GDPR Privacy Notice for Patients
The Oaks Medical Centre
Data Protection Officer
Dr I Galea
How and why we keep information about you and how you can choose who sees it
The General Data Protection Regulation (GDPR) is a single EU-wide regulation on the protection of confidential and sensitive information. It became law on 24th May 2016 and it enters into force in the UK on the 25th May 2018, repealing the Data Protection Act (1998). For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) and the Data Protection Act 2018 (currently in Bill format before Parliament)), the practice responsible for your personal data is The Oaks Medical Centre (data controller).
This Notice describes how we collect, use and process your personal data, and how, in doing so, we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.
How we use your information and the law
The Oaks Medical Centre is what’s known as the ‘Controller’ of the personal data you provide to us.
We collect basic personal data about you which does not include any special types of information or location-based information. This does, however, include your name, address and contact details such as emails and mobile numbers.
During the services we provide to you, and/or linked to your healthcare through other health providers or third parties, we will also collect sensitive confidential data known as “special category personal data”. This is in the form of health information, religious belief (if required in a healthcare setting), ethnicity, and sex.
Why do we collect information about you?
In order to support your care, health professionals maintain records about you. We take great care to ensure your information is kept securely, is up to date and accurate, and is used appropriately. All of our Practice staff are fully trained to understand their legal and professional obligations to protect your information and will only look at your information if they need to. They will only look at what they need to in order to do things like book you an appointment, give general health advice, provide you with care and, if necessary, refer you on to other services.
The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.
NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure.
What information do we hold about you?
- Your DOB/age, contact details including address and telephone numbers, and next of kin
- Carers, emergency contacts, legal representative
- Details of your appointments, clinic visits etc.
- Records about your health, illness, treatment and care
- Results of investigations, like laboratory tests, x-rays, etc.
- Information from other health professionals, relatives or those who care for you
Your records are used to facilitate the care you receive to ensure you are provided with the best possible care. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided.
How do we lawfully use your data?
We need to know your personal, sensitive and confidential data in order to provide you with healthcare services as a General Practice. Under the General Data Protection Regulation we will be lawfully using your information in accordance with:
- Article 6, “(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;”
- Article 9, “(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems”.
This Privacy Notice applies to the personal data of our patients and the data you have given us about your carers/family members.
When is your information shared?
We will only use or pass on information about you to other health professionals to support your care. If we feel that it is in your best interests to share your information with someone else, e.g. Social Care or a Voluntary Organisation that could support you, we will ask your permission to do so. Everyone who has access to your information is required by law to keep it confidential. We will not disclose your information to anyone else without your permission unless in exceptional circumstances, e.g. a life or death situation. We are also required by law to share certain information such as the birth of a new baby, infectious diseases that may put you or others at risk, or where a Court has decided we must.
Who are our partner organisations?
We may share your information, subject to strict agreements on how it will be used, with the following organisations:
- NHS Trusts / Foundation Trusts (hospitals)
- NHS Commissioning Support Units
- Independent Contractors such as dentists, opticians, pharmacists
- Private Sector Providers
- Voluntary Sector Providers
- Clinical Commissioning Groups
- Social Care Services
- Community care services
- NHS England (NHSE) and NHS Digital (NHSD)
- Fire and Rescue Services
- Police & Judicial Services
- Other ‘data processors’ which you will be informed of
You will be informed who your data will be shared with and, in some cases, asked for consent for this to happen when this is required.
You have the choice to share or not to share
You can ask for all or some of your information not to be shared outside of the practice. If you decide not to share at all, this will not affect your entitlement to care. However, it may result in the delivery of your care being less efficient, as other health professionals will not see your full medical history. If you have any concerns about how your information is shared or held, please contact the Practice Manager. If you do not wish to share your information outside the practice, please ask reception for an opt-out form.
How your records are stored
Our practice uses an electronic clinical records programme called Emis, which is where all of your information will be stored unless we hold paper records about you, which will remain on paper (see next section). Other services that use Emis will ask your permission to see your information when they first see you. All access to Emis is controlled via NHS smartcards and password. The data is stored off site in an NHS secure location and is not available on the computers without access via a smartcard.
We also have archived paper records. These are stored in a secure records room in the surgery that can only be accessed by staff with appropriate security access. Information from these records is summarised onto the clinical IT system.
All the personal data we process is processed by our staff in the UK; however, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.
No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place. We have a Data Protection regime in place to oversee the effective and secure processing of your personal and/or special category (sensitive, confidential) data.
We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records Management Code of Practice for health and social care and national archives requirements. More information on records retention can be found online at https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016.
Right to portability
When you leave our surgery, your electronic records are closed and cannot be accessed by surgery staff without valid reasons, and are transferred securely via the IT GP to GP process. Your paper records are sent back to PCSE (primary care services England) for onward transportation to your new practice.
Access to your health information
You have a right to access or view information the practice holds about you, and to have it amended or removed should it be inaccurate. You can make what is called a ‘Subject Access Request’ and we will:
- describe the information we hold about you
- tell you why we are holding that information
- tell you who it might be shared with
- at your request, provide a copy of the information in an easy to read form
There is no charge to have a copy of the information held about you.
If you would like to make a ‘Subject Access Request’, you can make the request electronically, in person, or by completing our access request form held at reception.
Can my information be used for any other reason?
The NHS currently uses your information in an anonymous and safe way to:
- protect the health of the public
- help us anticipate, plan and provide care
- audit and monitor the quality of services provided
Information used for these purposes will not identify you, but if you would like further details about this, or if you do not want us to use your information in this way, please contact the Data Protection Officer/Practice Manager.
What should you do if your personal information changes?
You should tell us so that we can update our records. Please contact the surgery as soon as any of your details change; this is especially important for changes of address or contact details (such as your mobile phone number). The practice will from time to time ask you to confirm that the information we currently hold is accurate and up to date.
Objections / Complaints
If you are happy for your data to be extracted and used for the purposes described in this privacy notice, then you do not need to do anything. If you have any concerns about how your data is managed or shared, then please contact the Practice Data Protection Officer. If you are still unhappy following a review by the GP practice, you have a right to lodge a complaint with a supervisory authority. The UK supervisory authority is as below.
Tel: 01625 545745