What is GDPR?
On 25th May 2018 the General Data Protection regulations (GDPR) came into force in the UK. The GDPR builds on the current Data Protection Act 1998 (DPA) and will strengthen the legislation, giving individuals more rights and protections.
What are your rights?
Under GDPR individuals have the following rights:
- The right to be informed about the collection and use of their personal data.
- The right of access to their personal data and supplementary information and the right to obtain confirmation that their data is being processed
- The right to rectification, i.e. the right to have inaccurate personal data rectified, or completed if it is incomplete. In certain circumstances a request for rectification can be refused.
- The right to erasure, also known as ‘the right to be forgotten’. This right is not absolute and only applies in certain circumstances.
- The right to request the restriction or suppression of their personal data. When processing is restricted, it is permitted to store the personal data, but not to use it. This right is not absolute and only applies in certain circumstances.
- The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. This right only applies to information an individual has provided to a controller.
- The right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
- Rights in relation to automated decision making (i.e.without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual). This applies to all automated individual decision-making and profiling. This type of decision-making can only be carried out where the decision is:
- necessary for the entry into or performance of a contract; or
- authorised by Union or Member state law applicable to the controller; or
- based on the individual’s explicit consent.
What is the lawful basis for Fairfield Park to process your data?
There are six available lawful bases for processing. The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery, and in support of direct care elsewhere, is supported under the following Article 6 and 9 conditions of the GDPR:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”
What information will we collect from you?
GP Records are stored electronically and on paper and include personal details about you such as your address, carers, legal representatives, emergency contact details, as well as:
- Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments and telephone calls
- Notes and reports about your health
- Details about your treatment and care
- Details about any medication you are taking
- Results of investigations such as laboratory tests, x-rays
- Relevant information from other health professionals, relatives or those who care for you
Why do we collect this information?
Your records are used to ensure you receive the best possible care from our nurses and doctors. It enables the staff to see previous treatments, medications and enables them to make informed decisions about future decisions about your care. It helps the doctors to see lists of previous treatments and any special considerations which need to be taken into account when care is provided.
Important information is also collected to help us to remind you about specific treatment which you might need, such as health checks, or reminders for screening appointments such as cytology reminders.
Information held about you may be used to help protect the health of the public and to help us to improve NHS services. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided.
Staff at the practice use your information to help deliver more effective treatment to you and to help us to provide you with proactive advice and guidance.
How will Fairfield Park Health Centre use your data?
- We will handle all medical records according to the laws on data protection and confidentiality.
- We share medical records with health professionals who are involved in providing you with care and treatment. This is on a need to know basis and event by event.
- Some of your data is automatically copied to the Shared Care Summary Record
- We may share some of your data with local out of hours, urgent or emergency care services
- Data about you is used to manage national screening campaigns such as Flu, Cervical cytology and Diabetes prevention.
- Data about you, usually anonymised, is used to manage the NHS and make payments.
- We share information when the law requires us to do, for instance when we are inspected or reporting certain illnesses or safeguarding vulnerable people.
- Your data is used to check the quality of care provided by the NHS.
- We may sometimes share medical records, usually anonymised, for medical research.
Circumstances under which we may share your data include:
The delivery of direct patient care.
We keep data on you relating to who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care.
When registering for NHS care, all patients who receive NHS care are registered on a national database, the database is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS Data.
GPs have always delegated tasks and responsibilities to others that work with them in their surgeries. On average an NHS GP has between 1,500 to 2,500 patients for whom he or she is accountable. It is not possible for the GP to provide hands on personal care for each and every one of those patients. For this reason GPs share your care with others, predominantly within the surgery but occasionally with outside organisations.
If your health needs require care from others outside this practice we will exchange with them whatever information about you is necessary for them to provide that care. When you make contact with healthcare providers outside the practice but within the NHS it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non NHS services but this is not always the case.
Your consent to this sharing of data, within the practice and with those others outside the practice is assumed and is allowed by the Law.
People who have access to your information will only normally have access to that which they need to fulfil their roles, for instance admin staff will normally only see your name, address, contact details, appointment history and registration details in order to book appointments, the practice nurses will normally have access to your immunisation, treatment, significant active and important past histories, your allergies and relevant recent contacts whilst the GP you see or speak to will normally have access to everything in your record.
You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests.
There are occasions when intervention is necessary in order to save or protect a patient’s life or to prevent them from serious immediate harm, for instance during a collapse or diabetic coma or serious injury or accident. In many of these circumstances the patient may be unconscious or too ill to communicate. In these circumstances we have an overriding duty to try to protect and treat the patient. If necessary we will share your information and possibly sensitive confidential information with other emergency healthcare services, the police or fire brigade, so that you can receive the best treatment.
The law acknowledges this and provides supporting legal justifications.
Individuals have the right to make pre-determined decisions about the type and extent of care they will receive should they fall ill in the future, these are known as “Advance Directives”. If lodged in your records these will normally be honoured despite the observations in the first paragraph.
As part of national screening programmes.
The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These currently apply to bowel cancer, breast cancer, aortic aneurysms and diabetic retinal screening service. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.
For regulatory inspection by the Care Quality Commiission (CQC).
The Care Quality Commission (CQC) is an organisation established in English law by the Health and Social Care Act. The CQC is the regulator for English health and social care services to ensure that safe care is provided. They inspect and produce reports on all English general practices in a rolling 5 year program. The law allows CQC to access identifiable patient data as well as requiring this practice to share certain types of data with them in certain circumstances, for instance following a significant safety incident.
For more information about the CQC see: https://www.cqc.org.uk/
For planning and commissioning services locally.
The records we keep enable us to plan for your care.
This practice keeps data on you that we apply searches and algorithms to in order to identify possible preventive interventions.
This means using only the data we hold or in certain circumstances linking that data to data held elsewhere by other organisations, and usually processed by organisations within, or bound by contracts with, the NHS.
If any processing of this data occurs outside the practice your identity will not be visible to the processors. Only this practice will be able to identify you and the results of any calculated factors, such as your risk of having a heart attack in the next 10 years or your risk of being admitted to hospital with a complication of chest disease
You have the right to object to our processing your data in these circumstances and before any decision based upon that processing is made about you. Processing of this type is only lawfully allowed where it results in individuals being identified with their associated calculated risk. It is not lawful for this processing to be used for other ill defined purposes, such as “health analytics”.
Despite this we have an overriding responsibility to do what is in your best interests. If we identify you as being at significant risk of having, for example a heart attack or stroke, we are justified in performing that processing.
This practice does not currently participate in research. If we do participate in research at any time in the future we will only agree to participate in a project if there is an agreed clearly defined reason for the research that is likely to benefit healthcare and patients. Such proposals will normally have a consent process, ethics committee approval, and will be in line with the principles of Article 89(1) of GDPR.
Research organisations do not usually approach patients directly but will ask us to make contact with suitable patients to seek their consent. Occasionally research can be authorised under law without the need to obtain consent. This is known as the section 251 arrangement1. We may also use your medical records to carry out any research that we may agree to participate in within the practice in the future.
In the interests of Public Health.
Public health encompasses everything from national smoking and alcohol policies, the management of epidemics such as flu, the control of large scale infections such as TB and Hepatitis B to local outbreaks of food poisoning or Measles. Certain illnesses are also notifiable, i.e. the doctors treating the patient are required by law to inform the Public Health Authorities, for instance Scarlet Fever.
This will necessarily mean the subjects personal and health information being shared with the Public Health organisations.
In the interests of safeguarding.
Some members of society are recognised as needing protection, for example children and vulnerable adults. If a person is identified as being at risk from harm we are expected as professionals to do what we can to protect them. In addition we are bound by certain specific laws that exist to protect individuals. This is called “Safeguarding”.
Where there is a suspected or actual safeguarding issue we will share information that we hold with other relevant agencies whether or not the individual or their representative agrees.
There are three laws that allow us to do this without relying on the individual or their representatives agreement (unconsented processing), these are:
- Section 47 of The Children Act 1989 :
- Section 29 of Data Protection Act (prevention of crime)
- Section 45 of the Care Act 2014
In addition there are circumstances when we will seek the agreement (consented processing) of the individual or their representative to share information with local child protection services, the relevant law being Section 17 Childrens Act 1989
For NHS payments processes
Contract holding GPs in the UK receive payments from their respective governments on a tiered basis. Most of the income is derived from baseline capitation payments made according to the number of patients registered with the practice on quarterly payment days. These amounts, paid per patient, per quarter vary according to the age, sex and other demographic details for each patient. There are also graduated payments made according to the practice’s achievement of certain agreed national quality targets known as the Quality and Outcomes Framework (QOF), for instance the proportion of diabetic patients who have had an annual review. Practices can also receive payments for participating in agreed national or local enhanced services, for instance opening early in the morning or late at night or at the weekends. Practices can also receive payments for certain national initiatives such as immunisation programs and practices may also receive incomes relating to a variety of non-patient related elements such as premises. Finally there are short term initiatives and projects that practices can take part in. Practices or GPs may also receive income for participating in the education of medical students, junior doctors and GPs themselves as well as research.
In order to make patient based payments basic and relevant necessary data about you needs to be sent to the various payment services. The release of this data is required by English laws.
Reporting via NHS Digital
NHS Digital is the secure haven for NHS patient data, a single secure repository where data collected from all branches of the NHS is processed. NHS Digital provides reports on the performance of the NHS, statistical information, audits and patient outcomes (https://digital.nhs.uk/data-and-information). Examples include; A&E and outpatient waiting times, the numbers of staff in the NHS, percentage target achievements, payments to GPs etc and more specific targeted data collections and reports such as the Female Genital Mutilation, general practice appointments data and English National Diabetes Audits. GPs are required by the Health and Social Care Act to provide NHS Digital with information when instructed. This is a legal obligation which overrides any patient wishes. These instructions are called “Directions”.
For maintaining the Summary Care Record.
The Summary Care Record consists of a basic medical record held on a central government database on every patient registered with a GP surgery in England. The basic data is automatically extracted from your GP’s electronic record system and uploaded to the central system. GPs are required by their contract with the NHS to allow this upload. The basic upload consists of current medication, allergies and details of any previous bad reactions to medicines, the name, address, date of birth and NHS number of the patient
As well as this basic record additional information can be added, and this can be far reaching and detailed. However, whereas the basic data is uploaded automatically any additional data will only be uploaded if you specifically request it and with your consent.
Summary Care Records can only be viewed within the NHS on NHS smartcard controlled screens or by organisation, such as pharmacies, contracted to the NHS.
How long will my data be kept for?
Data will be retained in accordance with the Records Management Code of Practice for Health and Social Care 2016 which sets out how long records should be retained, either due to their ongoing administrative value or as a result of statutory requirement. For example:
GP patient records
10 years after the death of the patient
Adult Health & Social care records
Until 25th birthday
Mental Health records
20 years (or 8 years after the patient’s death)
Maternity (ante-natal & post-natal)
30 years after diagnosis (or 8 years after the patient’s death)
8 years (or 10 years if an implant or device has been fitted)
The full list of retention periods for all data is available on request from the Practice Manager.
If you are unhappy with how we handle your data:
The Data Protection Officer (DPO) for Fairfield Park Health Centre is Dr Laurence Heywood and he is based at Banes Enhanced Medical Services (BEMS+) Tel: 01225 560805 or firstname.lastname@example.org
Alternatively, you can complain by following the Practice’s complaints procedure. Details of how to raise a complaint with the Practice are contained in our complaints leaflet, available from the surgery or on our website.
If you are still not happy once we have responded to your complaint regarding how we process your data, you can raise your concern with the Information Commissioners Office (ICO) at:
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number