Introduction

This policy sets out our Practice’s approach to Clinical Governance.

Implementing Clinical Governance applies throughout the Practice and is designed to ensure the safety and well-being of our patients and improve the service that they receive from us.

Policy

Summary Statement.

The Practice will always do its utmost to provide the highest quality treatment and care it can to its patients, ensuring always that it works with the most up-to-date clinical information and current best practice guidelines.

1.   Patient involvement.

We will encourage and actively seek patient participation, ensuring there is a system in place which enables patients to provide feedback and make suggestions and be actively involved in deciding how the health services they use should develop.

This system will be supported and promoted through open dialogue, in person and / or in writing, and also through the use of the Practice’s Patient Participation Group, whose aim is to give patients an opportunity to meet, exchange ideas and information to improve the running of the Practice and ensure we are listening and responding to the needs and concerns of our patients.

2.   Patient experience.

We will discuss feedback received from patients and publicise both suggestions and the practice response. Whenever an identifiable patient suggests, the Practice will ensure s/he will receive a personal response.

We will view the practice from the patient perspective (from formal patient survey results) and actively seek to try and implement feasible and beneficial ideas.

3.   Health & Safety and Risk Control.

The Practice implements a robust framework for ensuring it adheres to Health and Safety legislation, both for staff working within the Practice premises and environment, as well as preventing harm to patients when they attend the surgery. The Practice considers the guidelines in the revised version of the GMC document “Raising and acting on concerns about patient safety”, effective 12 March 2012, a copy of which can be downloaded here:

Dr Bapu Sathyajith is the Practice Health & Safety Lead who has overall responsibility for ensuring the Practice Premises are a safe environment for staff and patients using the service.

We operate an open system of Significant Event Reporting which ensures we review, obtain and provide feedback and learn from such incidents. Each Significant Event is discussed in detail and agreed action documented in a Significant Event Review / Clinical Policy Review Meeting.

4.   Clinical Audit.

The Practice undertakes regular clinical audits, carefully and accurately recording the results and taking appropriate action so that we can effectively plan for the implementation of changes / improvements for the benefit of our Patients.

Our administrative procedures are also audited on a regular basis to ensure they are operating effectively.

5.   Evidence-based medical treatment.

The Practice will develop, refine and maintain an awareness of the latest developments, research results and advances in medical treatment and assess the impact of this information on our established and proven methods of working.

To encourage discussion and learning, we will ensure that expertise and opinion is shared both within the Practice and between clinicians.

6.   Information and its use.

The Practice is committed to making maximum use of both electronic and paper-based information in clinical and non-clinical decision making and will share best practice with others both internally and externally.

We will aim to continuously improve data quality and encourage patients to participate in their own clinical treatment and be involved in making the decisions which affect them.

7.   Staff and staff management.

To encourage team working throughout the Practice, we will operate “no-blame” learning culture which will provide all Staff with an open and equal working relationship.

We aim to work towards the “Investor in People” standard, by encouraging staff training and development whilst also supporting devolution of control and empowerment.

8.   Education, Training and Continuing Professional Development (CPD).

All Practice Staff, Clinical and Non-clinical take part in an annual appraisal system which links into their personal development programme.

GPs and nurses are obliged professionally to maintain their CPD to ensure their clinical skills are as up to date as possible and they can continue to practise. All their CPD activity will be documented as an integral part of their learning portfolio (GPs a minimum of 50 learning credits per year and Nurses a minimum of 35 hours of learning activity relevant to their practice every three years).

We ensure all Doctors benefit from CPD by undertaking revalidation, attending a variety of clinical treatment updates, GP registrar training sessions, and resuscitation training days and organising regular in-house clinical seminars from specialist consultants and in-house trainers.

Our Nurses attend training in clinical areas such as the new trends in treatment and care of patients undergoing the menopause, a diploma in chronic obstructive pulmonary disease, up dates in travel and childhood immunisation, and care of the diabetic patient.

All Non-clinical staff are encouraged to attend events related to their own specialism or professional development need, as identified by the appraisal system.

The Practice closes for Four hours each month to allow all staff to take part in protected learning sessions, including updates on basic life support, health and safety, appraisal skills, team building and information governance.

These sessions also provide the opportunity to review departmental policies and procedures, to examine any critical incidents that have occurred and to review the feedback from the annual patient survey in order to implement any changes that may be necessary as a result of its findings and recommendations.

9.  Strategic approach.

We will operate a 5-year strategic plan based on projected patient needs, being mindful of both the current and projected National and Local healthcare situation.

We will actively participate in the Clinical Commissioning Group and focus on activity which creates resources to help achieve both immediate and longer-term patient clinical needs.

Implementation

Dr Bapu Sathyajith is the Clinical Governance Lead(s) for the Practice, having responsibility for:

• Overseeing the management of the key provisions of this Policy.
• Provision of clinical governance leadership and advice.
• Promotion of quality care within the practice.
• Acting as an expert resource and advisor in the examination and review of significant events.
• Initiating and reviewing clinical audits.
• Keeping up to date with research and governance recommendations and communicating these accordingly.

Plashet Harmony Practice Complaints procedure

Receiving of complaints

The Practice may receive a complaint made by, or (with his/her consent) on behalf of a patient, or former patient, who is receiving or has received treatment at the Practice, or:

(a) where the patient is a child:

• by either parent, or in the absence of both parents, the guardian or other adult who has care of the child;
• by a person duly authorised by a local authority to whose care the child has been committed under the provisions of the Children Act 1989;
• by a person duly authorised by a voluntary organisation by which the child is being accommodated

(b) where the patient is incapable of making a complaint, by a relative or other adult who has an interest in his/her welfare.

All complaints, written and verbal will be recorded, and written complaints will be acknowledged in writing within 3 working days of receipt. Patients will be encouraged to complain in writing where possible. The reply to the patient should be made within 20 working days, or the patient should be provided with an update and an estimate timescale.

Period within which complaints can be made

The period for making a complaint is normally:

(a) 12 months from the date on which the event which is the subject of the complaint occurred; or

(b) 12 months from the date on which the event which is the subject of the complaint comes to the complainant’s notice.

The Complaints Manager or lead GP has the discretion to extend the time limits if the complainant has good reason for not making the complaint sooner, or where it is still possible to properly investigate the complaint despite extended delay.

When considering an extension to the time limit it is important that the Complaints Manager takes into consideration that the passage of time may prevent an accurate recollection of events by the clinician concerned or by the person bringing the complaint. The collection of evidence, Clinical Guidelines or other resources relating to the time when the complaint event arose may also be difficult to establish or obtain. These factors may be considered as suitable reason for declining a time limit extension.

Action upon receipt of a complaint

Complaints may be received either verbally or in writing and must be forwarded to the Complaints lead, (or the nominated person), who must:

• acknowledge in writing within the period of 3 working days beginning with the day on which the complaint was made or, where that is not possible, as soon as reasonably practicable. Include an offer to discuss the matter in person. The discussion will include agreement with the patient as to how they wish the complaint to be handled.
• Advise the patient of potential timescales and the next steps.
• provide a written response to the patient as soon as reasonably practicable ensuring that the patient is kept up to date with progress as appropriate. Where a response is not possible within 20 working days provide an update report to the patient with an estimate of the timescale. The final reply will include a full report and a statement advising them of their right to take the matter to the Ombudsman if required.

Final Response

This will include:

• A clear statement of the issues, investigations and the findings, giving clear evidence-based reasons for decisions if appropriate
• Where errors have occurred, explain these fully and state what will be done to put these right, or prevent repetition
• A focus on fair and proportionate the outcomes for the patient, including any remedial action or compensation
• A clear statement that the response is the final one, or that further action or reports will be send later
• An apology or explanation as appropriate
• A statement of the right to escalate the complaint, together with the relevant contact detail

The following information should also be provided in the final response, where applicable:

Independent Advice and Advocacy support

You can get free support, at any time, from your local independent complaints advocacy service.

Newham

This is provided by Healthwatch Newham NHS Complaints Advocacy Service which is an Independent Complaints Advocacy Service. You can contact them by telephone:- 020 3828 8245 or by email:advocacy@healthwatchnewham.co.uk.They can write letters for you and help you present your case, if you wish.

I hope the above information has provided answers to the concerns you raised, however if you are not happy with my final response to your complaint and would like to take the matter further, you can contact the Parliamentary and Health Service Ombudsman (PHSO). The Ombudsman makes final decisions on complaints that have not been resolved by the NHS, government departments and some other public organisations. The service is free for everyone.

To take a complaint to the Ombudsman, go to www.ombudsman.org.uk/making-complaintor call 0345 015 4033. It is important that you make the complaint as soon as you receive our final response, as there are time limits for the Ombudsman to look into complaints.

The Ombudsman may be contacted as follows:

In writing to:

Millbank Tower
Millbank
London
SW1P 4QP

Telephone: 0345 015 4033

Email: phso.enquiries@ombudsman.org.uk

If patients do not wish to complain directly to the practice, they can contact the commissioners please find their contact details:

Complaints Team

NHS North East London
Email: nelondonicb.complaints@nhs.net

Telephone : 0208 221 5750

Unfortunately, the NHS complaints regulations do not allow for a complaint to be re-investigated by NHS North East London in circumstances where the complainant has already received a response from a provider

Review of Complaints

The complaints will be reviewed regularly in the practice meetings and the learnings shared.

Confidentiality
All complaints must be treated in the strictest confidence

Where the investigation of the complaint requires consideration of the patient’s medical records, the Complaints Manager must inform the patient or person acting on his/her behalf if the investigation will involve disclosure of information contained in those records to a person other than the Practice or an employee of the Practice.

The practice must keep a record of all complaints and copies of all correspondence relating to complaints, but such records must be kept separate from patients’ medical records.

Introduction

The Data Protection Act 2018 (DPA) is a UK Act of Parliament that brings the European General Data Protection Regulations (GDPR) into British Law and updates the Data Protection Act 1998. The DPA requires a clear direction on policy for security of information held within the practice and provides individuals with a right of access to a copy of information held about them.

The practice needs to collect personal information about people with whom it deals in order to carry out its business and provide its services.  Such people include patients, employees (present, past and prospective), suppliers and other business contacts.  The information we hold will include personal, sensitive and corporate information.  In addition, we may occasionally be required to collect and use certain types of such personal information to comply with the requirements of the law.  No matter how it is collected, recorded and used (e.g. on a computer or on paper) this personal information must be dealt with properly to ensure compliance with the Data Protection Act 2018.

The lawful and proper treatment of personal information by the practice is extremely important to the success of our business and in order to maintain the confidence of our service users and employees.  We ensure that the practice treats personal information lawfully and correctly.

This policy provides direction on security against unauthorised access, unlawful processing, and loss or destruction of personal information.

See also: Access to Medical Records policy, which covers Subject Access Requests under the Data Protection Act.

1.0      Data Protection Principles

We support fully and comply with the six principles of the Act which are summarised below:

1. Personal data shall be processed fairly and lawfully.

• Personal data shall be obtained/processed for specific lawful purposes and will only be used for the purpose for which it was collected.

• Personal data held must be adequate, relevant and not excessive.

• Personal data must be accurate and kept up to date, and every reasonable step will be taken to ensure any personal data that is inaccurate is erased or rectified without delay.

• Personal data shall not be kept for longer than necessary.

• Personal data shall be processed in a manner that ensures appropriate security of the personal data.

• Employee Responsibilities

All employees will, through appropriate training and responsible management:

• comply at all times with the above Data Protection Act principles

• observe all forms of guidance, codes of practice and procedures about the collection and use of personal information

• understand fully the purposes for which the practice uses personal information

• collect and process appropriate information, and only in accordance with the purposes for which it is to be used by the practice to meet its service needs or legal requirements

• ensure the information is correctly input into the practice’s systems

• ensure the information is destroyed (in accordance with the provisions of the Act) when it is no longer required

• on receipt of a request from an individual for information held about them by or on behalf of immediately notify the practice manager

• not send any personal information outside of the United Kingdom without the authority of the Caldicott Guardian / IG Lead

• understand that breaches of this Policy may result in disciplinary action, including dismissal

• Practice Responsibilities

The practice will:

• Ensure that there is always one person with overall responsibility for data protection.  Currently this person is Dr Bapu Sathyajith, should you have any questions about data protection. Jasvinder Tooray will take on these responsibilities if the first named individual is absent with illness or on annual leave.

• Maintain its registration with the Information Commissioner’s Office

• Ensure that all subject access requests are dealt with as per our Access to Medical Records policy

• Provide training for all staff members who handle personal information

• Provide clear lines of report and supervision for compliance with data protection and also have a system for breach reporting

• Carry out regular checks to monitor and assess new processing of personal data and to ensure the practice’s notification to the Information Commissioner is updated to take account of any changes in processing of personal data

• Develop and maintain DPA procedures to include roles and responsibilities, notification, subject access, training and compliance testing

•  Display a poster in the waiting room explaining to patients the practice policy (see

below) plus a copy of the Information Commissioners certificate

• Make available a leaflet and or a poster in reception on Access to Medical Records for the information of patients. Also display the certificate of registration with the Information Commissioners office.

• Take steps to ensure that individual patient information is not deliberately or accidentally released or (by default) made available or accessible to a third party without the patient’s consent, unless otherwise legally compliant. This will include training on confidentiality issues, DPA principles, working security procedures, and the application of best practice in the workplace.

• Undertake prudence in the use of, and testing of, arrangements for the backup and recovery of data in the event of an adverse event.

• Maintain a system of “Significant Event Reporting” through a no-blame culture to capture and address incidents which threaten compliance.

•  Include DPA issues as part of the practice general procedures for the management of risk.

•  Ensure confidentiality clauses are included in all contracts of employment.

•  Ensure that all aspects of confidentiality and information security are promoted to all staff.

•  Remain committed to the security of patient and staff records.

• Ensure that any personal staff data requested by the CCG or NHS, i.e. age, sexual orientation and religion etc., is not released without the written consent of the staff member

Not all services at the Practice are available under the NHS.

Where patients request NON-NHS items or services, a Private Fee may be payable.

This poster lists those fees, which are payable in advance.

Privacy Notice

We understand how important it is to keep your personal information safe and secure and we take this very seriously. We have taken steps to make sure your personal information is looked after in the best possible way and we review this regularly.

Please read this privacy notice (‘Privacy Notice’) carefully, as it contains important information about how we use the personal and healthcare information we collect on your behalf.

1. WHY WE ARE PROVIDING THIS PRIVACY NOTICE

We are required to provide you with this Privacy Notice by Law. It explains how we use the personal and healthcare information we collect, store and hold about you. If you are unclear about how we process or use your personal and healthcare information, or you have any questions about this Privacy Notice or any other issue regarding your personal and healthcare information, then please do contact our Data Protection Officer (details below).

The Law says:

1. We must let you know why we collect personal and healthcare information about you;

• We must let you know how we use any personal and/or healthcare information we hold on you;

• We need to inform you in respect of what we do with it;

• We need to tell you about who we share it with or pass it on to and why; and

• We need to let you know how long we can keep it for.

• THE DATA PROTECTION OFFICER

The Data Protection Officer at the Surgery is Dr Sathyajith. You can contact them at/on 020 8586 6555 if:

• You have any questions about how your information is being held;

• If you require access to your information or if you wish to make a change to your information;

• If you wish to make a complaint about anything to do with the personal and healthcare information we hold about you;

• Or any other query relating to this Policy and your rights as a patient.

• ABOUT US

We, at the Dr Sathyajith’s Practice situated at East Ham Memorial Hospital, are a Data Controller of your information. This means we are responsible for collecting, storing and handling your personal and healthcare information when you register with us as a patient.

There may be times where we also process your information. That means we use it for a particular purpose and, therefore, on those occasions we may also be Data Processors. The purposes for which we use your information are set out in this Privacy Notice.

• INFORMATION WE COLLECT FROM YOU

The information we collect from you will include:

1. Your contact details (such as your name and email address, including place of work and work contact details);

• Details and contact numbers of your next of kin;

• Your age range, gender, ethnicity;

• Details in relation to your medical history;

• The reason for your visit to the Surgery;

• Medical notes and details of diagnosis and consultations with our GPs and other health professionals within the Surgery involved in your direct healthcare.

• INFORMATION ABOUT YOU FROM OTHERS

We also collect personal information about you when it is sent to us from the following:

1. a hospital, a consultant or any other medical or healthcare professional, or any other person involved with your general healthcare.

• YOUR SUMMARY CARE RECORD

Your summary care record is an electronic record of your healthcare history (and other relevant personal information) held on a national healthcare records database provided and facilitated by NHS England.

This record may be shared with other healthcare professionals and additions to this record may also be made by relevant healthcare professionals and organisations involved in your direct healthcare.

You may have the right to demand that this record is not shared with anyone who is not involved in the provision of your direct healthcare. If you wish to enquire further as to your rights in respect of not sharing information on this record then please contact our Data Protection Officer.

To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, please visit www.nhs.uk/my-data-choice.

Note if you do choose to opt out, you can still consent to your data being used for specific purposes. However, if you are happy with this use of information you do not need to do anything. You may however change your choice at any time.

• WHO WE MAY PROVIDE YOUR PERSONAL INFORMATION TO, AND WHY

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care Services, important information about you is collected to help ensure you get the best possible care and treatment. This information may be passed to other approved organisations where there is a legal basis, to help with planning services, improving care, research into developing new treatments and preventing illness. All of this helps in proving better care to you and your family and future generations. However, as explained in this privacy notice, confidential information about your health and care is only used in this way where allowed by law and would never be used for any other purpose without your clear and explicit consent.

We may pass your personal information on to the following people or organisations, because these organisations may require your information to assist them in the provision of your direct healthcare needs. It, therefore, may be important for them to be able to access your information in order to ensure they may properly deliver their services to you:

1. Hospital professionals (such as doctors, consultants, nurses, etc);

• Other GPs/Doctors;

• Pharmacists;

• Nurses and other healthcare professionals;

• Dentists;

• Any other person that is involved in providing services related to your general healthcare, including mental health professionals.

• OTHER PEOPLE WHO WE PROVIDE YOUR INFORMATION TO

1. Commissioners;

• Clinical Commissioning Groups;

• Local authorities;

• Community health services;

• For the purposes of complying with the law e.g. Police, Solicitors, Insurance Companies;

• Anyone you have given your consent to, to view or receive your record, or part of your record. Please note, if you give another person or organisation consent to access your record we will need to contact you to verify your consent before we release that record. It is important that you are clear and understand how much and what aspects of, your record you give consent to be disclosed.   

• Extended Access – we provide extended access services to our patients which means you can access medical services outside of our normal working hours. In order to provide you with this service, we have formal arrangements in place with the Clinical Commissioning Group and with other practices whereby certain key “hub” practices offer this service on our behalf for you as a patient to access outside of our opening hours. This means, those key “hub” practices will have to have access to your medical record to be able to offer you the service. Please note to ensure that those practices comply with the law and to protect the use of your information, we have very robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those purposes only.

The key Hub practices are as follows:

Glen Road Medical Centre

Plashet Medical Centre

Westbury Road Surgery

• Data Extraction by the Clinical Commissioning Group – the clinical commissioning group at times extracts medical information about you, but the information we pass to them via our computer systems cannot identify you to them. This information only refers to you by way of a code that only your practice can identify (it is pseudo-anonymised). This therefore protects you from anyone who may have access to this information at the Clinical Commissioning Group from ever identifying you as a result of seeing the medical information and we will never give them the information that would enable them to do this.

There are good reasons why the Clinical commissioning Group may require this pseudo-anonymised information, these are as follows:

Flu Vaccinations

Childhood Immunisations

• ANONYMISED INFORMATION

Sometimes we may provide information about you in an anonymised form. If we do so, then none of the information we provide to any other party will identify you as an individual and cannot be traced back to you.

1. YOUR RIGHTS AS A PATIENT

The Law gives you certain rights to your personal and healthcare information that we hold, as set out below:

1. Access and Subject Access Requests

You have the right to see what information we hold about you and to request a copy of this information.

If you would like a copy of the information we hold about you please email our Data Protection Officer. We will provide this information free of charge however, we may in some limited and exceptional circumstances have to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive.

We have one month to reply to you and give you the information that you require. We would ask, therefore, that any requests you make are in writing and it is made clear to us what and how much information you require.

• Online Access

You may ask us if you wish to have online access to your medical record. However, there will be certain protocols that we have to follow in order to give you online access, including written consent and production of documents that prove your identity.

Please note that when we give you online access, the responsibility is yours to make sure that you keep your information safe and secure if you do not wish any third party to gain access.

• Correction

 We want to make sure that your personal information is accurate and up to date. You may ask us to correct any information you think is inaccurate. It is very important that you make sure you tell us if your contact details including your mobile phone number has changed.

• Removal

You have the right to ask for your information to be removed however, if we require this information to assist us in providing you with appropriate medical services and diagnosis for your healthcare, then removal may not be possible.

• Objection

We cannot share your information with anyone else for a purpose that is not directly related to your health, e.g. medical research, educational purposes, etc. We would ask you for your consent in order to do this however, you have the right to request that your personal and healthcare information is not shared by the Surgery in this way. Please note the Anonymised Information section in this Privacy Notice.

• Transfer

You have the right to request that your personal and/or healthcare information is transferred, in an electronic form (or other form), to another organisation, but we will require your clear consent to be able to do this.

1. THIRD PARTIES MENTIONED ON YOUR MEDICAL RECORD

Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to confidentiality, are removed before we send any information to any other party including yourself. Third parties can include: spouses, partners, and other family members.

1. HOW WE USE THE INFORMATION ABOUT YOU

We use your personal and healthcare information in the following ways:

1. when we need to speak to, or contact other doctors, consultants, nurses or any other medical/healthcare professional or organisation during the course of your diagnosis or treatment or on going healthcare;

• when we are required by Law to hand over your information to any other organisation, such as the police, by court order, solicitors, or immigration enforcement.

We will never pass on your personal information to anyone else who does not need it, or has no right to it, unless you give us clear consent to do so.

1. LEGAL JUSTIFICATION FOR COLLECTING AND USING YOUR INFORMATION

The Law says we need a legal basis to handle your personal and healthcare information.

CONTRACT: We have a contract with NHS England to deliver healthcare services to you. This contract provides that we are under a legal obligation to ensure that we deliver medical and healthcare services to the public.

CONSENT: Sometimes we also rely on the fact that you give us consent to use your personal and healthcare information so that we can take care of your healthcare needs.

Please note that you have the right to withdraw consent at any time if you no longer wish to receive services from us.

NECESSARY CARE: Providing you with the appropriate healthcare, where necessary. The Law refers to this as ‘protecting your vital interests’ where you may be in a position not to be able to consent.

LAW: Sometimes the Law obliges us to provide your information to an organisation (see above).

1. SPECIAL CATEGORIES

The Law states that personal information about your health falls into a special category of information because it is very sensitive. Reasons that may entitle us to use and process your information may be as follows:

PUBLIC INTEREST: Where we may need to handle your personal information when it is considered to be in the public interest. For example, when there is an outbreak of a specific disease and we need to contact you for treatment, or we need to pass your information to relevant organisations to ensure you receive advice and/or treatment;

CONSENT: When you have given us consent;

VITAL INTEREST: If you are incapable of giving consent, and we have to use your information to protect your vital interests (e.g. if you have had an accident and you need emergency treatment);

DEFENDING A CLAIM: If we need your information to defend a legal claim against us by you, or by another party;

PROVIDING YOU WITH MEDICAL CARE: Where we need your information to provide you with medical and healthcare services

1. HOW LONG WE KEEP YOUR PERSONAL INFORMATION

We carefully consider any personal information that we store about you, and we will not keep your information for longer than is necessary for the purposes as set out in this Privacy Notice.

1. UNDER 16s

There is a separate privacy notice for patients under the age of 16, a copy of which may be obtained on request.

1. IF ENGLISH IS NOT YOUR FIRST LANGUAGE

If English is not your first language you can request a translation of this Privacy Notice. Please contact our Data Protection Officer.

1. COMPLAINTS

If you have a concern about the way we handle your personal data or you have a complaint about what we are doing, or how we have used or handled your personal and/or healthcare information, then please contact our Data Protection Officer.

However, you have a right to raise any concern or complaint with the UK information regulator, at the Information Commissioner’s Office: https://ico.org.uk/.

1. OUR WEBSITE

The only website this Privacy Notice applies to is the Surgery’s website. If you use a link to any other website from the Surgery’s website then you will need to read their respective privacy notice. We take no responsibility (legal or otherwise) for the content of other websites.

• COOKIES

The Surgery’s website uses cookies. For more information on which cookies we use and how we use them, please see our Cookies Policy.

• SECURITY

We take the security of your information very seriously and we do everything we can to ensure that your information is always protected and secure. We regularly update our processes and systems and we also ensure that our staff are properly trained. We also carry out assessments and audits of the information that we hold about you and make sure that if we provide any other services, we carry out proper assessments and security reviews.

• TEXT MESSAGING AND CONTACTING YOU

Because we are obliged to protect any confidential information we hold about you and we take this very seriously, it is imperative that you let us know immediately if you change any of your contact details.

We may contact you using SMS texting to your mobile phone in the event that we need to notify you about appointments and other services that we provide to you involving your direct care, therefore you must ensure that we have your up to date details. This is to ensure we are sure we are actually contacting you and not another person.

• WHERE TO FIND OUR PRIVACY NOTICE

You may find a copy of this Privacy Notice in the Surgery’s reception, on our website, or a copy may be provided on request.

• CHANGES TO OUR PRIVACY NOTICE

We regularly review and update our Privacy Notice. This Privacy Notice was last updated on in April 2019 and will be reviewed again in April 2020.

To read the privacy notice for our ICS please CLICK HERE

Please click here to download a copy of our Information Governance leaflet for patients.

Your Data

In order to comply with data protection legislation, this notice has been designed to inform you of what you need to know about the personal information we process. This is your assurance that we are complying with our legal obligation to you and a good opportunity for you to understand or exercise your information rights.

We are legally required to tell you:

•  What personal information we use

•  Why we need your personal information

•  The lawful basis for processing your personal information i.e. legitimate reasons for collecting, keeping, using and sharing it

•  How we use, store, protect and dispose of your personal information

•  How long we keep it for and who we may share it with

•  About your information rights

•  How to report a complaint or concern

Your Personal Information

When we say personal information, we are referring to any information that can identify a specific person, either on its own or together with other information. The obvious examples are name, address and date of birth; however this could include other forms for data, such as email address, car registration, specific physical feature, NHS number, pictures, images and so forth.

Most of the personal information we process is confidential or sensitive because of the nature of our business activities (health and social care). This could be used in a discriminatory way and is likely to be of a private nature, so greater care is needed to ensure this is processed securely. Confidential or sensitive information includes the racial or ethnic origin of the data subject, political opinions, religious beliefs or other beliefs of a similar nature, Trade Union membership, physical or mental health or condition, sexual life, commission, alleged commission of or proceeding for any offence.

Anonymised data is not personal information. This is any information that cannot reasonably identify you, so it cannot be personal, confidential or sensitive. Anonymisation requires the removal of personal information that might identify you.

The personal information we collect may be used for any of the following specific purposes:

•  Health care for patients – diagnosis, treatment and referral

•  Accounting, financial management and auditing

•  Education and training

•  Consultancy and Advisory services

•  Human resources and staff administration

•  Crime prevention and prosecution

•  Health administration and services management

•  Business activity information and databank administration

•  Contractual arrangements for data processing by third parties

•  Occupational Health referrals

•  Research, national surveys

•  Security services e.g CCTV monitoring, confidentiality audits

Without your personal information, we cannot:

•  Direct, manage and deliver the health care you may require

•  Ensure we have accurate and up to date information to assess and provide what you require

•  Provide the appropriate level of assistance or adequate guidance

•  Refer you to a specialist or another service

•  Protect the general public or promote public health

•  Manage, develop or improve our services

•  Investigate complaints or proceed with legal actions for claims

•  Employ you to join our workforce

•  Procure products and services

•  Commission business activities

•  Comply with a court order

•  Comply with regulatory requirements

•  Meet some of our legal obligations

•  Compile statistics to review our performance

•  Educate and train our workforce

•  Undertake clinical trials and research studies you have consented to

•  Complete occupational health checks you have consented to

•  Keep you and other service users safe on our premises

Lawful Basis for Processing your Personal Information

We do not rely on consent to use your personal information as a ‘lawful basis for processing’ regarding using your information for healthcare instead follow guidance issued by the British Medical Association (BMA).

We rely on the following specific provisions under Articles 6 (Lawful Processing) and 9 (Processing of Special Categories of Personal Data) of the GDPR:

For your personal information

Article 6 (1c) ‘processing is necessary for compliance with a legal obligation…’

Article 6 (1e) ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller.’

For your special category information

Article 9 (2b) ‘…for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’

Article 9 (2h) ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’

Article 9 (2i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’

Please note: You do have the right to say ‘NO’ to our use of your personal information but this may have an impact on our ability to provide appropriate care or services.

Please speak a member of the Practice or our Data Protection Officer.

We never use your personal information for advertising, marketing and public relations or insurance purposes without your consent.

Retention and Disposal of Personal Information

Your personal information may be written down (manual), digitised or held on computers (electronic) centrally within or outside of the Practice. These may be paper records, scans, photographs, slides, CCTV images, microform (i.e. fiche/film), audio, video, emails, computerised records on IT systems, or scanned documents etc. which we process securely in accordance with data protection legislation and store in conjunction with the Records Management code of Practice.

Records Management Code of Practice 2016

Keeping your Personal Information Safe

We are committed to keeping your information secure and have operational policies, procedures and technical measures in place to protect your information whether it is in a hardcopy, digital or electronic format.

We are registered to the Information Commissioner’s Office: registration number: Z6733449

Mandatory training and regular audits are in place to ensure that only authorised personnel with the absolutely necessary need to know your personal information can use it.

When there are data protection breaches (for example – unauthorised access, inappropriate use, failure to secure and keep personal information secure or accurate), these are reported and investigated, with appropriate action (disciplinary, legal, lessons learned, re-training etc.) taken.

Sharing Personal Information

We may need to share your personal information with another organisation e.g. NHS organisations, health and social care organisations, public bodies (Social Services, Probation Service, Police, Regulatory Authorities) or third party providers commissioned to process personal information on our behalf.

This is because of our duty to share which is equally as important as our duty of confidentiality. We may also share your personal information for planning services across the NHS. This is vital to delivering better healthcare and improving our services.

You have the right to say no and to opt out of or restrict this sharing.  Your right to opt out for reasons other than direct care (e.g. planning and research purposes) is managed through the National Data Opt-Out Programme (search online or contact NHS Digital on 0300 303 5678 to find out more).

Your Information Rights

You have the right to:

•  Be informed about the processing of your personal information by the Practice (done through this notice)

•  Access the information we hold about you (paper, digital or electronic copies)

•  Ask the Practice to correct or complete your personal information

•  Ask the Practice to restrict the processing of your personal information under certain circumstances

•  Ask the Practice to move, copy and transfer your personal information which you have provided to the Practice, in a commonly-used/machine readable format and securely, for your own purpose

•  Ask us not to process your personal information

•  Ask us not to use your personal information for public interests, direct marketing, automated decision-making, profiling, research or statistical purposes

•  Receive a response to your access or change request within a calendar month

Requests for information

Please complete a Request for Access to Records form which is available from our admin team. We will require proof of identity before we can disclose any personal information.

Report Complaint or Concern

We try to meet the highest standards when processing personal information. You should let us know when we get something wrong.

The Practice employs an independent Data Protection Officer (DPO). The role our DPO is to examine our information handling practices and ensure we operate within the law.

These services are provided by Umar Sabat from IG-Health. He can be contacted on dpo.th@nhs.net. He can only assist with complaints about your personal information. All other complaints should be directed to the Practice.