Data Protection

GDPR
What is GDPR?
GDPR stands for General Data Protection Regulations and is a new piece of legislation that will supersede the Data Protection Act. It will not only apply to the UK and EU; it covers anywhere in the world in which data about EU citizens is processed.
The GDPR is similar to the Data Protection Act (DPA) 1998 (which the practice already complies with), but strengthens many of the DPA’s principles. The main changes are:
- Practices must comply with subject access requests
- Where we need your consent to process data, this consent must be freely given, specific, informed and unambiguous
What is patient data?
Patient data is information that relates to a single person, such as his/her diagnosis, name, age, earlier medical history etc.
What is consent?
Consent is permission from a patient – an individual’s consent is defined as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”
The changes in GDPR mean that we must get explicit permission from patients when using their data. This is to protect your right to privacy, and we may ask you to provide consent to do certain things, like contact you or record certain information about you for your clinical records.
What GDPR will mean for patients
The GDPR sets out the key principles about processing personal data, for staff or patients:
- Data must be processed lawfully, fairly and transparently
- It must be collected for specific, explicit and legitimate purposes
- It must be limited to what is necessary for the purposes for which it is processed
- Information must be accurate and kept up to date
- Data must be held securely
- It can only be retained for as long as is necessary for the reasons it was collected
There are also stronger rights for patients regarding the information that practices hold about them. These include:
- The right to be informed about how their data is used
- The right to access their own data
- The right to have incorrect information corrected
- The right to restrict how their data is used
- The right to move their patient data from one health organisation to another
- The right to object to their patient information being processed (in certain circumstances)
Children - Guidance on Processing or Access to Data
- Children need particular protection when collecting and processing personal data because they may be less aware of the risks involved.
- When processing children’s personal data, care needs to be taken in order to protect them from the outset, and practice systems and processes are designed with this in mind.
- Compliance with the data protection principles, and in particular fairness, applies to all processing of children’s personal data.
- There needs to be a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Sometimes using an alternative basis is more appropriate and provides better protection for children.
- If relying on consent as the lawful basis for processing personal data when offering an online service directly to a child, only children aged 13 or over are able to provide their own consent. (This is the age proposed in the Data Protection Bill and is subject to Parliamentary approval.)
- For children under this age consent needs to be obtained from whoever holds parental responsibility for the child - unless the online service you offer is a preventive or counselling service.
- Decisions based solely on automated processing about children should not be made if this will have a legal or similarly significant effect on them.
- Clear privacy notices must be provided for children so that they are able to understand what will happen to their personal data, and what rights they have.
- Children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased.
- An individual’s right to erasure is particularly relevant if they gave their consent to processing when they were a child.
Bases for processing a child’s personal data
When relying on consent, we make sure that the child understands what they are consenting to, and we do not exploit any imbalance in power in the relationship between us.
When relying on ‘necessary for the performance of a contract’, we consider the child’s competence to understand what they are agreeing to, and to enter into a contract.
When relying upon ‘legitimate interests’, we take responsibility for identifying the risks and consequences of the processing, and put age-appropriate safeguards in place.
Subject Access Request Policy
This policy provides the Practice with a process for the management of requests for personal information (for living individuals) under the Data Protection Act (DPA), the General Data Protection Regulations (GDPR) and (for deceased individuals) the Access to Health Records Act 1990.
It defines a process for achieving legislative requirements and ensuring effective and consistent management of such requests.
The policy ensures that all staff are aware of how a subject access request should be made and how to respond to one quickly. Under the Data Protection Act, subject to certain conditions, an individual is entitled to be:
- Told whether any personal data is being processed
- Given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people
- Given a copy of the information comprising the data
- Given details of the source of the data (where this is available)
The Data Protection Act extends equally to all relevant records relating to living individuals, including records held in the private health sector and health professionals’ private practice records.
Who can make an Access Request?
An application for access to personal data may be made to the Practice by any of the following:
- An individual
- A person authorised by the individual in writing to make the application on the individual’s behalf, e.g. solicitor, family member, carer
- A person having parental responsibility for the individual where he/she is a child
- A person appointed by a court to manage the affairs of an individual who is deemed incompetent
- Individuals who hold a health and welfare Lasting Power of Attorney
- Where the individual has died, the personal representative and any person who may have a claim arising out of the individual’s death (the executor of the deceased’s will; someone who has been appointed as an Administrator of the Estate by the Courts; someone who has the written consent of either of the above to be given access; someone who is in the process of challenging the deceased’s will)
Police Requests
Police may, on occasion, request access to the personal data of individuals. Whilst there is an exemption in the Data Protection Act which permits the Practice to disclose information to support the prevention and detection of crime, the Police have no automatic right of access; they can, however, obtain a Court Order.
Solicitor Requests
A patient can authorise their solicitor or another third party to make a SAR. As long as the solicitor has provided the patient’s written consent to authorise access to the records, the SAR process should be followed as usual.
Insurance Requests
Insurance companies, however, do not have the same privileges to access patient records. The ICO has said that insurance companies using SARs to obtain full medical records is an abuse of the process (the DPA 2018 still says that information must be adequate, relevant and not excessive in relation to the purpose for which the data is processed).
It is a criminal offence to make a SAR to access information about individuals’ convictions and cautions; the law sets out various levels of fines, and a clause in the DPA 2018 will soon be enacted to extend this to cover medical records. If you suspect that a SAR from an insurer is not relevant or is excessive, it should be reported to the ICO and the Association of British Insurers.
Requests relating to children/young persons
Parental responsibility for a child is defined in the Children Act 1989 as ‘all the rights, duties, powers, responsibilities and authority, which by law a parent of a child has in relation to a child and his property’. Although not defined specifically, responsibilities would include safeguarding and promoting a child’s health, development and welfare, including, if relevant, their employment records. Included in the parental rights which would fulfil the parental responsibilities above are:
- having the child live with the person with responsibility, or having a say in where the child lives
- if the child is not living with her/him, having a personal relationship and regular contact with the child
- controlling, guiding and directing the child’s upbringing.
Foster parents are not ordinarily awarded parental responsibility for a child. It is more likely that this responsibility rests with the child’s social worker and appropriate evidence of identity should be sought in the usual way.
The law regards young people aged 16 or 17 to be adults for the purposes of consent to employment or treatment and the right to confidentiality. Therefore, if a 16-year-old wishes HR or a medical practitioner to keep their information confidential, that wish must be respected.
In certain cases, children under the age of 16 who have the capacity and understanding to take decisions about their own treatment are also entitled to decide whether personal information may be passed on and generally to have their confidence respected.
Where a child is considered capable of making decisions, e.g. about his/her employment or medical treatment, the consent of the child must be sought before a person with parental responsibility may be given access. Where, in the view of the appropriate professional, the child is not capable of understanding the nature of the application, the holder of the record is entitled to deny access if it is not felt to be in the patient’s best interests.
The identity and consent of the applicant must always be established.
The applicant does not have to give a reason for applying for access.
The Practice is a Data Controller and can only provide information held by the organisation. Data controllers in their own right must be applied to directly; the Practice will not transfer requests from one organisation to another.
Application
Individuals wishing to exercise their right of access should:
- Make a written application to the Practice holding the records, including via email
- Provide such further information as the Practice may require to sufficiently identify the individual
An individual may also raise a request using the form in Appendix A; however, this is not mandatory.
The Practice as “data controller” is responsible for ascertaining the purpose of the request and the manner in which the information is supplied.
Fees and Response Time
Under GDPR the Practice must provide information free of charge. However, we can charge a “reasonable fee” when a request is manifestly unfounded or excessive, particularly if it is repetitive.
The fee must be based on the administrative cost of providing the information only.
The request should initially be passed to the Data Protection Officer, who will manage the Subject Access Request.
If the request involves creating a medical report or interpreting the information in an existing medical record or report, then this would be a request under the Access to Medical Reports Act (AMRA). Unlike a Subject Access Request, these requests will require new material to be created. This would mean that a fee is payable in such circumstances.
Appendix A to this policy prompts the applicant to clarify whether they wish to make this type of request.
The request must be complied with without delay and in any case within one calendar month of receipt of the request. This period can be extended by a further two months where requests are complex or numerous; however, the Practice must inform the individual within one month of receipt of the request and explain why the extension is necessary.
The identity of an individual who provided/recorded information should not be disclosed, nor should the identity of any other person/s referred to in the record(s) of the individual requesting access, unless explicit consent has been given.
Privacy Notice
How we use your information
This privacy notice explains why the GP Practice collects information about you, and how that information may be used.
As data controllers, GPs have fair processing responsibilities under the Data Protection Act 1998. This means ensuring that your personal confidential data (PCD) is handled in ways that are safe, transparent and what you would reasonably expect.
Health care professionals maintain records about your health and any treatment or care you have received within the NHS (e.g. NHS Hospital Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide the best possible healthcare.
NHS health records may be processed electronically, on paper or a mixture of both, and a combination of working practices and technology is used to ensure that your information is kept confidential and secure. Records held by this GP Practice may include the following information:
- Details about you, such as address and next of kin
- Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations, such as laboratory tests, x-rays, etc.
- Relevant information from other health professionals, relatives or those who care for you
This GP Practice collects and holds data for the sole purpose of providing healthcare services to our patients and we will ensure that information is kept confidential.
We can disclose personal information if:
- It is required by law
- You consent – either implicitly for the sake of your own care or explicitly for other purposes
- It is justified in the public interest
Some of this information will be held centrally and used for statistical purposes. Where we hold data centrally, we take strict measures to ensure that individual patients cannot be identified.
On some occasions it may be necessary to undertake clinical audits of records to ensure that the best possible care has been provided to you or to prevent the spread of infectious disease; wherever possible this will be done in anonymised form.
Sometimes information about you may be requested for research purposes.
The Practice will always endeavour to gain your consent before releasing the information.
Any patient can choose to withdraw their consent to their data being used in this way.
Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care.
When the Practice is about to participate in any new data-sharing scheme we will make patients aware by displaying prominent notices in the surgery and on our website before the scheme is due to start. We will also explain clearly what you have to do to ‘opt-out’ of each new scheme.
A patient can object to their personal information being shared with other healthcare providers, but if this limits the treatment they can receive, the doctor will explain this to them at the time.
Risk Stratification
Risk stratification is a process for identifying and managing patients who are at a higher risk of emergency hospital admission.
Typically this is because patients have a long term condition such as COPD or cancer.
NHS England encourages GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help prevent avoidable admissions.
Information about you is collected from a number of sources including NHS ICBs (Trusts) and from this GP Practice.
A risk score is then arrived at through an analysis of your anonymous information using computer programmes.
Your information is only provided back to your GP or member of your care team in an identifiable form.
Risk stratification enables your GP to focus on the prevention of ill health and not just the treatment of sickness.
If necessary your GP may be able to offer you additional services.
Please note that you have the right to opt out of Risk Stratification.
Should you have any concerns about how your information is managed, or wish to opt out of any data collection at the Practice, please contact the Practice Manager or your healthcare professional to discuss how the disclosure of your personal information can be restricted.
All patients have the right to change their minds and reverse a previous decision.
Please contact the practice if you change your mind regarding any previous choice.
Invoice Validation
If you have received treatment within the NHS, access to your personal information may be required in order to determine which Clinical Commissioning Group should pay for the treatment or procedure you have received.
This information would most likely include information such as your name, address, date of treatment and may be passed on to enable the billing process. These details are held in a secure environment and kept confidential. This information will only be used to validate invoices, and will not be shared for any further purposes.
NHS Health Checks
All of our patients aged 40-74 not previously diagnosed with cardiovascular disease are eligible to be invited for an NHS Health Check. Nobody outside the healthcare team in the practice will see confidential information about you during the invitation process and only contact details would be securely transferred to a data processor. You may be given the chance to attend your health check either within the practice or at a community venue. If your health check is at a community venue all data collected will be securely transferred back into the practice system and nobody outside the healthcare team in the practice will see confidential information about you during this process.
How do we maintain the confidentiality of your records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 1998 (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security.
All of our staff, contractors and committee members receive appropriate and ongoing training to ensure they are aware of their personal responsibilities, and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Only a limited number of authorised staff have access to personal information, where it is appropriate to their role and strictly on a need-to-know basis.
We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.
Who are our partner organisations?
We may also have to share your information, subject to strict agreements on how it will be used. The following are examples of the types of organisations that we are likely to share information with:
- NHS and specialist hospitals, Trusts
- Independent Contractors such as dentists, opticians, pharmacists
- Private and Voluntary Sector Providers
- Ambulance Trusts
- Clinical Commissioning Groups and NHS England
- Social Care Services and Local Authorities
- Education Services
- Police, Fire and Rescue Services
- Other ‘data processors’ during specific project work e.g. Diabetes UK
Access to personal information
You have a right under the Data Protection Act 1998 to access/view information the Practice holds about you, and to have it amended or removed should it be inaccurate. This is known as “the right of subject access”.
If we do hold information about you we will:
- give you a description of it;
- tell you why we are holding it;
- tell you who it could be disclosed to; and
- let you have a copy of the information in an intelligible form.
If you would like to make a ‘subject access request’, please contact the Practice Manager in writing.
Further copies of medical records may incur a charge.
Any changes to this notice will be published on our website and on the Practice notice board.
The Practice is registered as a data controller under the Data Protection Act 1998. The registration number is ZA321622 and can be viewed online in the ICO’s public register (Search the register | ICO).
Practice Data Protection Officer: Umar Sabat (IG Health)
Practice Caldicott Guardian: Dr Joy Nwufoh (Senior Partner)
Practice IG Lead: Milaine Borthwick-Ezekiel (Practice Manager)
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- UK General Data Protection Regulation 2021
- Data Protection Act 2018
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- Health and Social Care Act 2012
- Access to Health Records Act 1990
- NHS Codes of Confidentiality and Information
- Information: To Share or Not to Share Review
Please visit NHS England Digital (formerly known as Health and Social Care Information Centre) website for further information about their work.
