Fair Processing Notice

St James Medical Centre – Your information, what you need to know

 (If you want to speak to us about your data, please see our contact page)

This notice describes why we collect information about you, how your information will be used and your rights in respect of your data.

Why we collect information about you

Your records are used to ensure you get the best possible care.  Your information helps them to make the best decisions about your care and helps provide you with proactive advice and guidance.  Important information is also collected to help us to remind you about specific treatment which you might need, such as health checks, immunisations for children and reminders for screening appointments.  We work with other NHS services to co-ordinate these.

Information held about you may be used to help protect the health of the public and to help us to improve NHS services. Information may be used within the GP practice to monitor the quality of the service provided (known as ‘clinical audit’).

What data do we collect and receive about you?

Records are stored electronically and on paper and include personal details about you such as your address, carers, legal representatives, emergency contact details, as well as:

  • Any appointments, visits, emergency appointments
  • Notes and reports about your health
  • Details about your diagnosis, treatment and care
  • Details about any medication you are taking
  • Results of investigations such as laboratory tests, x-rays
  • Relevant information from health  and care professionals, relatives or carers

We also receive information from other organisations that are caring for you that we hold in your record.  This will include letters and test results.

How we use your information:  For providing your care

Prescriptions

Where you have agreed we will send information on your prescriptions to pharmacies, either by electronic systems or by paper.

 

Test requests and results

Where we undertake tests on you, such as blood tests, we will send the sample and details of the tests we are requesting to the most appropriate pathology laboratory.  The data shared with the laboratory will include your NHS number, name, the type of test requested and any health information relevant to doing the test and producing the result or report.  We will receive the test results back from the laboratory electronically and these will be stored in your patient record.

Extended services and out of hours

We work closely with neighbouring practices and ‘out of hours’ providers including NHS 111 to ensure that if you need care from a doctor outside of normal hours that they have access to your records when needed to give you the best possible care.  This may be delivered over the phone or via video consultation as appropriate.  Services may be run by ‘GP Federations’ and ‘Primary Care Networks’.

Patient referrals

With your agreement, your GP or Nurse may refer you to other services not provided by the practice, or they may work with other services to provide your care in the practice.  Information will be shared by letters, emails and shared record systems.

Once you have been seen, the other care agency will tell us about the treatment they have provided for you and any support which your GP needs to provide. This information is then included in your record.  Referrals can be to lots of different services, such as smoking cessation services, social prescribers, voluntary services and other health and care agencies, as appropriate, for your care.

Hospital, Community or Social Care Services

Sometimes the staff caring for you need to share some of your information with others who are also supporting you. This could include hospital or community based specialists, nurses, health visitors, therapists or social care services.  Information will be shared to organisations where you receive care, whether that is local or further away, if you need specialist care or emergency care in another.

 

Shared computer systems

Health and Social care services are developing shared systems to share data efficiently and quickly.  It is important for anyone treating you to be able to access your shared record so that they have all the information they need to care for you. This will be during your routine appointments and also in urgent situations such as going to A&E, calling 111 or going to an Out of hours appointment.  It is also quicker for staff to access a shared record than to try to contact other staff by phone or email.

 

Only authorised staff can access the systems and the information they see is carefully checked so that it relates to their job.  Systems do not share all your data, just data which services have agreed is necessary to include.

 

For more information about shared care records, please visit:  The SIDeR Website

 

Clinical Digital Tools

We also use a range of digital tools to support improved patient care.  These digital tools may relate to very specific conditions and use of them supports diagnosis, clinical decision making, prescribing and management of a condition.  Often these digital tools are developed and managed by third parties who are contracted by the NHS for the provision of this very specific work to ensure best patient care.   Your information may be shared with these organisations where it is relevant to your care.

 

Safeguarding of children or vulnerable adults

If we have significant concerns or hear about an individual child or vulnerable adult being at risk of harm, we may share relevant information with other organisations, such as local authorities and the Police, involved in ensuring their safety.

 

Ensuring medicines work well

We work with the local Medicines Management team of the Clinical Commissioning Group to help get the best out of medicines for patients and ensure they are effective in managing conditions.  This generally uses anonymous data, but occasionally they will assist in reviews of medication for patients with complex needs.  Doctors may also seek advice and guidance on prescribing queries.

 

Identifying health risks

Systems known as ‘risk stratification tools’ are used to help determine a person’s risk of suffering particular conditions and enable us to focus on preventing ill health before it develops.  Information in these systems comes from a number of sources, such as hospitals and the practice.  This can help us identify and offer you additional services to improve your health.

 

Population Health Management

Health and care services work together as ‘Integrated Care Systems (ICS)’ and share data for the following reasons:

  • Understanding the health and care needs of the care system’s population, including health inequalities
  • Provide support to where it will have the most impact
  • Identify early actions to keep people well, not only focusing on people in direct contact with services but, looking to join up care across different partners.

 

Multi-disciplinary team meetings

We work closely with a range of other care providers to deliver the best care possible for you. Multi-disciplinary teams are our way of bringing together care providers for conversations in a confidential environment about care arrangements for you, where this is appropriate; for example, if you have a number of long term conditions and would benefit from additional support. Where possible, we will let you know if your care is going to be discussed in this type of forum. However, on occasions where informing you is not possible, we will consider your best interests and will share information on this basis.

 

National Services (including screening programmes)

There are some national services like National Diabetes Audit and the National Cancer Screening Programmes that collect and keep information from across the NHS. This is how the NHS knows when to contact you about services like cervical, breast or bowel cancer screening.

 

You can find out more about how the NHS holds and shares your information for national programmes on the NHS Screening Website.  Please visit:  NHS Screening Website

Data may also be shared on anyone who contracts a ‘communicable disease’, such as Covid 19, in order to manage public health and safety.

How we use your information:  beyond providing your care

The information collected about you when you use our services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

 

  • improving the quality and standards of care
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning new services
  • public health screening
  • assisting the Care Quality Commission with any investigations
  • investigating fraud

 

Wherever possible data used for these purposes is anonymised so that you cannot be identified.  If information cannot be completely anonymous, then this may only take place when the law allows the information to be used.  All these uses help to provide better health and care for you, your family and future generations.

Statutory disclosures

Sometimes we are duty bound by laws to disclose information to organisations such as the Care Quality Commission, the Driver and Vehicle Licencing Agency, the General Medical Council, Her Majesty’s Revenue and Customs and Counter Fraud services.  In these circumstances we will always try to inform you before we are required to disclose and we only disclose the minimum information that the law requires us to do so.

Objecting to the of use of data for purposes beyond your care

The NHS Constitution states ‘You have a right to request that your personal and confidential information is not used beyond your own care and treatment and to have your objections considered’. For further information please visit:  The NHS Constitution Website

 

National data opt-out

The national data opt-out enables patients to opt-out from the use of their personal confidential data for research or planning purposes.  To find out more or to register to opt out, please visit:  NHS Your Data Matters Website

If you have any concerns about use of your data not covered by the National Data Opt out, please contact the practice.

How long do we hold information for?

Records are kept for the lifetime of the patient.  If you move to a new practice, your record will be transferred.  If the practice you have left need to access your record, for example to deal with a historic complaint, they will let you know.  When information has been identified for destruction or deletion it will be disposed of using approved confidential disposal procedures.

Your rights:

Data Protection laws give you a number of rights, including access to your data, correction, erasure, objection and restriction of use of your data.  Details on how to request access to your data are set out below.   If you have any concerns about the accuracy and use of your records, please contact us.

Right of Access to your information (Subject Access Request)

You have the right to have a copy of the information we hold about you.  There are some safeguards regarding what you will have access to and you may find information has been removed for the following reasons.

  • Where your doctor has decided that some information may cause significant harm to you or someone else
  • Where the information is about someone else (third party) and is confidential to them

You can make a request by asking or writing to the practice. We may ask you to complete a form so that we have a record of your request.  You will need to provide proof of identity.

If you would like to access your GP record online please visit: St James Medical Centre

 

Lawful basis for processing:

The use of personal data for providing care is supported under the following Article 6 and 9 conditions of the GDPR:

 

  • Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and
  • Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”

Change of Details

It is important that you tell us as soon as you can if any of your details such as your name or address, email address or mobile number have changed.  This is to make sure no information about you is sent to an old address.

Mobile telephone number

If you provide us with your mobile phone number, we may use this to send you text reminders about your appointments or other health screening information.  Please let us know if you do not wish to receive text reminders on your mobile.

Email address

Where you have provided us with your email address we will use this to send you information relating to your health and the services we provide.  If you do not wish to receive communications by email, please let us know.

 

Any changes to this notice will be published on our website and in a prominent area at the Practice.

Data Protection Officer

Should you have any questions or concerns about your data, please contact our Data Protection Officer Kevin Caldwell via the following:

 

Email: [email protected]

Telephone: 01935 384000

Right to complain

If you have concerns or are unhappy about any of our services, please contact the 01823 285400 or email the practice: [email protected]

For full information on our complaints procedure and our formal complaint form please view this document St James Medical Centre and Orchard Medical Centre complaints form.

For independent advice about data protection, privacy and data-sharing issues, you can contact:

 

The Information Commissioner

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

 

Phone: 0303 123 1113 Visit the ICO  Website:  Information Commissioners Office Website

 

The following table builds upon the information in our Fair Processing notice and is published to ensure transparency.  This list is not exhaustive.  Where the offering of a service to a patient will inform them about the sharing of their data, e.g. support from smoking cessation services, it is not necessarily included here.  This list does not set out uses of anonymous data where identity has been completely removed (such as anonymised data to the Department for Work and Pensions on provision of ‘fit notes’).

Organisation/Activity Rationale
Shared Care Records – Somerset Integrated Digital electronic Record (SIDeR)

 

Purpose

To ensure you receive effective, safe care, we will, through digital means enable your record to be available to those providing your care in whichever care setting you are seen, such as an A&E attendance, a physiotherapy appointment, a social care needs assessment.

 

In order to achieve this, the aim of Shared Care Records is to enable health and care staff to view your information, to save valuable time in getting you the right treatment. Your information will only be available to the staff involved in your direct care, and not at any other time, or for any other reason.

 

Further information can be found here The SIDeR Website

 

Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’

 

Processor – Black Pear

 

Summary Care Record Purpose – The NHS in England uses a national electronic record called the Summary Care Record (SCR) to support patient care. It contains key information from your GP record. Your SCR provides authorised healthcare staff with faster, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable.

 

Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’

 

Further information can be found NHS Summary Care Record Website

 

Controller of summary care record data – NHS Digital

 

Test requests and results Purpose – Some basic identifying details, the type of test requested and if required any relevant health information is shared with Pathology Laboratories when tests such as blood or urine tests need to be undertaken.  The laboratory will also hold the details of the request and the result.  The result/report will be sent electronically to the practice who will hold it in the patient’s record.

 

Legal Basis – Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’

 

Controller of test data – The laboratory that process the request and result are a controller of the data generated by the test process.

Somerset Pathology Services

 

 

Research Purpose – We may share personal confidential or anonymous information with research companies. Where you have opted out of having your identifiable information shared for this purpose then it will not be used.  Details on how to opt out are on the NHS Sharing Data Website.

 

Legal Basis – consent is required to share confidential patient information for research.

 

The organisation leading the research will be the controller of data disclosed to them.

 

Individual Funding Requests Purpose – We may need to process your personal information where we are required to apply for funding for a specific treatment for you for a particular condition that is not routinely available.

 

Legal Basis – The clinical professional who first identifies that you may need the treatment will explain to you the information that is needed to be collected and processed in order to assess your needs and commission your care; they will gain your explicit consent to share this. You have the right to withdraw your consent at any time.  If you are happy for the request to be made, the basis for processing your data is:  Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’

 

Your data will be disclosed to the Clinical Commissioning Group who manages the individual funding request process.

 

Child Health Information Service Purpose – South, Central and West Child Health Information Services (SCW CHIS) is commissioned by NHS England to support the monitoring of care delivered to children. Personal data is collected from the child’s GP record to enable health screening, physical examination and vaccination services to be monitored to ensure that every child has access to all relevant health interventions.

For more information: Fair Processing Notice Child Health Information Services – NHS SCW Support and Transformation for Health and Care (scwcsu.nhs.uk)

Legal Basis – Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”

Processor – SCW, Apollo Medical Software Solutions, System C

 

Risk Stratification – Preventative Care Purpose – ‘Risk stratification for case finding’ is a process for identifying and managing patients who have or may be at-risk of health conditions (such as diabetes) or who are most likely to need healthcare services (such as people with frailty). Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health before it develops.

 

Information about you is collected from a number of sources including NHS Trusts and your GP Practice. A risk score is then arrived at to help us identify and offer you additional services to improve your health.

 

In addition data with your identity removed is used to inform the development and delivery of services across the local area.

 

If you do not wish information about you to be included in any risk stratification programmes, please let us know. We can add a code to your records that will stop your information from being used for this purpose. Please be aware that this may limit the ability of healthcare professionals to identify if you have or are at risk of developing certain serious health conditions.

 

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.

 

Risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority (approval reference (CAG 7-04)(a)/2013)) and this approval has been extended to the end of September 2020. Visit:  NHS England Risk Stratification webpage  which gives us a statutory legal basis under Section 251 of the NHS Act 2006 to process data for risk stratification purposes which sets aside the duty of confidentiality. We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.

 

Controller to which data is disclosed:

Somerset NHS Foundation Trust

Somerset County Council (Anonymised Data Only)

(NB identifiable data is not disclosed to other controllers)

 

Clinical Digital Tools Purpose – A variety of clinical digital tools are used at GP practices to support clinicians managing patients with very specific conditions or to identify patients who may be at risk of health conditions in the future.   These digital tools enable clinicians to focus on preventative care or very specialist care for specific conditions.

 

Prior to introducing clinical digital tools to NHS services,  a strict process of assessment is undertaken to ensure that NHS criteria are met – Digital technology assessment criteria.

 

Where relevant to use of a digital tool, your patient information is collected from your record held at the GP practice.  This data is processed by the authorised third-party supplier and the results are made available to the healthcare professional at the Practice and linked to your patient record.

 

The use of clinical digital tools is often linked with ‘risk stratification for case finding’ (please see above section) enabling resources to be used efficiently and effectively for patient care in GP practices.

 

Although digital technology is used to support healthcare professionals in their work, decisions about patient care are made by a person and not automated.

 

Digital support tools are being developed/updated and introduced to NHS services regularly.  Examples that may be used in GP practices are:

 

·         Support for anticoagulation management plans and medications for a specific cohort of patients

·         A clinical decision support tool to identify potential patients who may benefit from additional health care services or support to help keeping them well and avoiding admission to hospital

·         A clinical decision support tool that identifies patients at higher risk of cancer at the earliest stage

 

We will use and share your information using these digital tools for your direct care purposes.

 

If you have concerns about how your data is used, please let us know, noting if you do object this may limit our ability to identify if you have or are at risk of developing certain serious health conditions or be included in specialised monitoring of specific conditions.

 

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.

 

Population Health Management

(N.B include this section if your practice is taking part in PHM initiatives – such as Brave AI, Optum, etc.)

Purpose – Health and care service providers across Somerset work together as ‘Integrated Care Systems’ (ICS) and are sharing data in order to:

·         Understanding the health and care needs of the care system’s population, including health inequalities

·         Provide support to where it will have the most impact

·         Identify early actions to keep people well, not only focusing on people in direct contact with services but, looking to join up care across different partners.

 

Type of Data – Identifiable/Pseudonymised/Anonymised/Aggregate Data.  NB only organisations that provide your individual care will see your identifiable data.

 

Legal Basis – Article 6(1)(e); “necessary… in the exercise of official authority vested in the controller’ And Article 9(2)(h) Provision of health and care

 

Processor to which data is disclosed: 

Somerset Informaiton Sharing Protocol

MyWay Diabetes

NHS Diabetes Prevention Programme

Ardens Manager (anonymised)

CTheSigns

MiQuest (Pseudonymised)

Child Health information Service

NHS Somerset CCG

Somerset cardiovascular disease (CVD) dashboard (pseudonymised)

 

 

 

 

 

Population Health Management also incorporates the use of risk stratification tools as an integral part of the purpose (please see the risk stratification section of this notice above).

 

Public Health

Screening programmes (identifiable)

Notifiable disease information (identifiable)

Smoking cessation (anonymous)

Sexual health (anonymous)

 

 

Purpose – The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These currently apply to bowel cancer, breast cancer, aortic aneurysms and diabetic retinal screening service. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme. Personal identifiable and anonymous data is shared.  More information can be found visit website: Population Screening Explained Website or speak to the practice

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.

 

Controller to which data is disclosed: 

Public Health Services (England),

Somerset County Council (Anonymised data only)

 

NHS Trusts Purpose – Personal information is shared with Hospitals, Community Services, Mental Health Services and others in order to provide you with care services. This could be for a range of services, including treatment, operations, physio, and community nursing, ambulance service.

 

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.

 

Controller to which data is disclosed: 

Royal United Hospitals Bath NHS Foundation Trust

South Central Ambulance Service NHS Foundation Trust

South Western Ambulance Service NHS Foundation Trust

Southern Health NHS Foundation Trust

Somerset NHS Foundation Trust

Yeovil District Hospital NHS Foundation Trust

University Hospitals Bristol and Weston NHS Foundation Trust

 

Care Quality Commission Purpose – The CQC is the regulator for the English Health and Social Care services to ensure that safe care is provided. They will inspect and produce reports back to the GP practice on a regular basis. The Law allows the CQC to access identifiable data but only where it is needed to conduct their services.

 

More detail on how they ensure compliance with data protection law (including GDPR) and their privacy statement is available on the CQC website: Care Quality Commission Privacy Statement

 

Legal Basis – Article 6(1)c “processing is necessary for compliance with a legal obligation to which the controller is subject.” And Article 9(2)h ‘management of health and care services’

 

Controller data is disclosed to – Care Quality Commission

 

Payments Purpose – Payments to the practice come in many different forms.  Some payments are based on the number of patients that receive specific services, such as diabetic reviews and immunisation programmes. In order to make patient based payments basic and relevant necessary data about you needs to be sent to the various payment services, this data contains limited identity if needed, such as your NHS number. The release of this data is required by English laws.

 

Legal Basis – Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.” And Article 9(2)(h) ‘as stated below

 

Controllers that data is disclosed to – NHS England, CCG, Public Health

 

Patient Record data base support Purpose – The practice uses electronic patient records.  Our supplier of the electronic patient record system is EMIS Ltd

 

Our supplier does not access identifiable records without permission of the practice and this is only given where it is necessary to investigate issues on a particular record

 

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘management of health and care services’.

 

 

Medicines optimisation Purpose – We use software packages linked to our patient record system to aid when prescribing drugs. These ensure that prescribing is effective.  We do not share your identifiable data with the companies that provide these packages

 

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.

 

 

Multi-Disciplinary Teams Purpose – We work closely with a range of other care providers to deliver the best care possible for you.  Multi-disciplinary teams are our way of bringing together care providers for conversations in a confidential environment about care arrangements for you where this is appropriate.  For example, if you have a number of long term conditions and would benefit from additional support.  Where possible, we will inform you that your care will be discussed in this type of forum.  However, if this may not always be possible and in these circumstances, we will consider your best interests and will share information on this basis.

 

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘Provision of health and care’.

 

Clinical Audit Purpose – Information will be used by the CCG for clinical audit to monitor the quality of the service provided to patients with long term conditions. When required, information will be held centrally and used for statistical purposes (e.g. the National Diabetes Audit). When this happens, strict measures are taken to ensure that individual patients cannot be identified from the data.

 

Legal Basis

Article 6(1)e ‘exercise of official authority’ and article 9(2)h ‘management of health and care services’.

 

Controller – Somerset Clinical Commissioning Group

National Fraud Initiative – Cabinet Office Purpose – The use of data by the Cabinet Office for data matching is carried out with statutory authority. It does not require the consent of the individuals concerned under Data Protection legislation. Data matching by the Cabinet Office is subject to a Code of Practice. For further information visit web site:

Code of Data Matching Practice for the National Fraud Initiative

 

NFI activities vary each year, so data would only be disclosed if required by the focus of their activities

 

Legal Basis – Part 6 of the Local Audit and Accountability Act 2014

 

Controller – Cabinet Office

National Registries Purpose – National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.

 

Legal Basis – Section 251 of the NHS Act 2006

 

Police Purpose – The police may request information in relation to on-going enquiries, all requests are reviewed and only appropriate information will be shared under legislation.

 

Legal Basis

Article 6(1)e – task carried out in the public interest

Article 9(2)c – Vital Interests

Article 9(2)f – Legal claims or judicial acts

Article 9(2)g – Reasons of substantial public interest

 

Controller disclosed to – Police

Reviews of and Changes to our Privacy Notice

We will keep our Privacy Notice under regular review. This notice was last reviewed June 2022.