The Hill Practice

Privacy Policy

1 Introduction

1.1 Policy statement

This policy has been created as an easy read guide to understand how this organisation deals with patient data in accordance with the Data Protection Act 2018 and especially Part 2, Chapter 2 of the legislation that is the UK GDPR.

It can be read in conjunction with the organisation’s UK General Data Protection Regulation (UK GDPR) Policy.

1.2 Status

The organisation aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have regarding the individual protected characteristics of those to whom it applies.

2 Compliance

2.1 Data Protection Act 2018 and UK GDPR

The General Data Protection Regulation (GDPR) became law on 24 May 2016. This was a single EU-wide regulation for the protection of confidential and sensitive information. It entered into force in the UK on the 25 May 2018, repealing the Data Protection Act (1998).

Following Brexit, the GDPR became incorporated into the Data Protection Act 2018 (DPA18) at Part 2, Chapter 2 titled The UK GDPR.

This organisation will ensure that any personal data is processed in accordance with Article 5 of the UK GDPR and information about how this is done will be provided to applicants in a format that is compliant with Article 12 of the UK GDPR.

2.2 Communicating privacy information

This organisation must provide information about how data is processed in the form of a privacy notice. An easy read privacy notice template is available at Annex A.

Furthermore, the Information Commissioner’s Office (ICO) has provided a Privacy Notice Checklist.

2.3 How we use your data

This practice keeps medical records confidential and complies with the General Data Protection Regulation (GDPR) and Data Protection Act 2018. We hold your medical record so that we can provide you with safe care and treatment. We will also use your information so that this practice can check and review the quality of the care we provide. This helps us to improve our services to you.

The confidentiality of your information is very important to us and we comply with data protection legislation and the medical confidentiality guidelines of our professional bodies (namely the General Medical Council).

  • We will share relevant information from your medical record with other health care professionals when they provide you with care. For example, when you are referred to a consultant, or when we send details about your prescription to your chosen pharmacy. We recommend that we share the care given to you here with your NHS GP; however, we will only do this with your consent and would provide you with copies of all correspondence.
  • You have the right to object to information being shared for your own care. Please speak to the practice manager if you wish to object. You also have the right to have any mistakes or errors corrected.

Other important information about how your information is used to provide you with healthcare at The Hill Practice.

Registering for care at The Hill Practice.

All patients who receive care are registered on our computer system.

This database holds your name, address, date of birth, telephone number, e-mail address, confirmation that ID has been checked and your regular (NHS) GP recorded – you will be asked to indicate if you consent to The Hill Practice sharing clinical information with your regular GP (please note you may change this decision at any time). This database does not hold information about the care you receive. The information is only accessible to authorised practice members.

The database is held by The Hill Practice. Personal data about you is held in the practice’s computer system. The information is only accessible to authorised practice members. Our computer system has secure audit trails and we back up information routinely. The practice has a confidentiality policy that all staff adhere to.

The data is stored on a cloud-based practice management system called Semble, which is fully compliant with the General Data Protection Regulation (GDPR) and Data Protection Act 2018. The privacy policy can be found at the following link: Privacy Policy. The servers they use for our Services are located in London, UK. Whenever they transfer your personal data out of the EEA, they ensure a similar degree of protection is afforded to it by ensuring safeguards are implemented.

What personal data do we hold apart from that collected when registering at The Hill Practice? 

As a medical practice we will hold medical records and information about you in order to treat you appropriately and in a timely manner. To provide patients with a high standard of medical care, we need to hold personal information. This personal data can include:

  • Past and current medical conditions; personal details such as age, address, telephone number, e-mail, next of kin, NHS GP (as outlined above in the ‘Registering for care’ section)
  • X-rays and clinical photographs
  • Information about your treatment that we have provided or propose and its cost
  • Notes of conversations or incidents that might occur for which a record needs to be kept
  • Records of consent to treatment
  • Any correspondence relating to you from yourself or other health care professionals

Why do we hold information about you? 

We need to keep comprehensive and accurate personal data about patients to provide you with safe and appropriate medical care. We will ask you yearly to update your medical history and contact details.

Identifying patients who might be at risk of certain diseases

Your medical records will be searched by a computer programme, so that we can identify patients who might be at risk from certain diseases or conditions such as diabetes or hypertension. This means we can offer patients additional care or support as early as possible. Information which identifies you will only be seen by this practice. This information will also be anonymised for audit purposes to monitor and measure the quality of the care we deliver. For more information please speak to the Practice Manager.

Safeguarding 

Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm. These circumstances are rare. We do not need your consent or agreement to do this. Please ask the practice manager for information regarding our safeguarding policies. We will readily supply you with a copy, which is available from reception on demand.

 

Annex A – Easy read privacy notice

What is a privacy notice?

A privacy notice helps this surgery to tell you how it uses the information it has about you. The data could be name, address, date of birth and, importantly, the clinical records that a clinician may write about you in your healthcare record.

Why do we need one?

By law, this practice needs a privacy notice. This is detailed within the Data Protection Act 2018 and is part of the UK General Data Protection Regulation (or UK GDPR for short).

What is the UK GDPR?

The UK GDPR is part of a law that states that the information about you must remain secure. All staff at the surgery must follow these rules and keep your information safe.

How can I learn more about the privacy notice?

This surgery has lots of information about privacy on our website telling you how we use the information we have about you.  You can also ask a member of the staff should you have any questions about your data.

The UK GDPR details what needs to be provided within the privacy notice. This is:

  • What information we hold about you
  • How we keep this especially important information safe and secure and where we keep it
  • How we use your information
  • Who we share your information with
  • What your rights are
  • When the law gives us permission to use your information

What information do we collect about you?

Personal information is anything that identifies you as a person and we all have personal information. Personal information that tells us something about you includes:

  • Your name
  • Address
  • Mobile and/or home telephone number
  • Information about your parent(s) or person with parental responsibility
  • All your health records
  • Appointment records
  • Treatments you have had
  • Medicines prescribed for you and any other information to help us to look after you

How do we use your information?

Your information is taken to help us to provide your care. We might need to share this information with other medical teams. We only usually use your information to help us to care for you. That means we might need to share your information with other people who are concerned and involved with looking after your health, such as hospitals if you need to be seen there.

We might also need to share your information with the police, courts, social services, solicitors and other people who have a right to your information, but we always make sure that they have a legal right to see it (or have a copy of it) before we provide it to them. The law gives us permission to use your information in situations when we need it to take care of you. Because information about your health is very personal, sensitive and private to you, the law is very strict about how we use it. So, before we can use your information in the ways we have set out in this privacy notice, we have to have a good reason in law which is called a ‘lawful basis’.

Not only do we have to do that, but we also have to show that your information falls into a special group or category because it is very sensitive. By doing this, the law makes sure we only use your information to look after you and that we do not use it for any other reason.

If you would like more information about this, please ask to speak to our Data Protection Officer (DPO), who is mentioned in this privacy notice and who will explain this in more detail.

How do we keep your information safe?

We know that it is really important to protect the information we have about you. Therefore, we will follow the rules that are written in the Data Protection Act and the Chapter that details the UK GDPR. The law says that we must do all we can to keep your information private, safe and secure.

We use secure computer systems and we make sure that any written information held about you is kept securely and we train our staff to respect your privacy and deal with your information in a manner that makes sure it is always kept and dealt with in a safe way.

What if I have a long-term medical problem?

If you have a long-term medical problem then we know it is important to make sure your information is shared with other healthcare workers to help them to help you, making sure you get the care you need when you need it.

Who else will see my information? 

Usually, only staff at this practice are allowed to see your information. Should you need to go to the hospital then we may be asked to share your information with them, but this is only so that we can take care of you.

Sometimes we might be asked to take part in medical research that could help you in the future. We will always ask you or your parent(s) or an adult with parental responsibility if we can share your information if this happens.

Possibly the police, social services, the courts or other organisations may have a legal right to see your information.

What if I don’t want to opt out of sharing my medical information?

England: All our patients, no matter what their age, can say that they don’t want to share their information. If you’re under 13 this is something that your parents or an adult with parental responsibility will have to decide. If you’re over 13 and need help, then it may make sense to discuss this with those who care for you.

Should you want to discuss this further, then you can discuss any concerns that you have with a member of staff at the surgery.

You have a right to ask us not to share your information. Should you want to talk to us about not sharing your information, even if this means you do not want us to share your information with your parent(s) or an adult with parental responsibility, please let us know.

How to access my records?

If you want to see what is written about you, you have a right to access the information we hold about you, but you will need to complete a Subject Access Request (SAR). There are some rules on this.

  • If you are under 16, your parents or adults with parental responsibility can do this on your behalf.
  • If you are over 12, you may be classed as being competent and may be able to do this yourself.
  • If you are over 16 and need help in understanding what to do, then you can still ask the person who cares for you to do it on your behalf.

You may also be able to access your records online and you can discuss this with a member of staff at the surgery.

What if there is something wrong in my record?

If you believe that there are any errors in the information that we hold about you, then you can ask us to correct it.

Can I get anything removed from my record?

Legally, we cannot remove any of the information we hold about you as we need all this information to take care of you.

What to do if I have a question?

Should you have any questions about this privacy policy or the information we hold about you, you can discuss this with a member of staff, or your parents or adults with parental responsibility, or the person who cares for you.

They will advise you to either:

Please note that the DPO is specially trained in data management.

What if I have a complaint about how my information is being managed?

If you are unhappy with any element of our data processing methods, contact the Practice Manager in the first instance. If you feel that we have not addressed your concern appropriately, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

For further details, visit https://ico.org.uk/for-the-public/ and select “Make a complaint” or telephone: 0303 123 1113 (Monday to Friday 9am to 5pm). A complaint may also be made via the ICO live chat service.

The ICO is the regulator for the UK GDPR and offers independent advice and guidance on the law and personal data including your rights and how to access your personal information.

Let's Talk

Get in touch

Phone

07771 141720

office@thehillpractice.com

Address

The Hill Practice
Cloud Twelve
2-5 Colville Mews
London
W11 2DA

Office Hours
Monday to Friday: 8:30am – 6:00pm
Saturday: 10:30am – 2:00pm

Appointment Times
Monday to Friday: 9:00am – 6:00pm
Saturday: 10:30am – 2:00pm

Please contact us within office hours to arrange a home visit if required.
Emergencies will be seen the same day if at all possible.