Our legal basis for processing your data
Processing is for the direct patient care and GP practices must establish both a lawful basis for processing and a special category condition for processing to comply with the General Data Protection Regulation (GDPR).
The lawful basis for processing is Article 6(1)(e) “necessary in the exercise of official authority vested in the controller” and the special category condition is Article 9(2)(h) “necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services”.
Where disclosures are a legal requirement the lawful basis and special category condition for processing are: Article 6(1)(c) “… for compliance with a legal obligation …” and Article 9(2)(h) “…management of health or social care systems…”
The surgery will always gain your consent before releasing the information for this purpose, the GDPR lawful basis and special category condition are Article 6(1)(e) “… for the performance of a task carried out in the public interest…” and Article 9(2)(j) “…research purposes…”
How we use your personal information
Healthcare professionals who provide you with care maintain records about your health and any treatment or care you have received, for example NHS Trusts, GP Surgeries, Walk-in-Centres etc. These records are used to help to provide you with the best possible healthcare.
NHS healthcare records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records this GP Practice hold about you may include the following information:
Details about you, such as your name, address, date of birth, carers, legal representatives and emergency contact details.
Any contact the surgery has with you, such as appointments, visits, telephone calls etc.
Notes and reports about your health.
Details about your treatment and care.
Results of investigations such as laboratory tests, x-rays etc.
Relevant information from other health professionals, relatives or those who care for you.
Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information using software, and is only provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary your GP may be able to offer you additional services. Please note that you have the right to opt out of your data being used in this way.
The Practice may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost effective treatments. This service is provided to practices within North Yorkshire through NHS Vale of York CCG.
Disclosures which are required by law or clinical audit requirements
In order to comply with its legal obligations this practice may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012 and the practice contributes to national clinical audits and will send the data which are required by NHS Digital when the law allows. This may include demographic data, such as date of birth and information about your health which is recorded in coded form.
Disclosures for medical research or health management purposes
The surgery will always gain your consent before releasing the information for this purpose, the practice contributes to medical research and may send relevant information to medical research databases when consent is obtained and the law allows.
Your GP Practice supports a medicines management review service of medications prescribed to its patients. This service involves a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments. This service is provided by qualified and registered healthcare professionals from within the GP practice, our NHS Primary Care Network, NHS Vale of York Clinical Commissioning Group or by external partners approved by the GP practice. Patient identifiable information does not leave the practice system but is accessed to ensure only appropriate clinical recommendations or decisions are made for each patient. Each patient can opt out of (or back into) the practice using their data for anything other than specified purposes or where there is a lawful requirement to do so.
How do we maintain the confidentiality of your records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)
Human Rights Act 1998
Common Law Duty of Confidentiality
Health and Social Care Act 2012
NHS Codes of Confidentiality, Information Security and Records Management
Information: To Share or Not to Share Review
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.
We will only every use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (eg life or death situations), where the law requires information to be passed on and/or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality”. This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies.
Who are our partner organisations?
We may also have to share information, subject to strict agreements on how it will be used, with the following organisations:
NHS Trusts/Foundation Trusts
WoNE York Primary Care Network
NHS Commissioning Support Units
Independent Contractors such as dentists, opticians, pharmacists
Private Sector Providers
Voluntary Sector Providers
Clinical Commissioning Groups
Social Care Services
Fire and Rescue Services
Police & Judicial Services
Other “data processors” which you will be informed of
You will be informed who your data will be shared with and in some cases asked for explicit consent for this to happen when required.
We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.
The Yorkshire & Humber Care Record
The Yorkshire & Humber Care Record is a shared system that allows Healthcare staff within the Humber, Coast and Vale Health and Social Care community to appropriately access the most up-to-date and correct information about patients, to deliver the best possible care.
The Yorkshire & Humber Care Record Guarantee is our commitment that we will use records about you in ways that respect your rights and promote your health and wellbeing.
If you would like any further information, or would like to discuss this further, please contact the Practice Manager, or click on the following link: YHCR toolkit
Your rights in relation to your data
Right to Access – please see the “access to personal information” section below.
Right of rectification – right for individuals to have inaccurate personal data rectified.
Right to object – you have the right to object to the processing of your data at anytime.
Access to personal information
You have a right under General Data Protection Regulation to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. This is known as “subject access request” (SAR) and in order to request this you need to do the following:
Your request can be made verbally or in writing to the GP Practice – for information from the hospital or other healthcare provider you should write direct to them.
No charge will be made to provide the information.
We are required to respond to you within 30 days of receipt of request.
You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located.
How long data will be retained
We will hold, protect and maintain your data for as long as the patient/doctor relationship is in place, this will either be until your death or if you decide to move to another GP practice, if you do move your data will follow you.
Cookies allow websites to, amongst other things, remember if you have logged in or not, remember your preferences and tailor your experience of the website. We use the following cookies:
Session (Transient) cookies: These cookies are erased when you close your browser, and do not collect information from your computer. They typically store information in the form of a session identification that does not personally identify the user.
Persistent (Permanent or Stored) cookies: These cookies are stored on your hard drive until they expire (i.e. the are based on a set expiration date) or until you delete them. These cookies are used to collect identifying information about the user, such as Web surfing behavior or user preferences for a specific site.
You can choose to decline or accept cookies. Most web browsers automatically accept cookies, but you can usually modify your browser settings to decline cookies if you prefer; however, this may prevent you from taking full advantage of the functionality of a website. Please see aboutcookies.org for more detailed information about cookies.
Change of Details
It is important that you inform us if any of your details such as your name or address have changed or if any of your details such as date of birth is incorrect in order for this to be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date.
GDPR requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.
The information is publicly available on the Information Commissioners Office website www.ico.org.uk.
This Practice is registered with the Information Commissioners Office (ICO).
Who is the Data Controller?
The Data Controller, responsible for keeping your information secure and confidential is:
The Old School Medical Practice
If you are happy for your data to be extracted and used for the purposes described in this privacy notice then you do not need to do anything. If you have any concerns about how your data is shared or information managed then please contact the Practice Manager:
Practice Manager, The Old School Medical Practice, Horseman Lane, Copmanthorpe, York, YO23 3UA
If you are still unhappy following a review by the Practice, you can then complain to the Information Commissioners Office (ICO) www.ico.gov.uk, telephone 0303 123 1113 (local rate) or 01625 545 745.