been anonymised in accordance with the Information Commissioner’s Office Anonymisation Code of Practice. We will hold data indefinitely for the benefit of future research, but studies will normally only hold the data we release to them for twelve months.

Primary Care Network

The objective of primary care networks is for group practices together to create more collaborative workforces which ease the pressure of GP’s, leaving them better able to focus on patient care. The aim is that, by July 2019, all areas within England will be covered by a PCN.

Primary care networks form a key building block of the NHS long-term plan. Bringing general practices together to work at scale has been a policy priority for some years for a range of reasons, including improving the ability of practices to recruit and retain staff; to manage financial and estates pressures; to provide a wider range of services to patients and to more easily integrate with the wider health and care system.

All GP practices are expected to come together in geographical networks covering populations of approximately 30–50,000 patients by June 2019 if they are to take advantage of additional funding attached to the GP contract. This size is consistent with the size of the primary care homes, which exist in many places in the country, but is much smaller than most GP Federations.

This means the practice may share your information with other practices within the PCN to provide you with your care and treatment.

Invoice Validation

If you have received treatment within the NHS your personal information may be shared within a strictly monitored, secure and confidential environment in order to determine which CCG should pay for the treatment or procedure you have received.

Information such as your name, address and date of treatment may be passed on to enable the billing process – these details are held in a secure environment and kept confidential. This information will only be used to validate invoices, and will not be shared for any further commissioning purposes.

NHS Health Checks

Cohorts of our patients aged 40-74 not previously diagnosed with cardiovascular disease are eligible to be invited for an NHS Health Check. Nobody outside the healthcare team in the practice will see confidential information about you during the invitation process.

Access to your personal information

Data Subject Access Requests (DSAR): You have a right under the Data Protection legislation to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. To request this, you need to do the following:

• Your request should be made to the Practice or for information from the hospital you should write direct to them
• There is no charge to have a copy of the information held about you
• We are required to respond to you within one month
• You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified, and your records located information we hold about you at any time.

What should you do if your personal information changes?

You should tell us so that we can update our records. Please contact a member of the Reception Team as soon as any of your details change. This is especially important for changes of address or contact details (such as your mobile phone number). The Practice will from time to time ask you to confirm that the information we currently hold is accurate and up-to-date.

Objections and/or Complaints

Should you have any concerns about how your information is managed at the Practice, please contact the Practice Manager. If you are still unhappy following a review by the GP Practice, you can then complain to the Information Commissioner’s Office (ICO) via their website or Telephone: 0303 123 1113.

The Information Commissioner’s Office is the Regulator for the General Data Processing Regulations and offer independent advice and guidance on the law and personal data, including your rights and how to access your personal information.

If you are happy for your data to be used for the purposes described in this Privacy Notice, then you do not need to do anything. If you have any concerns about how your data is shared or any , then please contact the practice’s Data Protection Officer.

If you would like to know more about your rights in respect of the personal data we hold about you, please contact the Data Protection Officer whose details can be found below.

Data Protection Officer

The Practice Data Protection Officer

Paul Couldrey
PCIG Consulting Limited
7 Westacre Drive
Quarry Bank
West Midlands
DY5 2EE

Further Information

Further information about the way in which the NHS uses personal information and your rights in that respect can be found:

• The NHS Constitution
• NHS Digital’s Guide to Confidentiality in Health & Social Care

Where to find our Privacy Notice

You may find a copy of this Privacy Notice at our Reception Desk, on our website or a copy may be provided on request.

If English is not your first language

If English is not your first language, you can request a translation of this Privacy Notice.

Changes to our Privacy Notice

It is important to point out that we may amend our Privacy Notice from time to time. This Privacy Notice was last updated on 4th September 2019. If you are dissatisfied with any aspect of our Privacy Notice, please contact the Practice Data Protection Officer.

Version 6.0 March 2020

All the health care professionals that look after you maintain records about your health and any treatment or care that you have previously received. This includes hospitals, GP surgeries, walk-in clinics etc. NHS health records may be electronic, paper-base or a mixture of both and we will ensure that all your information is kept confidential and secure.

Information which this GP Practice holds about you may include:

• Details about you, such as your address, carer, legal representative, emergency contacts
• Any contact the surgery has had with you in the past, such as appointments, clinic visits, emergency appointments, etc.
• Notes and reports about your health
• Details about your treatment and care
• Results of investigations such as laboratory tests, x-rays etc
• Relevant information from other health professionals, relatives or those who care for you

Your records are used to ensure you receive the best possible care. Information held about you may also be used to help protect the health of the public and for clinical audit to monitor the quality of the service provided.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to make sure that individual patients cannot be identified. Occasionally your information may also be requested for research purposes. The practice will always ask for your consent before agreeing to do this.

Identifying patients’ health risks

Risk identification tools are increasingly being used in the NHS to help understand a patient’s risk of suffering from a particular condition in the future. As once we know this we can offer preventative intervention.

Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information using software managed by NHS England. Risk stratification enables your GP to focus on preventing ill health and offer you additional services to help you not to become ill in the future.

Please note that you have the right to opt out of your data being used in this way.

To find out more about the benefits of data sharing, how data is protected, or to make/change your opt-out choice click here to visit the NHS Your Data Matters wesbite.

Medicines Management

The Practice may carry out reviews of the medications prescribed to its patients to ensure that all patients are receiving the most appropriate, up to date and cost effective treatments.

How Do We Maintain The Confidentiality Of Your Records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

• Data Protection Act 1998
• Human Rights Act 1998
• Common Law Duty of Confidentiality
• Health and Social Care Act 2012
• NHS Codes of Confidentiality, Information Security and Records Management
• Information: To Share or Not to Share Review

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.

We will only ever use or pass on information about you if others, involved in your care, have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies.

Who Are Our Partner Organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:

• NHS Trusts / Foundation Trusts
• GPs
• NHS Commissioning Support Units
• Independent contractors such as dentists, opticians, pharmacists
• Private sector providers
• Voluntary sector providers
• Ambulance Trusts
• Clinical Commissioning Groups
• Social Care Services
• Health and Social Care Information Centre (HSCIC)
• Local Authorities
• Education Services
• Fire and Rescue Services
• Police & Judicial Services
• Other ‘data processors’ which you will be informed of

You will be informed who your data will be shared with and in some cases asked for explicit consent for this to happen.

We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.

Primary Care Services at Emergency Departments

Your GP surgery is working together with hospitals in the area to make sure you receive the care you need, when you need it. This means that if you ever need to go to the local Accident and Emergency Department, the doctor who sees you will be able to see your GP health record to determine the best way to help you.

Access To Personal Information

You have a right, under the Data Protection Act 1998, to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. In order to request this, you need to do the following:

• Your request must be made in writing to the GP – for information from the hospital you should write direct to them
• There may be a charge to receive a printed copy of the information
• We are required to respond to you within 40 days
• You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located

Objections / Complaints

Should you have any concerns about how your information is managed at the GP, please contact the Practice Manager. If you are still unhappy following a review by the GP practice, you can then complain to the Information Commissioners Office (ICO) via their website. If you are happy for your data to be extracted and used for the purposes described in this privacy notice then you do not need to do anything. If you have any concerns about how your data is shared then please contact the practice.

Change of Details

It is important that you tell the person treating you if any of your details, such as your name or address, have changed or if any of your details such as date of birth is incorrect so that we can amend this. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.

Notification

The Data Protection Act 1998 requires organisations to register the purposes for which they process personal and sensitive information. This information is publicly available on the Information Commissioner’s website. The practice is registered with the Information Commissioners Office (ICO).

Who is the Data Controller?

The Data Controller, responsible for keeping your information secure and confidential

Paul Couldrey
PCIG Consulting Limited
7 Westacre Drive
Quarry Bank
West Midlands
DY5 2EE

Complaints

Should you have any concerns about how your information is managed by the Practice please contact the Practice Manager at Ryeland Surgery, Westfield Walk, Leominster, Herefordshire HR6 8HD. If you are still unhappy following a review by the Practice you can then complain to the Information Commissioners Office (ICO) whose can be contacted at:

• www.ico.org.uk
• casework@ico.org.uk
• Telephone: 0303 123 1113 (local rate) or 01625 545 745

The NHS operate a zero tolerance policy with regard to violence and abuse and the practice has the right to remove violent patients from the list with immediate effect in order to safeguard practice staff, patients and other persons.

Violence in this context includes actual or threatened physical violence or verbal abuse which leads to fear for a person’s safety. In this situation we will notify the patient in writing of their removal from the list and record in the patient’s medical records the fact of the removal and the circumstances leading to it.