Coronavirus Notice
During these exceptional circumstances we want to make it easier for you to understand and provide you with more information about how our GP Practice may seek to collect, use, share and hold information about you in relation to the unprecedented challenges we are facing during the Coronavirus pandemic (COVID-19).
We may collect, use and share your information in response to the Coronavirus which is above and beyond what would ordinarily be collected used, accessed and shared. This is because it will allow front line services to manage and contain the virus. Such information will be limited to what is proportionate and necessary.
Summary Privacy/Fair Processing Notice
Caritas GP Partnership has a legal duty to explain how we use any personal information we collect about you, as a registered patient, at the practice. Staff at this practice maintain records about your health and the treatment you receive in electronic and paper format.
What information do we collect about you?
We will collect information such as personal details, including name, address, next of kin, records of appointments, visits, telephone calls, your health records, treatment and medications, test results, X-rays, etc. and any other relevant information to enable us to deliver effective medical care.
It is important that you tell us if any of your details such as your name or address have changed or if any of your details such as date of birth is incorrect in order for this to be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.
How we will use your information
Your data is collected for the purpose of providing direct patient care; however, we can disclose this information if it is required by law, if you give consent or if it is justified in the public interest. The practice may be requested to support research; however, we will always gain your consent before sharing your information with medical research databases where the law allows.
In order to comply with its legal obligations, this practice may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012. Additionally, this practice contributes to national clinical audits and will send the data that is required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form; for example, the clinical code for diabetes or high blood pressure.
Processing your information in this way and obtaining your consent ensures that we comply with Articles 6(1)(c), 6(1)(e) and 9(2)(h) of the General Date Protection Regulations (GDPR).
We may also have to share your information, subject to strict agreements on how it will be used, with the following organizations or receive information from the following organizations:-
- NHS Trusts / Foundation Trusts
- Independent Contractors e.g. dentists, opticians, pharmacists
- Private Sector Providers
- Ambulance Trusts
- Social Care Services
- Local Authorities
- Fire and Rescue Services
- Other ‘data processors’ which you will be informed of
- Other GP Practices and GP Organizations
- NHS Commissioning Support Units
- Voluntary Sector Providers
- Clinical Commissioning Groups
- NHS Digital
- Education Services
- Police & Judicial Services
As part of local initiative, participating GP Practices are working more closely with Stockport Foundation Trust. This will involve clinical information being shared between your GP practice and Stockport Foundation Trust Community Services.
Patients would normally be informed who their data will be shared with and in some cases asked for explicit consent for this to happen when this is required. This will be done at the point of care and you have an option whether or not your information is accessed.
If you change your mind at a later date then you should also inform your GP Practice of this.
As a Practice we are participating in the COVID-19 vaccination program and as a result of this there may be a requirement for your information to be accessed if you are eligible for the vaccine. This information will be accessed for a medical purpose or to book you into one of our clinics. The Practices we work alongside are part of a Primary Care Network and called Victoria PCN and these practices are:
- Caritas GP Partnership
- Stockport Medical Group
- Bracondale Medical Centre
- Adshall Road Medical Practice
If you have any concerns or want to know what information is being recorded on your record please speak to us.
You will be informed who your data will be shared with and in some cases asked for explicit consent for this to happen when this is required.
We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.
Maintaining confidentiality and accessing your records
We are committed to maintaining confidentiality and protecting the information we hold about you. We adhere to the General Data Protection Regulation (GDPR), the NHS Codes of Confidentiality and Security, as well as guidance issued by the Information Commissioner’s Office (ICO). You have a right to access the information we hold about you, and if you would like to access this information, you will need to complete a Subject Access Request (SAR). Please ask at reception for a SAR form and you will be given further information. Furthermore, should you identify any inaccuracies, you have a right to have the inaccurate data corrected.
Risk stratification
Risk stratification is a mechanism used to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions, e.g. cancer. Your information is collected by a number of sources; this information is processed electronically and given a risk score which is relayed to your GP who can then decide on any necessary actions to ensure that you receive the most appropriate care.
Invoice validation
Your information may be shared if you have received treatment to determine which Clinical Commissioning Group (CCG) is responsible for paying for your treatment. This information may include your name, address and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.
Opt-outs
You have a right to object to your information being shared. Should you wish to opt out of data collection, please contact a member of staff who will be able to explain how you can opt out and prevent the sharing of your information; this is done by registering to opt out online (national data opt-out programme) or if you are unable to do so or do not wish to do so online, by speaking to a member of staff.
Retention periods
In accordance with the NHS Codes of Practice for Records Management, your healthcare records will be retained for 10 years after death, or if a patient emigrates, for 10 years after the date of emigration.
Further Information
The practice has prepared a series of Privacy Notices providing more information in relation to how we process your data. For more information please see folder in reception/visit our website. Alternatively, should you have any questions about our privacy policy or the information we hold about you, you can:
- Contact the practice’s Data Protection Officer (DPO), our Data Protection Officer is Paul Couldrey, Managing Director, PCDC. He can be contacted by emailing info@pcdc.org.uk
- The practice is the data controllers for the data held about their patients. You can write to the data controller at either Ellesmere Medical Centre, 262 Stockport Road, Stockport, SK3 0RQ or Dial House Medical Centre, 131 Mile End Lane, Stockport, SK2 6BZ
- Ask to speak to either practice manager Gill Eggleston or Tracy Johnstone.
Complaints
Should you have any concerns about how your information is managed at this Practice, please contact the Practice Manager. If you are still unhappy after we have responded to your concerns, you can then complain to the Information Commissioners Office (ICO) via their website (www.ico.org.uk).
Changes to our privacy policy
We regularly review our privacy policy and any updates will be published on our website, in our newsletter and on posters to reflect the changes.
Privacy Notice – Direct Care, (routine care and referrals)
Caritas GP Partnership
Plain English explanation
This practice keeps data on you relating to who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care.
When registering for NHS care, all patients who receive NHS care are registered on a national database, the database is held by NHS Digital a national organisation which has legal responsibilities to collect NH Data.
GPs have always delegated tasks and responsibilities to others that work with them in their surgeries, on average an NHS GP has between 1,500 to 2,500 patients for whom he or she is accountable. It is not possible for the GP to provide hands on personal care for each and every one of those patients in those circumstances, for this reason GPs share your care with others, predominantly within the surgery but occasionally with outside organisations.
If your health needs require care from others elsewhere outside this practice we will exchange with them whatever information about you that is necessary for them to provide that care. When you make contact with healthcare providers outside the practice but within the NHS it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non NHS services but this is not always the case.
Your consent to this sharing of data, within the practice and with those others outside the practice is assumed and is allowed by the Law.
People who have access to your information will only normally have access to that which they need to fulfil their roles
You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests. Please see below.
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.
Details of the Direct Care (routine care and referrals) privacy notice
1) Data Controller contact details
|
Caritas GP Partnership, 131 Mile End Lane, Stockport, SK2 6BZ
|
2) Data Protection Officers contact details
|
Tracy Johnstone, Ellesmere Medical Centre, 262 Stockport Road, Stockport, SK3 ORQ
Gill Eggleston, Dial House Medical Centre, 131 Mile End Lane, Stockport, SK2 6BZ
|
3) Purpose of the processing
|
Direct Care is care delivered to the individual alone, most of which is provided in the surgery. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.
|
4) Lawful basis for processing
|
The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*
|
5) Recipient or categories of recipients of the processed data
|
The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.
|
6) Rights to object
|
You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance
|
7) Right to access and correct
|
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
|
8) Retention period
|
The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
|
* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Privacy Notice - Direct Care – Emergencies
Caritas GP Partnership
There are occasions when intervention is necessary in order to save or protect a patient’s life or to prevent them from serious immediate harm, for instance during a collapse or diabetic coma or serious injury or accident. In many of these circumstances the patient may be unconscious or too ill to communicate. In these circumstances we have an overriding duty to try to protect and treat the patient. If necessary we will share your information and possibly sensitive confidential information with other emergency healthcare services, the police or fire brigade, so that you can receive the best treatment.
The law acknowledges this and provides supporting legal justifications.
Individuals have the right to make pre-determined decisions about the type and extent of care they will receive should they fall ill in the future, these are known as “Advance Directives”. If lodged in your records these will normally be honoured despite the observations in the first paragraph.
Details of the Direct Care (Emergencies) privacy notice
1) Data Controller contact details
|
Caritas GP Partnership, 131 Mile End Lane, Stockport, SK2 6BZ
|
2) Data Protection Officers contact details
|
Tracy Johnstone, Ellesmere Medical Centre, 262 Stockport Road, Stockport, SK3 ORQ
Gill Eggleston, Dial House Medical Centre, 131 Mile End Lane, Stockport, SK2 6BZ
|
3) Purpose of the processing
|
Doctors have a professional responsibility to share data in emergencies to protect their patients or other persons. Often in emergency situations the patient is unable to provide consent.
|
4) Lawful basis for processing
|
This is a Direct Care purpose. There is a specific legal justification;
Article 6(1)(d) “processing is necessary to protect the vital interests of the data subject or of another natural person”
And
Article 9(2)(c) “processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent”
Or alternatively
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*
|
5) Recipient or categories of recipients of the shared data
|
The data will be shared with Healthcare professionals and other workers in emergency and out of hours services and at local hospitals, diagnostic and treatment centres. (if preferred list actual named services)
|
6) Rights to object
|
You have the right to object to some or all of the information being shared with the recipients. Contact the Data Controller or the practice.
You also have the right to have an “Advance Directive” placed in your records and brought to the attention of relevant healthcare workers or staff.
|
7) Right to access and correct
|
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law. If we share or process your data in an emergency when you have not been able to consent, we will notify you at the earliest opportunity.
|
8) Retention period
|
The data will be retained in line with the law and national guidance
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
|
* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Privacy Notice – National Screening Programmes
Caritas GP Partnership
Plain English explanation
The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These currently apply to bowel cancer, breast cancer, cervical cancer, aortic aneurysms and diabetic retinal screening service. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.
More information can be found at: https://www.gov.uk/topic/population-screening-programmes
Details of the National Screening Programmes privacy notice
1) Data Controller contact details
|
Caritas GP Partnership, 131 Mile End Lane, Stockport, SK2 6BZ
|
2) Data Protection Officers contact details
|
Tracy Johnstone, Ellesmere Medical Centre, 262 Stockport Road, Stockport, SK3 ORQ
Gill Eggleston, Dial House Medical Centre, 131 Mile End Lane, Stockport, SK2 6BZ
|
3) Purpose of the processing
|
The NHS provides several national health screening programs to detect diseases or conditions earlier such as; cervical and breast cancer, aortic aneurysm and diabetes. More information can be found at https://www.gov.uk/topic/population-screening-programmes The information is shared so as to ensure only those who should be called for screening are called and or those at highest risk are prioritised.
|
4) Lawful basis for processing
|
The sharing is to support Direct Care which is covered under
Article 6(1)(e); “necessary… in the exercise of official authority vested in the controller’
And
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*
|
5) Recipient or categories of recipients of the shared data
|
The data will be shared with relevant health service providers
|
6) Rights to object
|
You have the right to object to this processing of your data and to some or all of the information being shared with the recipients. Contact the Data Controller or the practice. For national screening programmes: you can opt so that you no longer receive an invitation to a screening programme.
See: https://www.gov.uk/government/publications/opting-out-of-the-nhs-population-screening-programmes
|
7) Right to access and correct
|
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
|
8) Retention period
|
GP medical records will be kept in line with the law and national guidance.
Information on how long records can be kept can be found at:
https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
|
* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Privacy Notice – Safeguarding
Caritas GP Partnership
Some members of society are recognised as needing protection, for example children and vulnerable adults. If a person is identified as being at risk from harm we are expected as professionals to do what we can to protect them. In addition we are bound by certain specific laws that exist to protect individuals. This is called “Safeguarding”.
Where there is a suspected or actual safeguarding issue we will share information that we hold with other relevant agencies whether or not the individual or their representative agrees.
There are three laws that allow us to do this without relying on the individual or their representatives agreement (unconsented processing), these are:
Section 47 of The Children Act 1989 :
(https://www.legislation.gov.uk/ukpga/1989/41/section/47),
Section 29 of Data Protection Act (prevention of crime) https://www.legislation.gov.uk/ukpga/1998/29/section/29
and
section 45 of the Care Act 2014 https://www.legislation.gov.uk/ukpga/2014/23/section/45/enacted.
In addition there are circumstances when we will seek the agreement (consented processing) of the individual or their representative to share information with local child protection services, the relevant law being; section 17 Children’s Act 1989 https://www.legislation.gov.uk/ukpga/1989/41/section/17
Details of the Safeguarding privacy notice
1) Data Controller contact details
|
Caritas GP Partnership, 131 Mile End Lane, Stockport, SK2 6BZ
|
2) Data Protection Officers contact details
|
Tracy Johnstone, Ellesmere Medical Centre, 262 Stockport Road, Stockport, SK3 ORQ
Gill Eggleston, Dial House Medical Centre, 131 Mile End Lane, Stockport, SK2 6BZ
|
3) Purpose of the processing
|
The purpose of the processing is to protect the child or vulnerable adult.
|
4) Lawful basis for processing
|
The sharing is a legal requirement to protect vulnerable children or adults, therefore for the purposes of safeguarding children and vulnerable adults, the following Article 6 and 9 conditions apply:
For consented processing;
6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes
For unconsented processing;
6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject and:
9(2)(b) ‘...is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of ...social protection law in so far as it is authorised by Union or Member State law..’
We will consider your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*
|
5) Recipient or categories of recipients of the shared data
|
The data will be shared with Stockport Safeguarding Team.
|
6) Rights to object
|
This sharing is a legal and professional requirement and therefore there is no right to object.
There is also GMC guidance:
https://www.gmc-uk.org/guidance/ethical_guidance/children_guidance_56_63_child_protection.asp
|
7) Right to access and correct
|
The DSs or legal representatives has the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
|
8) Retention period
|
The data will be retained for active use during any investigation and thereafter retained in an inactive stored form according to the law and national guidance
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
|
* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Privacy Notice – Children
What is a privacy notice?
A privacy notice helps your doctor’s surgery tell you how it uses information it has about you, like your name, address, date of birth and all of the notes the doctor or nurse makes about you in your healthcare record.
Why do we need one?
Your doctor’s surgery needs a privacy notice to make sure it meets the legal requirements which are written in a new document called the General Data Protection Regulation (or GDPR for short).
What is the GDPR?
What a great question! The GDPR is a new document that helps your doctor’s surgery keep the information about you secure. It’s new and will be introduced on the 25th May 2018, making sure that your doctor, nurse and any other staff at the practice follow the rules and keep your information safe.
How do you know about our privacy notice?
At your surgery, we have posters in our waiting room and leaflets to give to children and adults and we also have lots of information about privacy on our website, telling you how we use the information we have about you.
What information do we collect about you?
Don’t worry; we only collect the information we need to help us keep you healthy – such as your name, address, information about your parents or guardians, records of appointments, visits, telephone calls, your health record, treatment and medicines, test results, X-rays and any other information to enable us to care for you.
How do we use your information?
Another great question! Your information is taken to help us provide your care. But we might need to share this information with other medical teams, such as hospitals, if you need to been seen by a special doctor or sent for an X-ray. Your doctor’s surgery may be asked to help with exciting medical research; but don’t worry, we will always ask you, or your parents or adults with parental responsibility, if it’s okay to share your information.
How do we keep your information private?
Well, your doctor’s surgery knows that it is very important to protect the information we have about you. We make sure we follow the rules that are written in the GDPR and other important rule books.
What if I’ve got a long-term medical problem?
If you have a long-term medical problem then we know it is important to make sure your information is shared with other healthcare workers to help them help you, making sure you get the care you need when you need it!
Don’t want to share?
All of our patients, no matter what their age, can say that they don’t want to share their information. If you’re under 16 this is something which your parents or adults with parental responsibility will have to decide. They can get more information from a member of staff at the surgery, who can also explain what this means to you.
How do I access my records?
Remember we told you about the GDPR? Well, if you want to see what is written about you, you have a right to access the information we hold about you, but you will need to complete a Subject Access Request (SAR). Your parents or adults with parental responsibility will do this on your behalf if you’re under 16. But if you are over 12, you may be classed as being competent and you may be able to do this yourself.
What do I do if I have a question?
If you have any questions, ask a member of the surgery team or your parents or adults with parental responsibility. You can:
- Contact the practice’s data controller via email at either GMICB-STO.EmcAdmin@nhs.net (for Ellesmere Medical Centre) or GMICB-STO.P88013-admin@nhs.net for Dial House Medical Centre. GP practices are data controllers for the data they hold about their patients
- Write to the data controller at either Dial House Medical Centre, 131 Mile End Lane, Stockport, SK2 6BZ or Ellesmere Medical Centre, 262 Stockport Road, Stockport, SK3 0RQ
- Ask to speak to the practice manager Gill Eggleston at Dial House or Tracy Johnstone at Ellesmere.
The Data Protection Officers (DPO) for Caritas GP Partnership is Paul Couldrey, Managing Director, PCDC. He can be contacted by emailing: info@pcdc.org.uk. What to do if you’re not happy about how we manage your information
We really want to make sure you’re happy, but we understand that sometimes things can go wrong. If you or your parents or adults with parental responsibility are unhappy with any part of our data-processing methods, you can complain. For more information, visit ico.org.uk and select ‘Raising a concern’.
We always make sure the information we give you is up to date. Any updates will be published on our website and on our posters. This policy will be reviewed on 25 May 2019.
Public Health Privacy Notice
Caritas GP Partnership
Public health encompasses everything from national smoking and alcohol policies, the management of epidemics such as flu, the control of large scale infections such as TB and hepatitis B to local outbreaks of food poisoning or measles. Certain illnesses are also notifiable; the doctors treating the patient are required by law to inform the Public Health Authorities, for instance scarlet fever.
This will mean the subjects personal and health information being shared with the Public Health organisations.
Some of the relevant legislation includes: the Health Protection (Notification) Regulations 2010 (SI 2010/659), the Health Protection (Local Authority Powers) Regulations 2010 (SI 2010/657), the Health Protection (Part 2A Orders) Regulations 2010 (SI 2010/658), Public Health (Control of Disease) Act 1984, Public Health (Infectious Diseases) Regulations 1988 and The Health Service (Control of Patient Information) Regulations 2002
Details of Public Health privacy notice
1) Data Controller contact details
|
Caritas GP Partnership, 131 Mile End Lane, Stockport, SK2 6BZ
|
2) Data Protection Officers contact details
|
Our Data Protection Officer is Paul Couldrey, Managing Director, PCDC. He can be contacted by emailing info@pcdc.org.uk
|
3) Purpose of the processing
|
There are occasions when medical data needs to be shared with Public Health England, the Local Authority Director of Public Health, or the Health Protection Agency, either under a legal obligation or for reasons of public interest or their equivalents in the devolved nations.
|
4) Lawful basis for processing
|
The legal basis will be
Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”
And
Article 9(2)(i) “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices,..”
|
5) Recipient or categories of recipients of the shared data
|
The data will be shared with Public Health England https://www.gov.uk/government/organisations/public-health-england and equivalents in the devolved nations.
|
6) Rights to object
|
You have the right to object to some or all of the information being shared with the recipients. Contact the Data Controller or the practice.
|
7) Right to access and correct
|
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
|
8) Retention period
|
The data will be retained for active use during the period of the public interest and according to legal requirements and Public Health England’s criteria on storing identifiable data https://www.gov.uk/government/organisations/public-health-england/about/personal-information-charter.
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/ or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
|
Privacy Notice – Research
Caritas GP Partnership
Plain English explanation
This practice participates in research. We will only agree to participate in any project if there is an agreed clearly defined reason for the research that is likely to benefit healthcare and patients. Such proposals will normally have a consent process, ethics committee approval, and will be in line with the principles of Article 89(1) of GDPR.
Research organisations do not usually approach patients directly but will ask us to make contact with suitable patients to seek their consent. Occasionally research can be authorised under law without the need to obtain consent. This is known as the section 251 arrangement 1. We may also use your medical records to carry out research within the practice.
You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the practice if you wish to object.
Details of the Research privacy notice
1) Data Controller contact details
|
Caritas GP Partnership, 131 Mile End Lane, Stockport, SK2 6BZ
|
2) Data Protection Officers contact details
|
Our Data Protection Officer is Paul Couldrey, Managing Director, PCDC. He can be contacted by emailing info@pcdc.org.uk
|
3) Purpose of the sharing
|
Medical research.
|
4) Lawful basis for processing or sharing
|
Identifiable data will be shared with researchers either with explicit consent or, where the law allows, without consent. The lawful justifications are;
Article 6(1)(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”
or
Article 6(1)(e) may apply “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
And in addition there are three possible Article 9 justifications.
Article 9(2)(a) – ‘the data subject has given explicit consent…’
or
Article 9(2)(j) – ‘processing is necessary for… scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’.
or
Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services...’
|
5) Recipient or categories of recipients of the shared data
|
The data will be shared with agreed and authorised research organisations
|
6) Rights to object
|
You do not have to consent to your data being used for research. You can change your mind and withdraw your consent at any time. Contact the Data Controller or the practice.
|
7) Right to access and correct
|
You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.
|
8) Retention period
|
The data will be retained for the period as specified in the specific research protocol(s).
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
|
1, Section 251 and the NHS Act, Health Research Authority.
https://www.dropbox.com/s/sekq3trav2s58xw/Official%20Section%20251%20guidance%20Health%20Research%20Authority.pdf?dl=0
Privacy Notice – Commissioning, Planning, risk stratification, patient identification
Caritas GP Partnership
Plain English explanation
The records we keep enable us to plan for your care.
This practice keeps data on you that we apply searches and algorithms to in order to identify from preventive interventions.
This means using only the data we hold or in certain circumstances linking that data to data held elsewhere by other organisations, and usually processed by organisations within or bound by contracts with the NHS.
If any processing of this data occurs outside the practice your identity will not be visible to the processors. Only this practice will be able to identify you and the results of any calculated factors, such as your risk of having a heart attack in the next 10 years or your risk of being admitted to hospital with a complication of chest disease
You have the right to object to our processing your data in these circumstances and before any decision based upon that processing is made about you. Processing of this type is only lawfully allowed where it results in individuals being identified with their associated calculated risk. It is not lawful for this processing to be used for other ill defined purposes, such as “health analytics”.
Despite this we have an overriding responsibility to do what is in your best interests. If we identify you as being at significant risk of having, for example a heart attack or stroke, we are justified in performing that processing.
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.
Details of the Commissioning, Planning, Risk Stratification, Patient Certification privacy notice
1) Data Controller contact details
|
Caritas GP Partnership, 131 Mile End Lane, Stockport, SK2 6BZ
|
2) Data Protection Officers contact details
|
Our Data Protection Officer is Paul Couldrey, Managing Director, PCDC. He can be contacted by emailing info@pcdc.org.uk
|
3) Purpose of the processing
|
The practice performs computerised searches of some or all of our records to identify individuals who may be at increased risk of certain conditions or diagnoses i.e. Diabetes, heart disease, risk of falling). Your records may be amongst those searched. This is often called “risk stratification” or “case finding”. These searches are sometimes carried out by Data Processors who link our records to other records that they access, such as hospital attendance records. The results of these searches and assessment may then be shared with other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.
|
4) Lawful basis for processing
|
The legal basis for this processing is
Article 6(1)(e); “necessary… in the exercise of official authority vested in the controller’
And
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”
We will recognise your rights under UK Law collectively known as the “Common Law Duty of Confidentiality”*
|
5) Recipient or categories of recipients of the shared data
|
The data will be shared for processing with a relevant authorised data processor and for subsequent healthcare with the local CCG, PCO, frailty service etc.
|
6) Rights to object
|
You have the right to object to this processing where it might result in a decision being made about you. That right may be based either on implied consent under the Common Law of Confidentiality, Article 22 of GDPR or as a condition of a Section 251 approval under the HSCA. It can apply to some or all of the information being shared with the recipients. Your right to object is in relation to your personal circumstances. Contact the Data Controller or the practice.
|
7) Right to access and correct
|
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
|
8) Retention period
|
The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
|
* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Privacy Notice – Care Quality Commission
Caritas GP Partnership
Plain English explanation
The Care Quality Commission (CQC) is an organisation established in English law by the Health and Social Care Act. The CQC is the regulator for English health and social care services to ensure that safe care is provided. They inspect and produce reports on all English general practices in a rolling 5 year program. The law allows CQC to access identifiable patient data as well as requiring this practice to share certain types of data with them in certain circumstances, for instance following a significant safety incident.
For more information about the CQC see: https://www.cqc.org.uk/
Details of Care Quality Commission privacy notice
1) Data Controller contact details
|
Caritas GP Partnership, 131 Mile End Lane, Stockport, SK2 6BZ
|
2) Data Protection Officers contact details
|
Our Data Protection Officer is Paul Couldrey, Managing Director, PCDC. He can be contacted by emailing info@pcdc.org.uk
|
3) Purpose of the processing
|
To provide the Secretary of State and others with information and reports on the status, activity and performance of the NHS. The provide specific reporting functions on indentified
|
4) Lawful basis for processing
|
The legal basis will be
Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”
And
Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”
|
5) Recipient or categories of recipients of the shared data
|
The data will be shared with the Care Quality Commission, its officers and staff and members of the inspection teams that visit us from time to time.
|
6) Rights to object
|
You have the right to object to some or all of the information being shared with NHS Digital. Contact the Data Controller or the practice.
|
7) Right to access and correct
|
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
|
8) Retention period
|
The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/ or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)
|
Privacy Notice – Payments
Caritas GP Partnership
Plain English explanation
Contract holding GPs in the UK receive payments from their respective governments on a tiered basis. Most of the income is derived from baseline capitation payments made according to the number of patients registered with the practice on quarterly payment days. These amount paid per patient per quarter varies according to the age, sex and other demographic details for each patient. There are also graduated payments made according to the practice’s achievement of certain agreed national quality targets known as the Quality and Outcomes Framework (QOF), for instance the proportion of diabetic patients who have had an annual review. Practices can also receive payments for participating in agreed national or local enhanced services, for instance opening early in the morning or late at night or at the weekends. Practices can also receive payments for certain national initiatives such as immunisation programs and practices may also receive incomes relating to a variety of non patient related elements such as premises. Finally there are short term initiatives and projects that practices can take part in. Practices or GPs may also receive income for participating in the education of medical students, junior doctors and GPs themselves as well as research2.
In order to make patient based payments basic and relevant necessary data about you needs to be sent to the various payment services. The release of this data is required by English laws1
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.
Details of Payments privacy notice
1) Data Controller contact details
|
Caritas GP Partnership, 131 Mile End Lane, Stockport, SK2 6BZ
|
2) Data Protection Officers contact details
|
Our Data Protection Officer is Paul Couldrey, Managing Director, PCDC. He can be contacted by emailing info@pcdc.org.uk
|
3) Purpose of the processing
|
To enable GPs to receive payments. To provide accountability.
|
4) Lawful basis for processing
|
The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”
And
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”
|
5) Recipient or categories of recipients of the processed data
|
The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.
|
6) Rights to object
|
You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance
|
7) Right to access and correct
|
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
|
8) Retention period
|
The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/ or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
|
1, NHS England’s powers to commission health services under the NHS Act 2006 or to delegate such powers to CCGs and the GMS regulations 2004 (73)1
2, For more information about payments the English GPs please see; https://digital.nhs.uk/NHAIS/gp-payments , https://digital.nhs.uk/catalogue/PUB30089 and https://www.nhshistory.net/gppay.pdf
Privacy Notice – NHS Digital
Caritas GP Partnership
NHS Digital is the secure haven* for NHS patient data, a single secure repository where data collected from all branches of the NHS is processed. NHS Digital provides reports on the performance of the NHS, statistical information, audits and patient outcomes (https://digital.nhs.uk/data-and-information). Examples include; A/E and outpatient waiting times, the numbers of staff in the NHS, percentage target achievements, payments to GPs etc and more specific targeted data collections and reports such as the Female Genital Mutilation, general practice appointments data and English National Diabetes Audits. GPs are required by the Health and Social Care Act to provide NHS Digital with information when instructed. This is a legal obligation which overrides any patient wishes. These instructions are called “Directions”. More information on the directions placed on GPs can be found at https://digital.nhs.uk/article/8059/NHS-England-Directions- and www.nhsdatasharing.info
Details of NHS Digital privacy notice
1) Data Controller contact details
|
Caritas GP Partnership, 131 Mile End Lane, Stockport, SK2 6BZ
|
2) Data Protection Officers contact details
|
Our Data Protection Officer is Paul Couldrey, Managing Director, PCDC. He can be contacted by emailing info@pcdc.org.uk
|
3) Purpose of the processing
|
To provide the Secretary of State and others with information and reports on the status, activity and performance of the NHS.
|
4) Lawful basis for processing
|
The legal basis will be
Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”
And
Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”
|
5) Recipient or categories of recipients of the shared data
|
The data will be shared with NHS Digital according to directions which can be found at https://digital.nhs.uk/article/8059/NHS-England-Directions-
|
6) Rights to object
|
You have the right to object to some or all of the information being shared with NHS Digital. Contact the Data Controller.
|
7) Right to access and correct
|
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
|
8) Retention period
|
The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/ or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
|
* The BMA has serious concerns regarding the status of NHS Digital as a “safe haven” and is not confident it has acted as a secure repository for patient data.
Privacy Notice – Summary Care Record
Caritas GP Partnership
All patients registered with a GP have a Summary Care Record, unless they have chosen not to have one. The information held in your Summary Care Record gives registered and regulated healthcare professionals, away from your usual GP practice, access to information to provide you with safer care, reduce the risk of prescribing errors and improve your patient experience.
Your Summary Care Record contains basic (Core) information about allergies and medications and any reactions that you have had to medication in the past.
Some patients, including many with long term health conditions, previously have agreed to have Additional Information shared as part of their Summary Care Record. This Additional Information includes information about significant medical history (past and present), reasons for medications, care plan information and immunisations.
Change to information held in your Summary Care Record
During the pandemic, the Department of Health and Social Care removed the requirement for a patient’s prior explicit consent to share Additional Information as part of the Summary Care Record.
This is because the Secretary of State for Health and Social Care issued a legal notice to healthcare bodies requiring them to share confidential patient information with other healthcare bodies where this is required to diagnose, control and prevent the spread of the virus and manage the pandemic. This included sharing Additional Information through Summary Care Records, unless a patient objected to this.
If you have already expressed a preference to only have Core information shared in your Summary Care Record, or to opt-out completely of having a Summary Care Record, these preferences will continue to be respected and this change will not apply to you. For everyone else, the Summary Care Record will be updated to include the Additional Information.
This change will be continued after the coronavirus (COVID-19) pandemic period.
Why we have made this change
In order to look after your health and care needs, health and social care bodies may share your confidential patient information contained in your Summary Care Record with clinical and non-clinical staff in other health and care organisations, for example hospitals, NHS 111 and out of hours organisations. These changes will improve the healthcare that you receive away from your usual GP practice.
Your choices in relation to your Summary Care Record
Regardless of your past decisions about your Summary Care Record preferences, you will still have the same options that you currently have in place to opt out of having a Summary Care Record, including the opportunity to opt-back in to having a Summary Care Record or opt back in to allow sharing of Additional Information.
You can exercise these choices by doing the following:
- Choose to have a Summary Care Record with all information shared. This means that any authorised, registered and regulated health and care professionals will be able to see a detailed Summary Care Record, including Core and Additional Information, if they need to provide you with direct care.
- Choose to have a Summary Care Record with Core information only. This means that any authorised, registered and regulated health and care professionals will be able to see limited information about allergies and medications in your Summary Care Record if they need to provide you with direct care.
- Choose to opt-out of having a Summary Care Record altogether. This means that you do not want any information shared with other authorised, registered and regulated health and care professionals involved in your direct care. You will not be able to change this preference at the time if you require direct care away from your GP practice. This means that no authorised, registered and regulated health and care professionals will be able to see information held in your GP records if they need to provide you with direct care, including in an emergency.
To make these changes, you should inform your GP practice or complete this form and return it to your GP practice.
Details of Summary Care Record privacy notice
1) Data Controller contact details
|
Caritas GP Partnership, 131 Mile End Lane, Stockport, SK2 6BZ
|
2) Data Protection Officers contact details
|
Our Data Protection Officer is Paul Couldrey, Managing Director, PCDC. He can be contacted by emailing info@pcdc.org.uk
|
3) Purpose of the processing
|
Upload of basic and detailed additional SCR data
|
4) Lawful basis for processing
|
The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*
|
5) Recipient or categories of recipients of the processed data
|
The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.
|
6) Rights to object
|
You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance
|
7) Right to access and correct
|
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
|
8) Retention period
|
The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
|
* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Privacy Notice – Stockport Health and Care Record
Caritas GP Partnership
The Stockport Health & Care Record (SHCR) brings together information from health and care services in Stockport. The main benefit of having a Stockport Health & Care Record is that it will ensure that the health and care professionals helping you will have access to all the information they need quickly so that they can make better, more informed decisions for you. You can be reassured that the record is kept on a secure database and never sent to organisations not involved in your care. Access to the record is restricted to professionals working within Stockport who are directly involved in your care, and is only accessed with your consent. If an emergency situation arises timely access to your health records and medical history will ensure that the professional treating you will at a glance have a complete picture of your care in order to make the best decisions about your diagnosis, treatment and care plan. Your Stockport Health and Care record includes information like test results, medications, allergies and social care or mental health information relevant to you. You can choose whether or not to have a Stockport Health & Care Record. If you choose to have this, you do not need to do anything, this will happen automatically. If you choose not to have a Stockport Health Record, please inform your surgery.
As well as this basic record additional information can be added, and this can be far reaching and detailed. However, whereas the basic data is uploaded automatically any additional data will only be uploaded if you specifically request it and with your consent.
The Stockport Health and Care Record can only be viewed within the NHS on NHS smartcard controlled screens.
You have the right to object to our sharing your data in these circumstances and you can ask your GP to block uploads.
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.
Details of Stockport Health and Care Record privacy notice
1) Data Controller contact details
|
Caritas GP Partnership, 131 Mile End Lane, Stockport, SK2 6BZ
|
2) Data Protection Officers contact details
|
Our Data Protection Officer is Paul Couldrey, Managing Director, PCDC. He can be contacted by emailing info@pcdc.org.uk
|
3) Purpose of the processing
|
Upload of basic and detailed additional SHCR data
|
4) Lawful basis for processing
|
The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*
|
5) Recipient or categories of recipients of the processed data
|
The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.
|
6) Rights to object
|
You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance
|
7) Right to access and correct
|
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
|
8) Retention period
|
The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/ or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
|
* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Privacy Notice – GPs as Employers
Caritas GP Partnership
As employers we need to keep certain information so that we can remain your employer and manage payments. This is a combination of personal and financial information. We are required by law to hold certain types of data on those we employ under the Health and Social Care Act and this data is examined during CQC inspection visits. For more information about the CQC see: https://www.cqc.org.uk/
We are also required to share information about you with NHS Digital under a submission known as the “Workforce Minimum Dataset”. To fnd out more visit https://digital.nhs.uk/data-and-information/areas-of-interest/workforce/workforce-minimum-data-set-wmdsWe are also required by HMRC and various taxation laws, such as “The Income Tax (Pay As You Earn) Regulations 2003” to keep financial records.
Details of GPs as Employers privacy notice
1) Data Controller contact details
|
Caritas GP Partnership, 131 Mile End Lane, Stockport, SK2 6BZ
|
2) Data Protection Officers contact details
|
Our Data Protection Officer is Paul Couldrey, Managing Director, PCDC. He can be contacted by emailing info@pcdc.org.uk
|
3) Purpose of the processing
|
To comply with the Health and Social Care Act and taxation law.
|
4) Lawful basis for processing
|
The legal basis will be
Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”
And
Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”
|
5) Recipient or categories of recipients of the shared data
|
The data will be shared with the Care Quality Commission, its officers and staff and members of the inspection teams that visit us from time to time. Financial data will also be shared with HMRC.
|
6) Rights to object
|
You have the right to object to some or all of the information being shared with CQC. Contact the Data Controller or the practice. There is no right to have UK taxation related data deleted except after certain statutory periods.
|
7) Right to access and correct
|
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have records deleted except when ordered by a court of Law.
|
8) Retention period
|
The data will be retained for active use during the processing and thereafter according to NHS Policies, taxation and employment law.
|
9) Right to Complain.
|
You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/ or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
|
Job Applicant Privacy Notice
Caritas GP Partnership
As part of any recruitment process, the practice collects and processes personal data relating to job applicants and is committed to being transparent about how it collects and uses that data in line with data protection legislation.
What information does the practice collect?
The practice collects a range of information about you. This includes:
- your name, address and contact details, including email address and telephone number;
- details of your qualifications, skills, experience and employment history;
- information about your current level of remuneration, including benefit entitlements;
- whether or not you have a disability for which the practice needs to make reasonable adjustments during the recruitment process;
- information about your entitlement to work in the UK; and
- equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief;
The practice collects this information in a variety of ways, such as:
- Application forms:
- CVs or resumes;
- Copies of your passport and other identity documents;
- Information collected through interviews or other forms of assessment
The practice will also collect personal data about you from third parties, such as:
- References supplied by former employers;
- Information from employment background check providers and information from criminal records checks;
- The practice may seek information from third parties only once a job offer to you has been made and will inform you that it is doing so.
Data will be stored in a range of different places, including:
- Your application record;
- HR management systems;
- IT systems (including email).
Why does the practice process personal data?
The practice needs to process data to take steps at your request prior to entering into a contract with you. It also needs to process your data to enter into a contract with you.
The practice needs to process data to ensure that it complies with its legal obligations such as being required to check a successful applicant's eligibility to work in the UK before employment starts.
The practice has a legitimate interest in processing personal data during the recruitment process and for keeping records of the process. Processing data from job applicants allows the practice to:
- Manage the recruitment process;
- Assess and confirm a candidate's suitability for employment;
- Decide to whom to offer a job;
- Respond to and defend against legal claims.
Where the practice relies on legitimate interests as a reason for processing data, it will consider whether or not those interests are overridden by the rights and freedoms of applicants, employees or workers.
The practice will process health information if it needs to make reasonable adjustments to the recruitment process for candidates who have a disability. This is to carry out its obligations and exercise specific rights in relation to employment. Where the practice processes other special categories of data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is for equal opportunities monitoring purposes.
The practice is obliged to seek information about criminal convictions and offences in line with NHS Employers guidelines on criminal records checks, which you can read at: https://www.nhsemployers.org/your-workforce/recruit/employment-checks/criminal-record-check.
Who has access to data?
Your information will be shared internally for the purposes of the recruitment exercise. This includes:
- Interviewers involved in the recruitment process
- Managers in the area with a vacancy
- IT staff
The practice will not share your data with third parties, unless your application for employment is successful and it makes you an offer of employment. The practice will then share your data with former employers to obtain references for you, employment background check providers to obtain necessary background checks and the Disclosure and Barring Service to obtain necessary criminal records checks.
The practice will not transfer your data outside the European Economic Area.
How does the practice protect data?
The practice takes the security of your data seriously. Internal policies and controls are in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.
For how long does the practice keep data?
If your application for employment is unsuccessful, the practice will hold your data on file for no longer than six months after the end of the relevant recruitment process. At the end of that period your data is deleted or destroyed.
If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held will be provided to you in a new privacy notice.
Your rights
As a data subject, you have a number of rights. You can:
- access and obtain a copy of your data on request;
- require the practice to change incorrect or incomplete data;
- require the practice to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
- object to the processing of your data where the practice is relying on its legitimate interests as the legal ground for processing; and
- ask the practice to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override the practice's legitimate grounds for processing data.
If you would like to exercise any of these rights, please contact the Practice Manager.
If you believe that the practice has not complied with your data protection rights, you can complain to the Information Commissioner.
What if you do not provide personal data?
You are under no statutory or contractual obligation to provide data to the practice during the recruitment process. However, if you do not provide the information, the practice may not be able to process your application properly or at all.
Automated decision-making
The practice does not use any form of automated decision making during the recruitment process.
Privacy Notice – GP Connect
Caritas GP Partnership
Plain English explanation: The GP Connect service allows GP practices and clinical staff to share GP Practice clinical information and data between IT systems, quickly and efficiently via Application Programming Interfaces (APIs).
Details of GP Connect privacy notice
1) Data Controller contact details |
Caritas GP Partnership, 131 Mile End Lane, Stockport, SK2 6BZ |
2) Data Protection Officers contact details |
Our Data Protection Officer is Paul Couldrey, Managing Director, PCDC. He can be contacted by emailing info@pcdc.org.uk |
3) Purpose of the processing |
NHS Digital has been directed under Section 254 of the Health and Social Care Act 2012 by the Department of Health and Social Care to establish and operate the GP Connect Service. Read the signed Direction - Establishment of systems: digital interoperability platform 2019.
To comply with the Direction, NHS Digital is a Controller for the delivery of the GP Connect Service, which means NHS Digital is responsible for establishing and maintaining a service which enables interoperability between GP IT systems. For NHS Digital to support the GP Connect service, Audit data about the message transactions is collected, which is used for operational support by service management. NHS Digital is a Controller for the message Audit data collected on Spine.
To fulfil the role of Controller, NHS Digital is also responsible for the content of the messages as they traverse NHS Digital Infrastructure, and ensuring that they are passed securely, accurately and safely to and from provider and consumer systems for the purposes of Direct Patient Care. The content of the messages is not collected or stored by NHS Digital. NHS Digital processes the messages on behalf of the GP practices, who are Controllers of the GP patient record. |
4) Lawful basis for processing |
In order for your Personal Data to be shared or processed, an appropriate “legal basis” needs to be in place and recorded. The legal bases for direct care via GP Connect is the same as the legal bases for the care you would receive from your own GP, or another healthcare provider:
- for the processing of personal data: Article 6.1 (e) of the UK GDPR: “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
- for the processing of “Special Category Data” (which includes your medical information): Article 9.2 (h) of the UK GDPR: “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services”.
|
5) Recipient or categories of recipients of the processed data |
We use a facility called GP Connect to support your direct care. GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patients care, leading to improvements in both care and outcomes. GP Connect is not used for any purpose other than direct care.
Authorised Clinicians such as GPs, NHS 111 Clinicians, Care Home Nurses (if you are in a Care Home), Secondary Care Trusts, Social Care Clinicians are able to access the GP records of the patients they are treating via a secure NHS Digital service called GP connect.
The NHS 111 service (and other services determined locally e.g. Other GP practices in a Primary Care Network) will be able to book appointments for patients at GP practices and other local services. |
6) Your rights |
Because the legal bases used for your care using GP Connect are the same as used in other direct care situations, the legal rights you have over this data under UK GDPR will also be the same- these are listed elsewhere in our privacy notice. |
8) Retention period |
The data will be retained in line with the law and national guidance. https://www.nhsx.nhs.uk/information-governance/guidance/records-management-code/ |
9) Right to Complain. |
You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate) |
Privacy Notice – Call recording
Which calls does this refer to?
This could include any incoming or outgoing telephone calls that are handled by Caritas GP Partnership.
Why are calls recorded?
It has become common practice to record calls due to the growth of business conducted by telephone. Recording conversations allows organisations to assess customer satisfaction, train and develop staff, review call quality, and have access to a verbal record of what is said in the event of a subsequent complaint. It also hopefully means employees feel more protected knowing that any threatening behaviour can be evidenced and acted upon where necessary.
How will call recordings be used?
- Quality monitoring. Written records only provide partial information. A call recording provides a more rounded view and allows us to better understand patient experience and assess the processes applied. This can help us identify any improvement areas.
- Training and Development. Listening to a sample number of calls, allows managers to identify training needs. Sample scenarios are based on the recordings, but any transcripts are anonymised.
- Gaining a better understanding of our customers – Many calls are verbally resolved without the need to complete any records. Listening to sample calls will help us better understand our patients’ needs and gain a more informed view of organisations we signpost to.
- Complaints and disputes. Some calls are verbally resolved. Where information is entered onto an electronic system this becomes the established record. In the event of a complaint or dispute, a call recording (if available), may provide additional information to help us investigate any allegations.
The Practice has a Data Protection Officer who is Paul Couldrey, Managing Director, PCDC and can be contacted on nfo@pcdc.org.uk
How have we informed our customers that we record calls?
Patients who ring the Practice will hear the following message:
‘All calls are recorded for training and monitoring purposes’
Can I request a copy of my call recording?
Call recordings are destroyed after 3 years. If the recording is available, you can request a copy of your conversation by contacting the Practice: gmicb-sto.p88013-admin@nhs.net
This will be provided to you in accordance with the terms of the Data Protection Act 2018 and treated as a Subject Access Request.