Privacy Policy

On 25 May 2018, the General Data Protection Regulation (GDPR)  will be enforced across Europe, including the UK. The law aims to give citizens more control over their data and to create a uniformity of rules to enforce across the continent. Click here to download the GDPR leaflet.

This privacy notice explains why the GP Practice collects information about you, and how that information may be used.

As data controllers, GPs have responsibilities which are regulated by law under the General Data Protection Regulations. This means ensuring that your personal confidential data (PCD) is handled in ways that are safe, transparent and what you would reasonably expect.

Plain English Explanation

The Care Quality Commission (CQC) is an organisation established in English law by the Health and Social Care Act. The CQC is the regulator for English health and social care services to ensure that safe care is provided. They inspect and produce reports on all English general practice activities in a rolling 5 year program. The law allows CQC to access identifiable patient data as well as requiring College Green Medical Practice to share certain types of data with them in certain circumstances, for instance following a significant safety incident.

For more information about the CQC see: http://www.cqc.org.uk/

1) Data Controller contact detailsCollege Green Medical Practice – Health and Wellbeing Centre, 1 Bristol Rd S, Birmingham B31 2GH
2) Data Protection Officer contact detailsMr Umar Sabat
ourhealthpartnership@nhs.net
3) Purpose of the processingTo provide the Secretary of State and others with information and reports on the status, activity, and performance of the NHS.
4) Lawful basis for processing

The legal basis is:

Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”

And for Special Category Data

Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”

5) Recipient or categories of recipients of the shared dataThe data will be shared with the Care Quality Commission, its officers and staff and members of the inspection teams that visit us from time to time.
6) Rights to objectYou have the right to object to some or all of the information being shared. Please contact our Data Protection Officer.
7) Right to access and correctYou have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention periodThe data will be retained for active use during the processing and thereafter according to NHS Policies and the law.
9)  Right to Complain.

You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/

or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

Please note the National Data Opt Out does not apply to this sharing of information. For further information please see: https://www.nhs.uk/your-nhs-data-matters/

Date created: 9th February 2022

Last updated: N/A

As employers we need to keep certain information so that we can remain your employer and manage payments. This is a combination of personal and financial information. We are required by law to hold certain types of data on those we employ under the Health and Social Care Act and this data is examined during CQC inspection visits. For more information about the CQC see: http://www.cqc.org.uk/

We are also required to share information about you with NHS Digital under a submission known as the “Workforce Minimum Dataset”. To find out more visit https://digital.nhs.uk/data-and-information/areas-of-interest/workforce/workforce-minimum-data-set-wmds

We are also required by HMRC and various taxation laws, such as “The Income Tax (Pay As You Earn) Regulations 2003” to keep financial records.

Please see our main privacy policy for data processors we use.

1) Data Controller contact details

College Green Medical Practice

1 Bristol Road South

Birmingham

B31 2GH

2) Data Protection Officer contact details

Umar Sabat

ourhealthpartnership@nhs.net

3) Purpose of the processingTo comply with the Health and Social Care Act and taxation law.
4) Lawful basis for processing

The legal basis will be

Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”

And

Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”

5) Recipient or categories of recipients of the shared data

The data will be shared with the Care Quality Commission, its officers and staff and members of the inspection teams that visit us from time to time. Financial data will also be shared with HMRC.

6) Rights to object

You have the right to object to some or all of the information being shared with CQC, please contact our Data Protection Officer. There is no right to have UK taxation related data deleted except after certain statutory periods.

7) Right to access and correctYou have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have records deleted except when ordered by a court of Law.
8) Retention period

The data will be retained for active use during the processing and thereafter according to NHS Policies, taxation and employment law.

9) Right to Complain.

You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/

or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)/

Please note the National Data Opt Out does not apply to this sharing of information. For further information please see: https://www.nhs.uk/your-nhs-data-matters/

Date created: 9th February 2022

Last updated: N/A

There are occasions when intervention is necessary in order to save or protect a patients life or to prevent them from serious immediate harm, for instance during a collapse or diabetic coma or serious injury or accident. In many of these circumstances the patient may be unconscious or too ill to communicate. In these circumstances we have an overriding duty to try to protect and treat the patient. If necessary we will share your information and possibly sensitive confidential information with other emergency healthcare services, the police or fire brigade, so that you can receive the best treatment.

The law acknowledges this and provides supporting legal justifications.

Individuals have the right to make pre-determined decisions about the type and extend of care they will receive should they fall ill in the future, these are known as “Advance Directives”.  If lodged in your records these will normally be honoured despite the observations in the first paragraph.

1) Data Controller contact details

 

College Green Medical Practice

1 Bristol Road South

Birmingham

B31 2GH

2) Data Protection Officer contact details

 

 

Umar Sabat
ourhealthpartnership@nhs.net
3) Purpose of the processingDoctors have a professional responsibility to share data in emergencies to protect their patients or other persons. Often in emergency situations the patient is unable to provide consent.
4) Lawful basis for processing

This is a Direct Care purpose. There is a specific legal justification;

Article 6(1)(d) “processing is necessary to protect the vital interests of the data subject or of another natural person”

And

Article 9(2)(c) “processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent”

Or alternatively

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”.

5) Recipient or categories of recipients of the shared dataThe data will be shared with Healthcare professionals and other workers in emergency and out of hours services and at local hospitals, diagnostic and treatment centres.  (if preferred list actual named services)
6) Rights to object

You have the right to object to some or all of the information being shared with the recipients.

You also have the right to have an “Advance Directive” placed in your records and brought to the attention of relevant healthcare workers or staff.

7) Right to access and correctYou have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law. If we share or process your data in an emergency when you have not been able to consent, we will notify you at the earliest opportunity.
8) Retention periodThe data will be retained in line with the law and national guidance
9)  Right to Complain.

You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/

or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

Please note the National Data Opt Out does not apply to this sharing of information. For further information please see: https://www.nhs.uk/your-nhs-data-matters/

Date created: 22nd January 2022

Last updated: N/A

Plain English Explanation

College Green Medical Practice keeps data on you relating to who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by College Green Medical Practice healthcare professionals who are appropriately involved in your health care.

If your health needs require care from others elsewhere outside College Green Medical Practice we will exchange with them whatever information about you that is necessary for them to provide that care. When you make contact with healthcare providers outside College Green Medical Practice, but within the NHS, it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non-NHS services but this is not always the case.

People who have access to your information will only normally have access to that which they need to fulfil their roles, for instance admin staff will normally only see your name, address, contact details, appointment history and registration details in order to book appointments, the practice nurses will normally have access to your immunisation, treatment, significant active and important past histories, your allergies and relevant recent contacts whilst the GP you see or speak to will normally have access to everything in your record.

You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests. Please see below.

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

1) Data Controller contact details

 

 

College Green Medical Practice

1 Bristol Road South

Birmingham

B31 2GH

 

2) Data Protection Officer contact details

 

 

Umar Sabat
ourhealthpartnership@nhs.net
3) Purpose of the processingDirect Care is care delivered to the individual alone, most of which is provided in the surgery. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.
4) Lawful basis for  processing

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere  is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*

 

5) Recipient or categories of recipients of the processed data

The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care. [if possible list actual named sites such as local hospital)(s) name]

 

 

6) Rights to object

You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance.

 

7) Right to access and correct

You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.

 

8) Retention period

The data will be retained in line with the law and national guidance. Please see the NHSx Records Management Code of Practice.

 

9)  Right to Complain.

You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/

or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

 

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

Please note the National Data Opt Out does not apply to this sharing of information. For further information please see: https://www.nhs.uk/your-nhs-data-matters/

Date created: 9TH February 2022

Last updated: N/A

Plain English Explanation

NHS Digital is the secure haven* for NHS patient data, a single secure repository where data collected from all branches of the NHS is processed. NHS Digital provides reports on the performance of the NHS, statistical information, audits and patient outcomes (https://digital.nhs.uk/data-and-information). Examples include; A/E and outpatient waiting times, the numbers of staff in the NHS, percentage target achievements, payments to GPs etc and more specific targeted data collections and reports such as the Female Genital Mutilation, general practice appointments data and English National Diabetes Audits. GPs are required by the Health and Social Care Act to provide NHS Digital with information when instructed. This is a legal obligation which overrides any patient wishes. These instructions are called “Directions”. More information on the directions placed on GPs can be found at https://digital.nhs.uk/article/8059/NHS-England-Directions- and www.nhsdatasharing.info

1) Data Controller contact details

 

 

College Green Medical Practice

1 Bristol Road South

Birmingham

B31 2GH

2) Data Protection Officer contact details

 

 

Umar Sabat

ourhealthpartnership@nhs.net

3) Purpose of the processingTo provide the Secretary of State and others with information and reports on the status, activity and performance of the NHS. The provide specific reporting functions on indentified
4) Lawful basis for processing

The legal basis will be

Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”

And

Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”

5) Recipient or categories of recipients of the shared dataThe data will be shared with NHS Digital according to directions which can be found at https://digital.nhs.uk/article/8059/NHS-England-Directions-
6) Rights to objectYou have the right to object to some or all of the information being shared with NHS Digital. Contact the Data Controller.
7) Right to access and correctYou have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention periodThe data will be retained for active use during the processing and thereafter according to NHS Policies and the law.
9)  Right to Complain.

You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/

or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

Please note the National Data Opt Out does not apply to this sharing of information. For further information please see: https://www.nhs.uk/your-nhs-data-matters/

Date created: 9th February 2022

Last updated: N/A

Public health encompasses everything from national smoking and alcohol policies, the management of epidemics such as flu, the control of large scale infections such as TB and Hepatitis B to local outbreaks of food poisoning or Measles. Certain illnesses are also notifiable; the doctors treating the patient are required by law to inform the Public Health Authorities, for instance Scarlet Fever.

This will necessarily mean the subjects personal and health information being shared with the Public Health organisations.

Some of the relevant legislation includes: the Health Protection (Notification) Regulations 2010 (SI 2010/659), the Health Protection (Local Authority Powers) Regulations 2010 (SI 2010/657), the Health Protection (Part 2A Orders) Regulations 2010 (SI 2010/658), Public Health (Control of Disease) Act 1984, Public Health (Infectious Diseases) Regulations 1988 and The Health Service (Control of Patient Information) Regulations 2002

1) Data Controller contact details

College Green Medical Practice

1 Bristol Road South

Birmingham

B31 2GH

2) Data Protection Officer contact details

Umar Sabat

ourhealthpartnership@nhs.net

 

3) Purpose of the processingThere are occasions when medical data needs to be shared with UKHSA, the Local Authority Director of Public Health, or the Health Protection Agency, either under a legal obligation or for reasons of public interest or their equivalents in the devolved nations.
4) Lawful basis for processing

The legal basis will be

Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”

And

Article 9(2)(i) “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices,..”

5) Recipient or categories of recipients of the shared dataThe data will be shared with UK Health Security Agency  https://www.gov.uk/government/organisations/uk-health-security-agency and equivalents in the devolved nations.
6) Rights to objectYou have the right to object to some or all of the information being shared with the recipients. Please contact the Data Controller.
7) Right to access and correctYou have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention periodThe data will be retained for active use during the period of the public interest and according to legal requirements and Public Health England’s criteria on storing identifiable data
https://www.gov.uk/government/organisations/public-health-england/about/personal-information-charter.
9)  Right to Complain.

You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/

or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

Please note the National Data Opt Out does not apply to this sharing of information. For further information please see: https://www.nhs.uk/your-nhs-data-matters/

Date created: 9th February 2022

Last updated: N/A

Plain English explanation

The records we keep enable us to plan for your care.

College Green Medical Practice keeps data on you that we apply searches and algorithms to in order to identify from preventive interventions.

This means using only the data we hold or in certain circumstances linking that data to data held elsewhere by other organisations, and usually processed by organisations within or bound by contracts with the NHS.

If any processing of this data occurs outside College Green Medical Practice your identity will not be visible to the processors. Only College Green Medical Practice will be able to identify you and the results of any calculated factors, such as your risk of having a heart attack in the next 10 years or your risk of being admitted to hospital with a complication of chest disease

You have the right to object to our processing your data in these circumstances and before any decision based upon that processing is made about you. Processing of this type is only lawfully allowed where it results in individuals being identified with their associated calculated risk. It is not lawful for this processing to be used for other ill defined purposes, such as “health analytics”.

Despite this we have an overriding responsibility to do what is in your best interests. If we identify you as being at significant risk of having, for example a heart attack or stroke, we are justified in performing that processing.

We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

1) Data Controller contact details

 

 

College Green Medical Practice

1 Bristol Road South

Birmingham

B31 2GH

 
2) Data Protection Officer contact detailsUmar Sabat
ourhealthpartnership@nhs.net
 
3) Purpose of the processingCollege Green Medical Practice performs computerised searches of some or all of our records to identify individuals who may be at increased risk of certain conditions or diagnoses i.e. Diabetes, heart disease, risk of falling). Your records may be amongst those searched. This is often called “risk stratification” or “case finding”. These searches are sometimes carried out by Data Processors who link our records to other records that they access, such as hospital attendance records. The results of these searches and assessment may then be shared with other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care. 
4) Lawful basis for processing

The legal basis for this processing is

Article 6(1)(e); “necessary… in the exercise of official authority vested in the controller’

And

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”

We will recognise your rights under UK Law collectively known as the “Common Law Duty of Confidentiality”*

 
5) Recipient or categories of recipients of the shared dataThe data will be shared for processing with the CCG for subsequent healthcare 
6) Rights to objectYou have the right to object to this processing where it might result in a decision being made about you. That right may be based either on implied consent under the Common Law of Confidentiality, Article 22 of GDPR or as a condition of a Section 251 approval under the HSCA. It can apply to some or all of the information being shared with the recipients. Your right to object is in relation to your personal circumstances.
7) Right to access and correctYou have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law. 
8) Retention periodThe data will be retained in line with the law and national guidance. Please see the NHSx Records Management Code of Practice. 
9)  Right to Complain.

You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/

or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

 

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

Please note the National Data Opt Out does not apply to this sharing of information. For further information please see: https://www.nhs.uk/your-nhs-data-matters/

Date created: 9th February 2022

Last updated: N/A

Some members of society are recognised as needing protection, for example children and vulnerable adults. If a person is identified as being at risk from harm we are expected as professionals to do what we can to protect them. In addition we are bound by certain specific laws that exist to protect individuals. This is called “Safeguarding”.

Where there is a suspected or actual safeguarding issue we will share information that we hold with other relevant agencies whether or not the individual or their representative agrees.

There are three laws that allow us to do this without relying on the individual or their representatives agreement (unconsented processing), these are:

Section 47 of The Children Act 1989 :
(https://www.legislation.gov.uk/ukpga/1989/41/section/47),

Section 29 of Data Protection Act (prevention of crime) https://www.legislation.gov.uk/ukpga/1998/29/section/29

and

section 45 of the Care Act 2014 http://www.legislation.gov.uk/ukpga/2014/23/section/45/enacted.

In addition there are circumstances when we will seek the agreement (consented processing) of the individual or their representative to share information with local child protection services, the relevant law being; section 17 Childrens Act 1989 https://www.legislation.gov.uk/ukpga/1989/41/section/17

1) Data Controller contact details

 

College Green Medical Practice

1 Bristol Road South

Birmingham

B31 2GH

2) Data Protection Officer contact details

 

Umar Sabat, Data Protection Officer
ourhealthpartnership@nhs.net

 

3) Purpose of the processingThe purpose of the processing is to protect the child or vulnerable adult.
4) Lawful basis for processing

The sharing is a legal requirement to protect vulnerable children or adults, therefore for the purposes of safeguarding children and vulnerable adults, the following Article 6 and 9 conditions apply:

For consented processing;

6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes

For unconsented processing;

6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject

and:

9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law..’

We will consider your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*

5) Recipient or categories of recipients of the shared dataThe data will be shared with [insert local safeguarding services names and contact details
6) Rights to object

This sharing is a legal and professional requirement and therefore there is no right to object.

There is also GMC guidance:

https://www.gmc-uk.org/guidance/ethical_guidance/children_guidance_56_63_child_protection.asp

7) Right to access and correctYou have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention periodThe data will be retained for active use during any investigation and thereafter retained in an inactive stored form according to the law and national guidance.
9)  Right to Complain.

You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/

or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

Please note the National Data Opt Out does not apply to this sharing of information. For further information please see: https://www.nhs.uk/your-nhs-data-matters/

Date created: 9th February 2022

Last updated: N/A

College Green Medical Practice has the ability to record telephone calls to protect patients and staff and other health workers. Patients are protected by our having a record of our conversations with you, staff and other health workers are protected from potential abuse.

We also occasionally use recordings for staff training and quality control. When you register with us we will make this clear to you and we will also make this clear to you each time you contact us and via our web site and other sources of information Calls that contain only administrative information, such as enquiries about appointments, are only retained for one year and are then will be routinely deleted.

Calls, or transcripts of calls, audio or audio-visual recordings or elements of the discussion you have with the clinicians that contain clinical information may be added to your medical records, but this will be clarified with you at the time. The recordings are stored on the surgery telephone system

1) Data Controller contact details

College Green Medical Practice

1 Bristol Road South

Birmingham

B31 2GH

2) Data Protection Officer contact details

 

Umar Sabat
ourhealthpartnership@nhs.net

 

3) Purpose of the processingTo facilitate your access to care and in the case of telephone or other audio visual consultations for your direct care.
4) Lawful basis for processing

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…” We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality” *

5) Recipient or categories of recipients of the shared dataNecessary data will be shared with Health and care professionals and support staff in this surgery. Clinical data or records of consultations may be transcribed or appended to the records we hold on you and may thence be shared at hospitals, diagnostic and treatment centres who contribute to your personal care. Actual recordings will not be shared with anyone outside the practice. Please see our Privacy Notice for Direct Care. The actual recordings are stored on the telephone system and after a designated period of time will be either deleted or saved, onto the surgery Shared Drive if it is deemed necessary. You will be informed if the recording is to be stored for longer than is set out in this Privacy Notice and you will informed the reasons.
6) Rights to objectYou have the right to object to some or all your information being processed (shared) under current data protection legislation (Article 21 the General Data Protection Regulations 2016, and the Data Protection Act 2018).
7) Right to access and correct

Access You have the right to see the data that is being shared about you. This is known as ‘the right of subject access’. You can make a request for this information from a provider.

If your health or care provider holds information about you, and you make a subject access request they will:

· Give you a description of it

· Tell you why it is being held

· Tell you who it could be shared with

· Let you have a copy of the information in an intelligible form.

To make a Subject Access Request, you will need to contact your health or care provider’s Data Protection Officer in writing. The contact details for the DPO for each organisation can be found in section 2 of this Privacy Notice as displayed by each individual organisation, or on their website.

Rectification

You have the right to have inaccurate personal data rectified, and in some circumstances removed. Requests to amend or delete data should be made to the individual Data Controller via the DPO, as per the contact information in section 2 of this Privacy Notice.

Under current data protection legislation, all data controllers have a responsibility to ensure the information held about you is correct and up to date and must take all reasonable steps to correct or erase incorrect information as soon as possible.

All requests to amend or remove information will be addressed on an individual basis by each Data Controller, however, it should be noted that, for example, information recorded by a health or care professional that is believed to be correct at the time of documentation, even when subsequently updated, is unlikely to be removed.

There is no right to have accurate medical records deleted except when ordered by a Court of Law

8) Retention periodWe will keep recordings up to one year. Clinical data transcribed from your telephone or other electronic consultations may become part of your clinical record and is retained according to relevant rules and regulations, see Privacy Notice on Direct Care.
9)  Right to Complain.

You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/

or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

Please note the National Data Opt Out does not apply to this sharing of information. For further information please see: https://www.nhs.uk/your-nhs-data-matters/

Date created: 9th February 2022

Last updated: N/A

On 9th November 2021, the Department of Health and Social Care began the process of making it a legal requirement for any staff working in health and social care settings to be fully vaccinated against COVID-19, unless exempt. This means that each staff member will be required to provide evidence that they have been fully vaccinated against COVID-19, subject to specific exemptions, by no later than 1 April 2022.

This will include front-line workers, as well as non-clinical workers not directly involved in patient care but who nevertheless may have direct, face to-face contact with patients, such as receptionists, ward clerks, porters and cleaners. These regulations will protect vulnerable people and individual workers in health and social care settings, including hospitals, GP practices, dentists, community services and where care is delivered in a person’s home.

In order to monitor compliance with the new regulations, the organisation must collect information about vaccination status of eligible staff and/or any medical exemptions that might apply.

1) Data Controller contact details

College Green Medical Practice

1 Bristol Road South

Birmingham

B31 2GH

2) Data Protection Officer contact details

 

Umar Sabat, Data Protection Officer
ourhealthpartnership@nhs.net

 

3) Purpose of the processingTo comply with Government requirements to ensure patient-facing workers are protected against COVID-19 and to reduce the spread of the virus in the health and social care setting, which includes vulnerable individuals at higher risk of COVID-19.
4) Lawful basis for processing

In order that we can carry out processing of your personal data, we need a lawful basis to do so. The lawful bases for processing, storing and sharing this data under the General Data Protection Regulation (GDPR) are:-

Article 6(1)(e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Article 9(2)(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment.

Article 9(2)(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Article 9(2)(h) the processing is necessary for medical diagnosis, the provision of health treatment and management of a health and social care system.

Article 9(2)(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.

Furthermore, the Health and Safety at Work Act 1974 obliges employers to take reasonable steps to reduce any workplace risks; this duty gives employers justification for encouraging their employees to be vaccinated to protect themselves and everyone else at the workplace. COVID-19 is also a reportable disease under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (known as RIDDOR) which strengthens employers’ encouragement that employees should agree to vaccination.

In addition, the ‘Notice’ issued by the Secretary of State for Health sets aside the requirements of Common Law Duty of Confidentially for COVID-19 purposes, Regulation 4 Health Service Control of Patient Information Regulations 2002 provides that ‘information may be processed in accordance with these Regulations, notwithstanding any common law obligation of confidence’, meaning that identifiable patient data can be shared with other organisations where it is ‘necessary’ for a COVID-19 purpose.

5) Recipient or categories of recipients of the shared dataYour identifiable data will remain within your employing organisation.
6) Rights to object

You have the right under Article 21 of the GDPR to object to your personal information being processed. Please contact us if you wish to object to the processing of your data. You should be aware that this is a right to raise an objection which is not the same as having an absolute right to have your wishes granted in every circumstance.

You will need to provide information on your specific circumstances which relate to the reasons you are objecting.

7) Right to access and correctYou have the right to access any identifiable data that is being shared and have any inaccuracies corrected.
8) Retention period

Your information will be stored in line with the NHS Records Management Code of Practice 2021. In some circumstances, for example where we are legally required to, we may keep your information for a longer period of time.

Information that identifies you will be stored securely and processed in the UK. We will ensure that there are appropriate security safeguards including strong cyber security.

9)  Right to Complain.

You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/

or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

Please note that the COVID-19 vaccination effort is fast-moving and this privacy notice is subject to change.

Date created: 9th February 2022

Last updated: N/A

Plain English explanation

The Practice is supporting the Birmingham and Solihull Shared Care Record initiative. The Birmingham and Solihull Shared Care Record brings together all your separate records from the different organisations involved in your health and care. For further detailed information please visit: https://www.livehealthylivehappy.org.uk/birmingham-and-solihull-shared-care-record/

1) Data Controller contact details

 

College Green Medical Practice

1 Bristol Road South

Birmingham

B31 2GH

2) Data Protection Officer contact details

 

Mr Umar Sabat
ourhealthpartnership@nhs.net

 

3) Purpose of the processingCollege Green Medical Practice works with other health and social care organisations to share information that will form part of your Shared Care Record. The Shared Care Record allows health and care professionals involved in your care to view your records to help them understand your needs and make the best decisions with you, and for you. Information we hold about you will be available, to read only, to other health and care professionals in Birmingham and Solihull, Coventry and Warwickshire, and Herefordshire and Worcestershire when they are involved in your health or social care.
4) Lawful basis for processing

The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:

Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.

Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality” *

5) Recipient or categories of recipients of the shared dataThe data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.
6) Rights to objectYou have the right to object to some or all the information being processed under Article 21. Please refer to https://www.livehealthylivehappy.org.uk/birmingham-and-solihull-shared-care-record/right-to-object/
7) Right to access and correctYou have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention periodThe data will be retained in line with the law and national guidance. Please see the NHSx Records Management Code of Practice. https://www.nhsx.nhs.uk/information-governance/guidance/records-management-code/
9)  Right to Complain.

You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/

or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

Please note the National Data Opt Out does not apply to this sharing of information. For further information please see: https://www.nhs.uk/your-nhs-data-matters/

Date created: 9th February 2022

Last updated: N/A

Plain English explanation

This privacy notice applies to all employees, workers, contractors on College Green Medical Practice premises.

1) Data Controller contact details

 

College Green Medical Practice

1 Bristol Road South

Birmingham

B31 2GH

2) Data Protection Officer contact details

 

Mr Umar Sabat
ourhealthpartnership@nhs.net

 

3) Purpose of the processingThe Practice operates CCTV in the Practice for the purposes of maintaining the security of property and presmises and for preventing and investigating crime. CCTV may also be used to monitor staff when carrying out work duties.
4) Lawful basis for processingProcessing of this data is necessary to protect the vital interests of the data subject or another person; for compliance with legal obligations; and for the performance of tasks carried out in the public interest in our official functions
5) Recipient or categories of recipients of the shared dataThe data will only be processed by College Green Medical Practice
6) Rights to objectYou have the right to object to some or all of the information being shared
7) Right to access and correctYou have the right to access any CCTV recordings.  Please contact the Practice to request the footage.
8) Retention periodThe data will be retained for 31 days
9)  Right to Complain.

You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/

or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)

Date created: 9th February 2022

Last updated: N/A

Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come in to such possession. The processing of personal data is governed by the General Data Protection Regulation (the ‘GDPR’).

College Green Medical Practice

1 Bristol Road South | Birmingham | B31 2GH is the data controller. This means it decides how your personal data is processed and for what purposes. The Health and Social Care Act 2012 changed the way that personal confidential data is processed. Therefore, it is important that patients are made aware of, and understand these changes and that you have an opportunity to object if you so wish and that you know how to do so.

Health care professionals maintain records about your health and any treatment or care you have received within the NHS (e.g. NHS Hospital Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide the best possible healthcare.

NHS health records may be processed electronically, on paper or a mixture of both, and a combination of working practices and technology are used to ensure that your information is kept confidential and secure. Records held by this GP Practice may include the following information:

  •   Details about you, such as address, telephone numbers, DOB and next of kin
  •   Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
  •   Notes and reports about your health
  •   Details about your treatment and care
  •   Results of investigations, such as laboratory tests, x-rays, etc.
  •   Relevant information from other health professionals, relatives or those who care for you.

This GP Practice collects and holds data for the sole purpose of providing healthcare services to our patients and we will ensure that information is kept confidential. We can disclose personal information if:

  • It is required by law
  • You consent – either implicitly for the sake of your own care or explicitly for other purposes
  • It is justified in the public interest

Some of this information will be held centrally and used for statistical purposes. Where we hold data centrally, we take strict measures to ensure that individual patients cannot be identified.

Sharing your personal data

Sometimes information about you may be requested to be used for research purposes. The Practice will always endeavour to gain your consent before releasing the information.

Under the powers of the Health and Social Care Act 2012 (HSCA) the Health and Social Care Information Centre (HSCIC) can request Personal Confidential Data (PCD) from GP Practices without seeking the patient’s consent. Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care.

Any patient can choose to exercise their right of objection specified under the GDPR regarding their PCD being used in this way. When the Practice is about to participate in any new data-sharing scheme we will make patients aware by displaying prominent notices in the surgery and on our website at least four weeks before the scheme is due to start. We will also explain clearly what you have to do to ‘opt-in’ of each new scheme.

Though a patient can object to their personal information being shared with other health care providers but if this limits the treatment that you can receive then the doctor will explain this to you at the time.

Risk Stratification

Risk stratification is a process for identifying and managing patients who are at a higher risk of emergency hospital admission. Typically, this is because patients have a long-term condition such as COPD or cancer. NHS England encourages GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help prevent avoidable admissions.

Information about you is collected from several sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your anonymous information using computer programmes. Your information is only provided back to your GP or member of your care team in an identifiable form. Risk stratification enables your GP to focus on the prevention of ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services.

Under the GDPR we require your explicit consent to be able to perform this process. Please note the purpose of risk stratification is to prevent and detect health issues therefore we will ask our Patients for their consent to be included in this.

Invoice Validation

If you have received treatment within the NHS, access to your personal information may be required to determine which Clinical Commissioning Group should pay for the treatment or procedure you have received.

This information would most likely include information such as your name, address, date of treatment and may be passed on to enable the billing process. These details are held in a secure environment and kept confidential. This information will only be used to validate invoices and will not be shared for any further purposes.

NHS Health Checks

All of our patients aged 40-74 not previously diagnosed with cardiovascular disease are eligible to be invited for an NHS Health Check. Nobody outside the healthcare team in the practice will see confidential information about you during the invitation process and only contact details would be securely transferred to a data processor (if that method was employed). You may be ‘given the chance to attend your health check either within the practice or at a community venue. If your health check is at a community venue all data collected will be securely transferred back into the practice system and nobody outside the healthcare team in the practice will see confidential information about you during this process.

CCTV (Closed Circuit Television)
Images will be retained for 31 days and then deleted.

All images will be held securely, and all access requests and access to images will be documented.

Images may record individuals and / or record incidents. Not all recordings are designed to identify persons.

The lawful basis of recording CCTV images is for legitimate interests. Images are held to improve the personal security of patients and staff whilst on the premises, and for the prevention and detection of crime, and images may be provided to police or other bodies.

Other than in accordance with statutory rights, the release or availability of images will be at the discretion of the Partners of the Practice, who are Data Controllers for the purposes of the Data Protection Act.

Where access is granted in response to an application received, the image may be edited to exclude images of third parties who may be also included within the requested image. This may be necessary to protect the identity of the third parties. In these circumstances the image released as part of the application may record / identify the “data subject” only.

Images will be located by the Data Controller or authorised person.

When assessing the content of the image to be released the decision will be taken by the Data Controllers having due regard to the requirements of the Data Protection Act and Code of Conduct.

Your Care Connected
Your Care Connected (YCC) is an electronic record sharing system that allows authorised health and care staff to securely view key aspects of the GP record, to provide patients with better and safer care.
Please see the following website for further information: https://midlandsyourcareconnected.nhs.uk
‘The lawful basis for processing this data is for the purposes of provision of health care or treatment’ [Article 9(2) of the GDPR].

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the GDPR (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security.

All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Only a limited number of authorised staff has access to personal information where it is appropriate to their role and is strictly on a need-to-know basis.

We maintain our duty of confidentiality to you always. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.

The surgery has the ability to record telephone calls. Calls are recorded for the purpose of training, to protect staff, document information in your medical record or identify any issues in practice processes with a view to improving them.

If you do not wish for the call to be recorded then please tell the member of staff at the time and alternative arrangement will be made.

The recordings are stored securely. They are encrypted and password protected/only accessible by senior staff.  Access can be requested by contacting the practice

Necessary data will be shared with Health and care professionals and support staff in this surgery. Clinical data or records of consultations may be transcribed or appended to the records we hold on you and may thence be shared at hospitals, diagnostic and treatment centres who contribute to your personal care. Call recordings themselves will not be shared outside of the practice, unless we have a legal requirement to do so.

We may also have to share your information, subject to strict agreements on how it will be used. The following are examples of the types of organisations that we are likely to share information with:
• NHS and specialist hospitals, Trusts
• Independent Contractors such as dentists, opticians, pharmacists
• Private and Voluntary Sector Providers
• Ambulance Trusts
• Clinical Commissioning Groups and NHS England
• Social Care Services and Local Authorities
• Education Services
• Police, Fire and Rescue Services
• Other ‘data processors’ during specific project work e.g. Diabetes UK

Your rights and your personal data
Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data: –
• The right to request a copy of your personal data which this practice holds about you;
• The right to request that this practice corrects any personal data if it is found to be inaccurate or out of date;
• The right to request your personal data is erased where it is no longer necessary for the practice to retain such data. Although please note for Patients at this practice, your records will be retained until death;
• The right to withdraw consent to the processing at any time;
• The right to data portability;
• The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed on further processing;
• The right to lodge a complaint with the Information Commissioners Office.

Contact Details
Should you have any concerns about how your information is managed or wish to object to any of the data collection at the Practice, please contact the Practice Manager or your healthcare professional to discuss how the disclosure of your personal information can be restricted. All patients have the right to change their minds and reverse a previous decision. Please contact the practice if you change your mind regarding any previous choice.
If you would like to make a ‘data subject access request’ please contact the practice in writing. We will endeavour to respond to your request within one calendar month or two months if the request is complex.
Any changes to this notice will be published on our website and on the Practice notice board.
Suspected breaches in data protection can be reported to the independent OHP Data Protection Officer Leanne Hoye on 0121 422 1366. Breaches in data protection will result in an incident investigation. Serious breaches will be reported to the ICO.
It is the responsibility of all employees of the practice to report suspected breaches of information security to the Practice lead and Data Protection Officer without delay.
The Practice is registered as a data controller with the ICO. The registration number is Z7394759 and can be viewed online in the public register at: ico.org.uk. You can contact the ICO on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.

Birmingham and Solihull Shared Care Record

College Green Medical Practice works with other health and social care organisations to share information that will form part of your Shared Care Record. The Shared Care Record allows health and care professionals involved in your care to view your records to help them understand your needs and make the best decisions with you, and for you. Information we hold about you will be available, to read only, to other health and care professionals in Birmingham and Solihull, Coventry and Warwickshire, and Herefordshire and Worcestershire when they are involved in your health or social care.

For more information on how your data is used on the Shared Care Record and how to exercise your rights please see the full Privacy Notice or copy and paste this link: www.livehealthylivehappy.org.uk/birmingham-and-solihull-shared-care-record/privacy-notice/.

Sometimes information about you may be requested to be used for research purposes. The Practice will always endeavour to gain your consent before releasing the information.

Under the powers of the Health and Social Care Act 2012 (HSCA) the Health and Social Care Information Centre (HSCIC) can request Personal Confidential Data (PCD) from GP Practices without seeking the patient’s consent. Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care.

Any patient can choose to exercise their right of objection specified under the GDPR regarding their PCD being used in this way. When the Practice is about to participate in any new data-sharing scheme we will make patients aware by displaying prominent notices in the surgery and on our website at least four weeks before the scheme is due to start. We will also explain clearly what you have to do to ‘opt-in’ of each new scheme.

Though a patient can object to their personal information being shared with other health care providers but if this limits the treatment that you can receive then the doctor will explain this to you at the time.

Risk stratification is a process for identifying and managing patients who are at a higher risk of emergency hospital admission. Typically, this is because patients have a long-term condition such as COPD or cancer. NHS England encourages GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help prevent avoidable admissions.

Information about you is collected from several sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your anonymous information using computer programmes. Your information is only provided back to your GP or member of your care team in an identifiable form. Risk stratification enables your GP to focus on the prevention of ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services.

Under the GDPR we require your explicit consent to be able to perform this process. Please note the purpose of risk stratification is to prevent and detect health issues therefore we will ask our Patients for their consent to be included in this

If you have received treatment within the NHS, access to your personal information may be required to determine which Clinical Commissioning Group should pay for the treatment or procedure you have received.

This information would most likely include information such as your name, address, date of treatment and may be passed on to enable the billing process. These details are held in a secure environment and kept confidential. This information will only be used to validate invoices and will not be shared for any further purposes.

All of our patients aged 40-74 not previously diagnosed with cardiovascular disease are eligible to be invited for an NHS Health Check. Nobody outside the healthcare team in the practice will see confidential information about you during the invitation process and only contact details would be securely transferred to a data processor (if that method was employed). You may be ‘given the chance to attend your health check either within the practice or at a community venue. If your health check is at a community venue all data collected will be securely transferred back into the practice system and nobody outside the healthcare team in the practice will see confidential information about you during this process

Unless subject to an exemption under the GDPR, you have the following rights with respect to your personal data: –

  • The right to request a copy of your personal data which this practice holds about you;
  • The right to request that this practice corrects any personal data if it is found to be inaccurate or out of date;
  • The right to request your personal data is erased where it is no longer necessary for the practice to retain such data. Although please note for Patients at this practice, your records will be retained until death;
  • The right to withdraw consent to the processing at any time;
  • The right to data portability;
  • The right, where there is a dispute in relation to the accuracy or processing of your personal data, to request a restriction is placed o further processing;

The right to lodge a complaint with the Information Commissioners Office

Should you have any concerns about how your information is managed or wish to object to any of the data collection at the Practice, please contact the Practice Manager or your healthcare professional to discuss how the disclosure of your personal information can be restricted. All patients have the right to change their minds and reverse a previous decision. Please contact the practice if you change your mind regarding any previous choice.

If you would like to make a ‘data subject access request’ please contact the practice in writing. We will endeavour to respond to your request within one calendar month or two months if the request is complex.

Any changes to this notice will be published on our website and on the Practice notice board.

Suspected breaches in data protection can be reported to the independent OHP Data Protection Officer Naomi Frazer or Leanne Hoye on 0121 422 1366. Breaches in data protection will result in an incident investigation. Serious breaches will be reported to the ICO.

It is the responsibility of all employees of the practice to report suspected breaches of information security to the Practice lead and Data Protection Officer without delay.

The Practice is registered as a data controller with the ICO. The registration number is ZA188128 and can be viewed online in the public register at: ico.org.uk. You can contact the ICO on 0303 123 1113 or via email https://ico.org.uk/global/contact-us/email/ or at the ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.

This site uses cookies – small text files that are placed on your machine to help the site provide a better user experience. In general, cookies are used to retain user preferences, store information for things like shopping carts, and provide anonymised tracking data to third party applications like Google Analytics. As a rule, cookies will make your browsing experience better. However, you may prefer to disable cookies on this site and on others. The most effective way to do this is to disable cookies in your browser. We suggest consulting the Help section of your browser or taking a look at the About Cookies website which offers guidance for all modern browsers.