Practice Policies & Patient Information
Statement of Purpose
Trentham Mews Medical Centre is a GMS practice based in the community of Trentham and Hanford in Stoke on Trent.
The registered manager for the service and named GP is Dr Jane McPherson.
We aim to improve the health and well-being of the practice population by providing general medical practice services to our registered patients living within this area.
This includes:
Long Term Condition Management: Asthma, COPD, Diabetes & Heart Failure.
Maternity Care: The practice adheres to the guidelines provided by the midwifery service, which are implemented by our attached midwives.
Women's Health: Contraception advice, family planning (emergency contraception), cervical smears and advice regarding the menopause.
Vaccinations and Immunisations: Travel and childhood immunisations.
Minor Surgery: A wide range of minor operations including the removal of moles, warts and other skin lumps, injection of varicose veins and cryotherapy (freezing) for verrucas etc.
Health promotion and disease prevention: this includes long-term condition management, annual reviews and education.
In addition to this we can offer Smoking Cessation support.
Data Protection Impact Assessment (DPIA)
WHAT IS A DATA PROTECTION IMPACT ASSESSMENT (DPIA)?
A DPIA is a process designed to help the practice systematically analyse, identify, and minimise the data protection risks of a project or plan. It is a key part of the practice’s accountability obligations under the Data Protection Act 2018, and when done properly helps to assess and demonstrate compliance with all of the practice’s data protection obligations.
It does not have to eradicate all risk, but it should help you minimise risk and determine whether or not the remaining level of risk is acceptable in the circumstances, taking into account the benefits of what you want to achieve.
DPIAs are designed to be a flexible and scalable tool that you can apply to a wide range of sectors and projects. Conducting a DPIA does not have to be complex or time-consuming in every case, but there must be a level of rigour in proportion to the privacy risks arising.
IS A DPIA A LEGAL REQUIREMENT?
The simple answer is yes, wherever the processing of personal (including pseudonymised) data is required. The legal responsibility sits with the Practice (the Data Controller). Failure to carry out a DPIA when required may leave the Practice open to enforcement action, including significant fines (10 million euros or 2% of global annual turnover, whichever is higher).
By considering the risks related to the intended processing before you begin, you also support compliance with another general obligation under Data protection: Data Protection by Design and Default.
In general, consistent use of DPIAs increases the awareness of privacy and data protection issues within the practice. It also ensures that all relevant staff involved in designing projects think about privacy at the early stages and adopt a ‘data protection by design’ approach.
A DPIA also brings broader compliance benefits, as it can be an effective way to assess and demonstrate your compliance with all data protection principles and obligations.
However, DPIAs are not just a compliance exercise. An effective DPIA allows you to identify and fix problems at an early stage, bringing broader benefits for both individuals and your organisation.
WHO COMPLETES THE DPIA?
The practice IG Lead will take the lead on completion of the DPIA. The DPIA will need to be reviewed by multiple people, including the Data Protection Officer, Caldicott Guardian and Senior Information Risk Owner for the Data Controller, so it is important that it is in plain English and jargon free. DPIAs are also available to the public under the Freedom of Information Act (a list of completed DPIAs should be included on each data controller's website) and so need to be understandable to a member of the public who has no knowledge of the service or project.
Once you have provided an overview of what you plan to do, this should be submitted to mlcsu.ig@nhs.net. On receipt, the compliance team will review it to ensure that all the required information is present. If any further information or clarification is needed, they will come back to you and work through this with you. Once all information is recorded in plain English and in an easy to understand form, it will be transferred to the Primary Care Information Governance Business Partners.
The Business Partners will work with the project lead at the practice to complete the technical, legal and security requirements. This may require the project lead to discuss further with customers for more information or even system suppliers to answer some of the more technical questions.
Once the Business Partner is happy that the DPIA is filled out as fully as possible they will then send this on to the relevant Data Protection Officer (DPO) who will complete a peer review. The Data Protection Officer will either come back requiring more information or clarification before recommending for approval.
Once the DPO is happy they will recommend that the DPIA is approved by the practice Caldicott Guardian and Senior Information Risk Owner (if applicable).
The Data Protection Officer will review the DPIA through a data protection lens; the Caldicott Guardian will review it taking into account the rights and privacy of the individuals whose data is being processed; and the Senior Information Risk Owner will review it with the risks to the organisation of processing the data for this purpose, or conversely the risk of not processing it, as their main concern. This gives the Data Controller the greatest depth of review, so that, should something then go wrong, they can evidence that all the required steps were taken.
WHAT IS PERSONAL DATA?
Any information from which an individual can be identified, either directly from the information in question or indirectly from that information in combination with other information (in your possession or theirs).
- Are you planning to process personal or pseudonymised data or make changes to how you process it? If the answer is yes, then you need to speak to IG to see whether a DPIA is required.
- Is your project description easy to understand? Does it meet the ‘family test’ – could a member of your family understand the project description?
- I cannot answer all the questions – what shall I do? A DPIA may not have all the answers! It may identify where further information is needed, and it may be approved subject to things being implemented in a certain way, thereby helping you to design with privacy central to the plans.
- Are you carrying out any of the following activities? If the answer is yes to one or more, you need to be aware of when to carry out a DPIA. The IG service can offer full DPIA training to teams that need to know this!
- Evaluation or scoring.
- Automated decision-making with significant effects.
- Systematic monitoring.
- Processing of sensitive data (health data) or data of a highly personal nature.
- Processing on a large scale.
- Processing of data concerning vulnerable data subjects.
- Innovative technological or organisational solutions.
- Processing that involves preventing data subjects from exercising a right or using a service or contract.
GP Net Earnings
The average pay for GPs working in the practice of TRENTHAM MEWS MEDICAL CENTRE in the last financial year was £40,374 before tax and national insurance.
This figure covers 1 full-time GP and 2 part-time GPs working in the practice in the last 6 months.
Information Governance and Data Security Protection Policy
Summary
Information is a vital asset, both in terms of the clinical management of individual patients and the efficient management of services and resources. It plays a key part in clinical governance, service planning and performance management.
It is therefore of paramount importance to ensure that information is efficiently managed, and that appropriate policies, procedures and management accountability and structures provide a robust governance framework for information management.
The TRENTHAM MEWS MEDICAL CENTRE will establish and maintain this policy and the associated procedures to ensure compliance with the requirements contained in the Data Security and Protection Toolkit (DSPT).
This policy and its supporting procedures are fully endorsed by the Practice Management Team through the production of these documents and their endorsement and approval by the Information Governance Lead and Caldicott Guardian.
Scope
This policy covers all aspects of information within the organisation, including but not limited to:
- Patient/client/service user information
- Personal Information
- Organisational Information
This policy covers all aspects of handling information, including but not limited to:
- Structured record systems – paper and electronic
- Transmission of information – email, other forms of electronic transmission such as FTP, post, and telephone
This policy covers all information systems purchased, developed, and managed by or on behalf of the Practice, and any individual directly employed or otherwise working for the Practice.
The key component underpinning this policy is the annual improvement plan arising from a baseline assessment against the standards set out in the Data Security and Protection Toolkit.
This policy cannot be seen in isolation as information plays a key part in corporate governance, strategic risk, clinical governance, Caldicott principles, service planning, performance, and business management.
The policy therefore links into all these aspects of the Practice and should be reflected in any respective strategies/policies.
Principles
The Practice recognises the need for an appropriate balance between openness and confidentiality in the management and use of information.
All staff should read and sign the Staff Confidentiality Agreement and a copy should be retained on the staff record.
The Practice fully supports the principles of corporate and information governance and recognises its public accountability, but equally places importance on the confidentiality of, and the security arrangements to safeguard, both personal information about patients and staff and commercially sensitive information.
The Practice also recognises the need to share patient information with other health organisations and other agencies in a controlled manner consistent with the interests of the patient and, in some circumstances, the public interest.
The Practice believes that accurate, timely and relevant information is essential to deliver the highest quality health care. As such it is the responsibility of everyone in the Practice to ensure and promote the quality of information and to actively use information in decision making processes.
The Practice will abide by the Caldicott Principles – these are listed in Appendix A, and the Data Protection Act 2018 principles – these are listed in Appendix B.
There are 5 key interlinked strands to the Information Governance Policy:
- Openness
- Legal Compliance
- Information Security
- Records Management
- Data Quality
Openness
- The Practice recognises the need for an appropriate balance between openness and confidentiality in the management and use of information.
- Non-confidential information about the Practice and its services will be available to the public through a variety of media (e.g., leaflets, Internet, newsletter).
- The Practice regards all identifiable information relating to patients as confidential. Compliance with the legal and regulatory framework will be achieved, monitored, and maintained.
- The Practice regards all identifiable information relating to staff as confidential except where national policy on accountability and openness requires otherwise.
Legal Compliance
- The Practice will establish and maintain policies and procedures to ensure compliance with the Data Protection Act 2018/UK GDPR, Human Rights Act 1998, Common Law Duty of Confidentiality, Freedom of Information Act 2000, and Environmental Information Regulations.
- The Practice will ensure that when personal identifiable information is shared, the sharing complies with the law, guidance, and best practice and both service users’ rights and the public interest are respected.
- Information Governance training including awareness and understanding of Caldicott principles and confidentiality, information security, records management and data protection will be mandatory for all staff. Information governance will be included in induction training for all new staff.
- The Practice will undertake annual assessments and audits of its policies and arrangements for openness.
- Patients will have ready access to information relating to their own health care, their options for treatment and their rights as patients.
- The Practice will have clear procedures and arrangements for liaison with the press and broadcasting media.
- The Practice will have clear procedures and arrangements for handling queries from patients and the public.
- The Practice regards all person identifiable information, including that relating to patients as confidential.
- The Practice will undertake annual assessments and audits of its compliance with legal requirements.
- The Practice regards all identifiable personal information relating to staff as confidential except where national policy on accountability and openness requires otherwise.
- The practice will ensure that data is stored securely and processed in line with relevant legislation in relation to confidentiality. All staff must pay due regard to where they record information, what they record, how they store it and how they share information ensuring they comply with national and local requirements, policies, and procedures.
- The Practice will ensure compliance with the Data Protection Act 2018/UK GDPR, Human Rights Act 1998 and the Common Law Duty of Confidentiality and other relevant legislation (e.g., Health and Social Care Act, Crime and Disorder Act, Protection of Children Act).
Information Security and Incident Reporting
- The Practice will undertake annual assessments and audits of its information and IT security arrangements through the Data Security and Protection Toolkit framework.
- The Practice will promote effective confidentiality and security procedures to its staff through policies, procedures, and training.
- The Practice will ensure that data is stored securely and processed in line with relevant legislation and local policy in relation to confidentiality. All staff must pay due regard to where they record information, what they record, how they store it and how they share information ensuring they comply with national and local requirements, policies and procedures.
- The Practice will establish and maintain incident reporting procedures and will monitor and investigate all reported instances of actual or potential breaches of confidentiality and security.
- The Practice will log and record all reportable data security and protection incidents via the Data Security and Protection Toolkit reporting tool.
- The Practice will report a notifiable breach to the Information Commissioner’s Office without undue delay; if notification takes longer than 72 hours, a specific reason for the delay will be given.
Records Management
- The Practice will undertake annual assessments and audits of its records management arrangements.
- The Practice will ensure that information is managed throughout its lifecycle of creation, retention, maintenance, use and disposal.
- The Practice will ensure that information is effectively managed so that it is accurate, up to date, secure, retrievable, and available when required.
- All staff have a duty for the maintenance and protection of records they use. Only authorised staff should have access to records.
- The practice will identify and safeguard vital records necessary for business continuity and include them in the business continuity/disaster recovery plans.
- The practice will record any incidents relating to records, including unavailability and loss, on the Data Security and Protection Toolkit.
- Record-keeping standards require accuracy of statements, with particular attention paid to stating facts, not opinions.
- The practice will periodically check for records that have reached their minimum retention period and if there is no justification for continuing to hold them, they will be disposed of appropriately.
Data Quality
- It is the responsibility of all staff to ensure the information they generate is legible, complete, accurate, relevant, accessible, and recorded in a timely manner. The quality of information produced can have a significant impact on the quality of services that we provide.
- The practice will ensure the quality of its records to the highest standards and, wherever possible, information quality should be assured at the point of collection.
The practice will ensure:
- That all data will be correct and accurately reflect what happened. It is important to note that the accuracy and timeliness of data does not relate only to patient data.
- That data will be within an agreed format which conforms to recognised national or local standards. Codes must map to national values and wherever possible, computer systems should be programmed to only accept valid entries.
- That data will be captured in full. All mandatory data items within a data set should be completed and default codes will only be used where appropriate, not as a substitute for real data.
- That data will be dealt with in a timely manner and should be collected at the earliest opportunity; recording of timely data is beneficial to the treatment of the patient. All data will be recorded to a deadline which will ensure that it meets national reporting and extract deadlines.
- That data collected should be understood by the staff collecting it and data items should be internally consistent. Data definitions should be reflected in procedure documents.
- That data will reflect the work of the Practice and not go unrecorded.
- That patients should not have duplicated or confused patient records, and where possible data should be recorded once, and staff should know exactly where to access the data. Where a duplicate record is created, for example in the event that a record is misplaced, records should be merged once the original is found.
Responsibilities
The Practice Manager, the designated Information Governance Lead in the Practice, is responsible for overseeing day to day Information Governance issues: developing and maintaining policies; standards, procedures, and guidance; co-ordinating Information Governance in the Practice; raising awareness of Information Governance and ensuring that there is ongoing compliance with the policy and its supporting standards and guidelines.
All staff, whether permanent, temporary or contracted, and contractors are responsible for ensuring that they are aware of the Information Governance responsibilities incumbent upon them and for ensuring that they comply with these on a day-to-day basis.
Dr G R W Thomas has been appointed as Caldicott Guardian for the Practice. This role is an amalgamation of management and clinical issues which helps to ensure the involvement of healthcare professionals in relation to achieving improved information governance compliance. The Caldicott Guardian has responsibility for ensuring that all staff comply with the Caldicott Principles and the guidance contained in the NHS Digital document – “A Guide to Confidentiality in Health and Social Care”.
The Caldicott Guardian will guide the Practice on confidentiality and protection issues relating to patient information. This role is pivotal in ensuring the balance between maintaining confidentiality standards and the delivery of patient care. The Caldicott Guardian will also advise the Practice Management Team on progress and major issues as they arise.
Hayley Gidman has been appointed as Data Protection Officer. The role will monitor internal compliance, inform, and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authorities.
Training Awareness
Information governance will be a part of the Practice’s induction process. Records of all inductions will be retained on staff records.
All new and existing staff will receive annual mandatory training and guidance on information governance, which will include coverage of Caldicott and confidentiality, data protection, information security and Freedom of Information to ensure that staff are aware of their responsibilities for: the confidentiality of the information they handle; situations where it is appropriate to disclose information to persons other than the patient; safe haven procedures; quality record keeping; secure storage and disposal of information.
Annually all staff will complete Information Governance Refresher Training. Records of the staff compliance with training will be kept and monitored and the evidence from the training will be used to support the submission of the Data Security and Protection Toolkit.
Individual Rights
Individuals legally have rights in relation to the data that is processed about them. The Practice must have processes in place should an individual choose to exercise any of their rights. It is vital that all staff can recognise such requests to allow them to be processed within the timescales set out in law.
Subject Access Requests
The Practice will log and record all Subject Access Requests (SARs) that are received, in line with the Data Protection Act 2018.
A SAR can be made via any of, but not exclusively, the following methods:
- Post
- Social media
- Practice website
Where an individual is unable to make a written request, it is the Department of Health’s view that in serving the interest of patients it can be made verbally, with the details recorded on the individual’s file.
All requests will be dealt with within one month, as per the legislation. All information is to be supplied free of charge (although “reasonable” fees can be charged for an excessive request or for further copies).
A request may be received for information relating to a deceased individual. In this case certain individuals have rights of access to deceased records under the Access to Health Records Act 1990:
- The patient’s personal representative (Executor or Administrator of the deceased’s estate)
- Any person who may have a claim arising out of the patient’s death
A Next of Kin has no automatic right of access, but professional codes of practice allow for a clinician to share information where concerns have been raised. Guidance should be sought from the Caldicott Guardian in relation to requests for deceased records.
The Common Law Duty of Confidentiality extends beyond death.
Right to erasure
The right to erasure is also known as ‘the right to be forgotten’ and means that individuals have the right to have personal data that the Practice holds about them erased and to prevent processing in specific circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- If the individual withdraws their consent for the Practice to process their data (if this was the basis on which it was collected).
- The personal data was unlawfully processed (i.e., a breach of UK data protection laws).
- The personal data has to be erased in order to comply with a legal obligation.
The Right to Erasure will be reviewed on a case-by-case basis and will be limited if the information has been processed for the purpose of providing direct care to the individual.
Right to be informed.
Individuals have the right to be informed of the processing the Practice undertakes with their personal data. The Practice will inform all individuals via its Privacy Notice.
The Privacy Notice is available on the Practice website https://www.trenthammewssurgery.nhs.uk/
Right to rectification
If personal data that the Practice holds is found to be inaccurate or incomplete, individuals have the right to have it rectified. This includes any data that the Practice may have passed on to others unless this proves impossible or involves disproportionate effort. If this is the case, the Practice will explain to the individual why this has not been possible.
The individual can make a request for rectification either verbally or in writing and the Practice has one calendar month to respond to such requests. The right to rectification is not absolute and the Practice has the right to review the request to see if it can be complied with.
Requests which are deemed to be unfounded, excessive, repetitive in nature or required to be maintained legally may be refused.
Right to restrict processing.
Individuals have the right to restrict processing in certain situations. The data can still be retained by the Practice; however, certain restrictions can be applied.
The situations where processing restrictions may apply are:
- If the individual contests the accuracy of the data the Practice holds about them, the Practice will restrict the processing until the accuracy of the data has been verified.
- If the Practice is processing the individual’s data because it is necessary for the performance of a public interest task and the individual has objected to the processing, the Practice will restrict processing while it considers whether its legitimate grounds for processing are overriding.
- If the processing of the individual’s personal data is found to be unlawful but they oppose erasure and request restriction instead; or
- If the Practice no longer needs the data held about the individual, but the individual requires the data to establish, exercise or defend a legal claim.
Requests can be made verbally or in writing to the Practice and the Practice will respond within one month.
Right of data portability
Individuals have the right to request a copy of their data in a portable format if the processing of the personal data is on the legal basis of consent. If the personal data is being processed for the purpose of providing direct care to the individual, then this right will not apply.
Right to object
Individuals have the right to object to their data being processed if the data is being processed for the performance of a task in the public interest or exercise of official authority.
All objections will be reviewed on an individual basis and objections can be made to the Practice both verbally and in writing.
Right to object to automated decision making and profiling.
This right applies to any processing by the Practice that is automated, meaning carried out without human involvement.
The Practice does not currently use automated decision making or profiling tools.
National Data Opt Out
All health and care organisations must comply with the national data opt-out policy by September 30th, 2021.
The Practice complies with the national data opt-out policy and the use of the technical services to check for national data opt-outs in line with technical specifications and instructions.
The Practice ensures that if patients do not wish for their confidential patient information to be used for research and planning, they can choose to opt out securely online or through a telephone service by contacting the practice directly. Further details are made available to the public via the Privacy Notice [insert link to privacy notice]
Freedom of Information Requests
The Practice will deal with all Freedom of Information Requests (FOI) which are received in writing within 40 working days, in line with the Freedom of Information Act 2000.
Although requests will be treated along the lines of openness and transparency, some information may be exempt from release.
The Practice will review all requests and a Public Interest Test will be undertaken before the application of any exemptions for which this applies.
The Practice publication scheme can be found here: [Insert link to organisational publication scheme]
Registration Authority
Smartcards are required to use and access IT systems essential to healthcare provision.
Individuals are granted access to a Smartcard by the organisation’s Registration Authority lead. The Registration Authority Lead for the practice is [name or organisation]
The Registration Authority Team verify the identity of all healthcare staff who need to have access to patient identifiable or sensitive data. Individuals are granted access based on their work and their level of involvement in patient care.
The use of Smartcards leaves an audit trail.
Staff should be aware that disciplinary action may be taken if inappropriate action or unauthorised data access has been undertaken or Smartcards are shared.
Policy Approval
The Practice will, therefore, ensure that all staff, contractors, and other relevant parties observe this policy in order to ensure compliance with Information Governance and contribute to the achievement of the Primary Care objectives and delivery of effective healthcare to the local population.
Monitoring/Audit
The Practice will monitor this Policy through monthly Practice Management Meetings. An assessment of compliance with requirements within the Data Security and Protection Toolkit will be undertaken each year.
To ensure that the Policy and other relevant Information Governance documents are being followed and implemented, Confidentiality Spot Check Audits will be undertaken throughout the financial year. These audits will identify any areas for improvement which can be provided to the Management team for implementation or risk assessed. Any risks which cannot be mitigated will be noted in the Business Continuity Plan.
Information Governance Management
Information Governance Management across the organisation will be co-ordinated by the Practice Management Team.
The responsibilities of the Practice Management Team will include, but not be limited to:
- Recommending for approval policies and procedures to be implemented within the Practice.
- Recommending for approval the annual submission of compliance with requirements in the Data Security and Protection Toolkit and related action plan.
- Co-ordinating and monitoring the Information Governance policy across the Practice.
The Practice Management Team will endorse the Information Governance policy for the Practice.
Non-Compliance
Non-compliance with this code of conduct by any person working for the Practice may result in disciplinary action being taken in accordance with the Practice’s disciplinary procedure, a copy of which can be found [indicate where here]
Review
This policy will be reviewed on an annual basis or earlier if appropriate, to consider any changes to legislation that may occur, and/or guidance from the Department of Health and/or NHS Executive.
Appendix A – Caldicott Principles
Principle 1 – Justify the purpose(s) for using confidential information.
Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised, and documented, with continuing uses regularly reviewed, by an appropriate guardian.
Principle 2 – Don’t use personal confidential data unless it is absolutely necessary.
Personal confidential data items should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients to be identified should be considered at each stage of satisfying the purpose(s).
Principle 3 – Use the minimum necessary personal confidential data.
Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.
Principle 4 – Access to personal confidential data should be on a strict need-to-know basis.
Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.
Principle 5 – Everyone with access to personal confidential data should be aware of their responsibilities.
Action should be taken to ensure that those handling personal confidential data – both clinical and non-clinical staff – are made fully aware of their responsibilities and obligations to respect patient confidentiality.
Principle 6 – Comply with the law.
Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.
Principle 7 – The duty to share information can be as important as the duty to protect patient confidentiality.
Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators, and professional bodies.
Principle 8 – Inform patients and service users about how their confidential information is used.
A range of steps should be taken to ensure there are no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this.
Appendix B – Data Protection Act 2018 Principles
The Data Protection Act 2018 sets out the framework for data protection law in the UK. It sits alongside the UK General Data Protection Regulation (UK GDPR). The UK GDPR sets out the key principles, rights, and obligations for most processing of personal data. The Data Protection Act 2018/UK GDPR sets out seven key principles:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Article 5(1) requires that personal data shall be:
“(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’).
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’).
(c) adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’).
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
Article 5(2) adds that:
“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
Mission Statement
Trentham Mews Medical Centre is a GMS practice based in the community of Trentham and Hanford in Stoke on Trent. The registered manager for the service is Dr Jane McPherson. We aim to improve the health and well-being of the practice population by providing general medical practice services to our registered patients living within this area.
We endeavour to provide the following in all the services we offer:
- Integrity – underpins everything we do
- Unity – we are committed to building organisational unity through teamwork
- Individual Worth – everyone who contributes to our work is significant and their contribution is valued
- Stewardship – we all need to use our resources as effectively and efficiently as possible
- Accountability – we are accountable to each other, our patients and the NHS for the work we do
- Quality – we are committed to quality through continuous improvement in all that we do
- Service – we are committed to making every encounter with the practice a positive experience
Practice Complaints Procedure
We try hard to provide you with a good service, but we recognise that we do not get things right every time. If you have any suggestions of how we can improve our services, please fill in one of the Friends and Family slips which are located in reception. Any formal feedback should be addressed to Donna Thomas (the Practice Manager) either by telephone or by letter.
Complaints
Most issues can be resolved without having to make a formal complaint. If you wish to make a verbal complaint or have an informal chat with your GP, a member of staff or the Practice Manager we will be able to arrange this for you. For more serious complaints you may put your complaint in writing to the Practice Manager.
If you feel that you cannot approach the practice you can either contact:
Patient Advice and Liaison Service (PALS)
Bellringer Road, Trentham, Stoke-On-Trent
Staffordshire, ST4 8HH Tel: 0800 389 9676
PALS has been introduced to ensure that the NHS listens to patients, their relatives, carers and friends and answers their questions and resolves their concerns as quickly as possible.
You can talk to PALS, who provide confidential advice and support to patients, families and their carers, and can provide information on the NHS and health-related matters. The Trust has a PALS Office which you can contact directly via the FREEPHONE number above. Most of our teams also have a PALS Lead with responsibility for promoting PALS to clients and colleagues, and we expect all our staff to ‘be a PAL’.
An answer phone service is available out of office hours – please leave a message if no-one is available to take your call and PALS will get back to you. You can also email them at patientexperienceteam@combined.nhs.uk
What to expect – You should expect an acknowledgement and the offer of a discussion about the handling of your complaint within three working days of receiving your complaint.
Patient Advice and Liaison Service (PALS)
Bellringer Road, Trentham, Stoke-On-Trent
Staffordshire, ST4 8HH
Tel: 0800 389 9676
Mon to Fri 9.00am to 5.00pm
NHS England
Alternatively you may wish to take your complaint directly to NHS England, which commissions primary care services, including GPs, dentists, opticians and pharmacies. Send your complaint to: NHS England, PO BOX 16738, Redditch, B97 9PT.
From 1st July 2023 the Staffordshire and Stoke-on-Trent ICB Complaints team will be available.
New Beacon Building
Stafford Education and Enterprise Park
Weston Road
Stafford ST18 0BF
Freephone: 0808 196 8861
Email: PatientExperienceTeam@staffsstoke.icb.nhs.uk
You can also contact the Parliamentary and Health Service Ombudsman to consider your complaint further:
Telephone: 0345 015 4033
Email: phso.enquiries@ombudsman.org.uk
Website: www.ombudsman.org.uk
Privacy Notice for Children
This Children’s Privacy Notice is a way of telling you about what happens to the information that your GP practice collects about you whenever you come to see us. It also tells you how we make sure your information is kept safe.
What do we collect?
We collect information about you such as:
- Your Name
- Your birthday and year you were born
- Your address and contact information
- The name of the person who will generally bring you to your appointments
- The reason that you are coming to see us
- Any information that you or your family gives us
- Any other people we may need to send you to see to make sure you have the best care possible (such as hospital doctors, specialists etc.)
- What we do to care for you
Why do we collect it?
TRENTHAM MEWS MEDICAL CENTRE’s main purpose is to deliver healthcare to the people within this area.
We collect the data we need to care for you in the best way. We ask for your address so that we know where we can contact you. We ask for your date of birth as your age may be important to your care. Each time you come to see us we will write down things that you tell us, things that we tell you and any medicines we may need to give to you. That way, we can look back at what we have done for you to make sure we are treating you in the best way.
What do we do with it?
We keep the information we collect electronically and on paper. All of this information together is called your Health Record. When you first see us your Health Record will be given a number. Everyone’s Health Record number will be different. Anyone involved in caring for you at TRENTHAM MEWS MEDICAL CENTRE can see what has been collected. This way we can all make the right decisions about your care with all of the information you have given us.
Who do we share it with?
We will share the information we record about you with the doctors within the practice. That way they are kept up to date on what we are doing for you. Your parents/guardians should get a copy of any letters we send to your doctor about your care. We might share it with other health professionals involved in your care. We might share it with your school if we think it is important for them to know. If you have a social worker, we will share it with them too. If you tell us something that makes us worried about your safety or the safety of someone else you know, we might have to share this with other people outside of the hospital – even if you don’t want us to. This is part of our job to keep you and others safe.
We also need to share information with the Care Quality Commission, which regulates healthcare providers. For more information see: https://www.cqc.org.uk/about-us/our-policies/privacy-statement
Keeping your records safe
Everyone working in our practice understands that they need to keep your information safe. This is called keeping your information confidential or protecting your privacy. They have training every year to remind them of this. We tell them that they are only allowed to look at your information if they are involved in your care or to help us run our practice. They understand that they must keep any information safe. Especially the information that identifies you; this might be your name or address and anything you come to see us about. We are not allowed to give any of this type of information to anyone who shouldn’t see it. This includes talking to them about it.
Doctor and nurse students, who are at university or college and want to work in a doctor’s practice, sometimes spend time with us. This is so that we can teach them how to look after patients and their families. They are also told how to keep the information we collect safe.
Checking we are doing our best
All doctor’s practices are checked by organisations to make sure they are treating and caring for patients and families in the best way they can. The people who inspect us may ask to see a small number of Health Records. They check that notes are written clearly and are kept safe to ensure that we are recording and storing your information safely.
How long do we keep the information for?
All doctor’s practices treating children must keep your information for the rest of your life and then for 10 years after you die. If we have an incident or complaint, sometimes we need to use patient information to help us investigate incidents, complaints or legal claims. If this relates to you we will make sure we let you and your parents/guardians know.
Am I able to see the information you collect about me?
Yes! As one of our patients you are able to see the records that relate to you and you only. You or your family will need to ask your doctor first though as there may be things that we would need to explain to you such as abbreviations or medical words.
Can I have a copy of my records?
Yes! Your parent/guardian will need to write to us (they can email us) to tell us what they want to see – it may just be part of your record, for example, an x-ray or a report. We will check they are who they say they are to make sure we are not sharing your information with anyone who shouldn’t see it.
If I think some of my information is wrong can I do anything about it?
Yes! Your parent or guardian needs to contact The Practice Manager at the practice telling them what it is that you think is wrong.
If I’m unhappy with the way you’ve used some of my information can I do anything?
Yes! Let us know by contacting the Practice Manager, the person responsible for helping to run the practice, or you can contact the Information Commissioner’s Office.
We hope this notice tells you what you need to know about the information we collect about you.
If you want to know anything else, please contact the practice and we will make sure we listen to you very carefully and look after your needs the best that we can.
Privacy Notice for Patients
Introduction
This privacy notice lets you know what happens to any personal data that you give to us, or any information that we may collect from you or about you from other organisations.
This privacy notice applies to personal information processed by or on behalf of TRENTHAM MEWS MEDICAL CENTRE.
This Notice explains:
- Who we are and how we use your personal information
- Information about our Data Protection Officer
- What kinds of personal information we hold about you and what information we use
- The legal grounds for processing your personal information, including when we share it with other organisations.
- What to do if your personal information changes
- How long your personal information is retained/stored by us
- What your rights are under Data Protection laws
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA18) became law on 25th May 2018. The GDPR is a single EU-wide regulation on the protection of confidential and sensitive information and the DPA18 implements the regulation into comprehensive UK legislation. Following the decision for the UK to leave the European Union and the end of the transition period, from January 1st, 2021 the UK has been subject to an Adequacy Agreement which allows data to continue to be shared with European Union countries without further safeguarding being necessary. This is to allow the European Commission suitable time to grant the UK adequacy status, meaning it has met the required standards in ensuring data transfers to and from the UK are safe. All references to GDPR in this notice now mean UK GDPR.
For the purpose of applicable data protection legislation (including UK GDPR) and the Data Protection Act 2018, the practice responsible for your personal data, and referred to as the Data Controller, is TRENTHAM MEWS MEDICAL CENTRE.
This Notice describes how we collect, use, and process your personal data, and how in doing so, we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.
How we use your information and the law
TRENTHAM MEWS MEDICAL CENTRE will be the “Data Controller” of your personal data.
We collect basic personal data about you, which includes name, address, telephone number, email address, date of birth, next of kin information, NHS number etc.
We will also collect sensitive confidential data known as “special category personal data”, in the form of health information, religious beliefs, (if required in a healthcare setting) ethnicity, sexuality etc. and we may also receive this information about you from other health providers or third parties.
Your rights over your personal information
As an individual you have the following rights over your personal information:
Right to be informed – you have the right to be informed on how we handle, process, and share your personal information; this privacy notice ensures as a practice we satisfy this right.
Right to access your personal information – you can request access to and/or copies of the personal data we hold about you, free of charge (subject to exemptions) within one calendar month. Such requests can be made verbally or in writing, but we do request that you provide us with adequate information to process your request, such as providing full name, address, date of birth, NHS number and details of your request and, where necessary, any documents to verify your identity.
On processing a request there may be occasions when information may be withheld if we as a practice believe that releasing the information to you could cause serious harm or distress. Information may also be withheld if another person (i.e., third party) is identified in the record, and they do not want their information disclosed to you. However, if the other person mentioned in your records was acting in their professional capacity in caring for you, in normal circumstances they could not prevent you from having access to that information.
To request a copy or request access to information we hold about you and/or to request information to be corrected if it is inaccurate, please contact:
Right to rectification – The correction of personal data when incorrect, out of date or incomplete will be acted upon within one calendar month of receipt of such a request. Please ensure TRENTHAM MEWS MEDICAL CENTRE has the correct contact details for you at all times.
Right to erasure – Under Article 17 of the UK GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances, for example when your personal data is no longer necessary for the purpose for which it was originally collected or processed, or if you wish to withdraw consent that you have previously given.
Right to restrict processing – Article 18 of the UK GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that you can limit the way that the practice uses your data. This is an alternative to requesting the erasure of your data. Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction.
Right to data portability – The right to data portability gives individuals the right to receive personal data they have provided to the Practice in a structured, commonly used, and machine-readable format (i.e., email, upload to a portable device etc.).
Right to object to processing – you have the right to object to processing; however, please note that if we can demonstrate compelling legitimate grounds which outweigh your interests, then processing can continue. If we did not process any information about you and your health care, it would be very difficult for us to care for and treat you.
Rights in relation to automated decision making and profiling – Automated individual decision-making is a decision made by automated means (i.e., a computer system) without any human involvement. If any of the processes we use rely on automated decision making, you do have the right to ask for a human to review any computer-generated decision at any point.
Why we need your information.
The healthcare professionals who provide you with care maintain records about your health and any treatment or care you have received previously. These records help to provide you with the best possible healthcare and treatment.
NHS health records may be electronic, paper-based or a mixture of both. We use a combination of working practices and technology to ensure that your information is kept confidential and secure.
Records about you may include the following information:
- Details about you, such as your address, your carer or legal representative and emergency contact details.
- Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments.
- Notes and reports about your health.
- Details about your treatment and care.
- Results of investigations such as laboratory tests, x-rays etc.
- Relevant information from other health professionals, relatives or those who care for you.
- Contact details (including email address, mobile telephone number and home telephone number)
To ensure you receive the best possible care, your records are used to facilitate the care you receive, including contacting you. Information held about you may be used to help protect the health of the public and to help us manage the NHS and the services we provide. Limited information may be used within the GP practice for clinical audit to monitor the quality of the service we provide.
How we lawfully use your data.
We need your personal, sensitive, and confidential data in order to provide you with healthcare services as a General Practice. Under the UK GDPR we will be lawfully using your information in accordance with:
Article 6 (1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Article 9 (2) (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.
This Privacy Notice applies to the personal data of our patients and the data you have given us about your carers/family members.
Risk Stratification
Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a condition, preventing an unplanned admission or readmission, and identifying a need for preventive intervention. Information about you is collected from several sources including NHS Trusts and from this GP Practice. The identifying parts of your data are removed, analysis of your data is undertaken, and a risk score is then determined. This is then provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on initiatives for preventing ill health and not just the treatment of sickness, so being far more proactive in an ever-changing health climate. As a result of risk stratification, your GP may be able to offer you additional services.
Individual Risk Management at a GP practice level however is deemed to be part of your individual healthcare and is covered by our legal powers above.
Our data processor for Risk Stratification is:
Population Health Management
Population Health Management improves population health by data driven planning and delivery of proactive care to achieve maximum impact. It includes segmentation, stratification and impactability modelling to identify local ‘at risk’ cohorts – and, in turn, designing and targeting interventions to prevent ill-health and to improve care and support for people with ongoing health conditions and reducing unwarranted variations in outcomes.
The benefits of Population Health Management are:
- Using data-driven insights and evidence of best practice to inform targeted interventions to improve the health & wellbeing of specific populations & cohorts
- The wider determinants of health, not just health & care
- Making informed judgements, not just relying on the analytics
- Prioritising the use of collective resources to have the best impact
- Acting together – the NHS, local authorities, public services, the VCS, communities, activists & local people. Creating partnerships of equals
- Achieving practical tangible improvements for people & communities
Information about you is collected from several sources including NHS Trusts and from this GP Practice. The identifying parts of your data are removed, and an analysis of your data is undertaken. This analysis may be undertaken by external organisations who are acting on behalf of your GP Practice and have a Data Processing contract with the Practice. This is then provided back to your GP as data controller in an identifiable form. As a result of population health management, your GP may be able to offer you additional services.
Medicines Management
The Practice may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments. The reviews are carried out by the Clinical Commissioning Group’s Medicines Management Team under a Data Processing contract with the Practice.
Patient Communication
The Practice would like to use your name, contact details, and email address to inform you of NHS services, or to provide information about your health, information to manage your healthcare, or information about the management of the NHS service. There may be occasions where authorised research facilities would like you to take part in research in regard to your particular health issues, to try and improve your health. Your contact details may be used to invite you to receive further information about such research opportunities, but you must give your explicit consent to receive messages for research purposes.
GP-Connect
The Practice uses a facility called GP Connect to support your direct care. GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patient care, leading to improvements in both care and outcomes.
GP Connect is not used for any purpose other than direct care.
NHS 111 clinicians are able to access the GP records of the patients they are treating via a secure NHS Digital service called GP Connect.
The NHS 111 service (and other services determined locally e.g. Other GP practices in a Primary Care Network) will be able to book appointments for patients at GP practices and other local services.
The legal bases for direct care via GP Connect are the same as the legal bases for the care you would receive from your own GP, or another healthcare provider:
For the processing of personal data:
Article 6.1 (e) of the UK GDPR: ‘… performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.
For the processing of “Special Category Data” (which includes your medical information):
Article 9.2 (h) of the UK GDPR: ‘… the purposes of preventive or occupational medicine …’
Safeguarding
The Practice is dedicated to ensuring that the principles and duties of safeguarding adults and children are holistically, consistently, and conscientiously applied with the wellbeing of all patients at the heart of what we do.
Our legal basis for processing information for safeguarding purposes, as stipulated in the UK GDPR is:
Article 6(1)(e) ‘…exercise of official authority…’.
For the processing of special categories data, the basis is:
Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’
Categories of personal data
The data collected by Practice staff in the event of a safeguarding situation, will be minimised to include only the personal information as is necessary in order to handle the situation. In addition to some basic demographic and contact details, we will also process details of what the safeguarding concern is. This is likely to be special category information.
Sources of the data
The Practice will either receive or collect information when someone contacts the organisation with safeguarding concerns, or we believe there may be safeguarding concerns and make enquiries to relevant providers.
Recipients of personal data
The information is used by the Practice when handling a safeguarding incident or concern. We may share information accordingly to ensure duty of care and investigation as required with other partners such as local authorities, the police or healthcare professionals (e.g., the person’s GP or mental health team).
Research
Clinical Practice Research Datalink (CPRD) collects anonymised patient data from a network of GP practices across the UK. Primary care data is linked to a range of other health-related data to provide a fully representative UK population health dataset. You can opt out of your information being used for research purposes at any time, and full details on CPRD can be found here:
General Practice Data for Planning and Research
The Government is delaying the implementation of the General Practice Data for Planning and Research (GPDPR) programme until four key areas of work are strengthened:
- the ability for patients to opt out or back in to sharing their GP data with NHS Digital, with data being deleted even if it has been uploaded
- the backlog of opt-outs has been fully cleared
- a Trusted Research Environment (TRE) is available where approved researchers can work securely on de-identified patient data which does not leave the environment
- a campaign of engagement and communication has increased public awareness of the programme, explaining how data is used and patient choices
This delay will also provide more time to speak with patients, doctors, health charities and others.
This Privacy Notice will be updated when further details of the proposed implementation have been confirmed, and this may not be for at least another 12 months.
For further information please refer to NHS Digital’s webpage on this subject matter.
The NHS needs data about the patients it treats in order to plan and deliver its services and to ensure that care and treatment provided is safe and effective. The General Practice Data for Planning and Research data collection will help the NHS to improve health and care services for everyone by collecting patient data that can be used to do this. For example, patient data can help the NHS to:
- monitor the long-term safety and effectiveness of care
- plan how to deliver better health and care services
- prevent the spread of infectious diseases
- identify new treatments and medicines through health research
GP practices already share patient data for these purposes, but this new data collection will be more efficient and effective. We have agreed to share the patient data we look after in our practice with NHS Digital who will securely store, analyse, publish, and share this patient data to improve health and care services for everyone. This includes:
- informing and developing health and social care policy
- planning and commissioning health and care services
- taking steps to protect public health (including managing and monitoring the coronavirus pandemic)
- in exceptional circumstances, providing you with individual care
- enabling healthcare and scientific research
This means that we can get on with looking after our patients and NHS Digital can provide controlled access to patient data to the NHS and other organisations who need to use it to improve health and care for everyone.
Contributing to research projects will benefit us all as better and safer treatments are introduced more quickly and effectively without compromising your privacy and confidentiality.
NHS Digital has engaged with the British Medical Association (BMA), Royal College of GPs (RCGP) and the National Data Guardian (NDG) to ensure relevant safeguards are in place for patients and GP practices.
Summary Care Records (SCR)
All patients registered with a GP have a Summary Care Record, unless they have chosen not to have one. The information held in your Summary Care Record gives registered and regulated healthcare professionals, away from your usual GP practice, access to information to provide you with safer care, reduce the risk of prescribing errors and improve your patient experience.
Your Summary Care Record contains basic (Core) information about allergies and medications and any reactions that you have had to medication in the past.
During the height of the pandemic changes were made to the Summary Care Record (SCR) to make additional patient information available to all appropriate clinicians when and where they needed it, to support direct patient care, leading to improvements in both care and outcomes.
These changes to the SCR will remain in place, unless you decide otherwise.
Regardless of your past decisions about your Summary Care Record preferences, you will still have the same options that you currently have in place to opt out of having a Summary Care Record, including the opportunity to opt-back in to having a Summary Care Record or opt back in to allow sharing of Additional Information.
You can exercise these choices by doing the following.
Opting Out
If you don’t want your identifiable patient data to be shared for purposes except for your own care, you can opt-out by registering a Type 1 Opt-out or a National Data Opt-out, or both. These opt-outs are different, and they are explained in more detail below. Your individual care will not be affected if you opt out using either option.
Type 1 Opt-Outs – If you do not want your identifiable patient data to be shared outside of the GP practice for purposes except your own care, you can register an opt-out with the GP practice. This is known as a Type 1 Opt-out. Type 1 Opt-outs were introduced in 2013 for data sharing from GP practices, but may be discontinued in the future as a new opt-out has since been introduced to cover the broader health and care system, called the National Data Opt-out. If this happens, patients who have registered a Type 1 Opt-out will be informed. There is more information about National Data Opt-outs below.
NHS Digital will not collect any patient data for patients who have already registered a Type 1 Opt-out, in line with current policy. If this changes, patients who have registered a Type 1 Opt-out will be informed.
If you do not want your patient data shared with NHS Digital for the purposes above, you can register a Type 1 Opt-out with your GP practice. You can register a Type 1 Opt-out at any time. You can also change your mind at any time and withdraw a Type 1 Opt-out.
If you have already registered a Type 1 Opt-out with us, your data will not be shared with NHS Digital. If you wish to register a Type 1 Opt-out with us before data sharing starts with NHS Digital, this should be done by returning this form to the practice. If you do intend to opt out of the GPDPR collection, we will update this Privacy Notice with the date by which you must provide your opt-out to allow time for processing it. If you have previously registered a Type 1 Opt-out and you would like to withdraw this, you can also use the form to do this. You can send the form by post or email to us at the GP Practice, or call 0300 3035678 for a form to be sent out to you.
If you do not want NHS Digital to share your identifiable patient data with anyone else for purposes beyond your own care, then you can also register a National Data Opt-out.
National Data Opt-Out
If you don’t want your confidential patient information to be shared by NHS Digital with other organisations for purposes except your own care – either GP data, or other data it holds, such as hospital data – you can register a National Data Opt-out.
If you have registered a National Data Opt-out, NHS Digital will not share any confidential patient information about you with other organisations, unless there is an exemption to this, such as where there is a legal requirement or where it is in the public interest to do so, such as helping to manage contagious diseases like coronavirus. You can find out more about exemptions on the NHS website.
There is an intention for the National Data Opt-out to apply to any confidential patient information shared by the GP practice with other organisations for purposes except your individual care. This means it will replace the Type 1 Opt-out. If this happens, patients who have registered a Type 1 Opt-out will be informed. Please note that the National Data Opt-out will not apply to confidential patient information being shared by GP practices with NHS Digital, as it is a legal requirement for us to share this data with NHS Digital and the National Data Opt-out does not apply where there is a legal requirement to share data.
You can find out more about and register a National Data Opt-out or change your choice on nhs.uk/your-nhs-data-matters or by calling 0300 3035678.
You can also set your opt-out preferences via the NHS App if you are registered to use this application.
The legal bases for processing this information
The Health and Social Care Act 2012 covers the sharing and collection of health and care data. It says that when the Secretary of State for Health and Social Care needs to collect and analyse data to help the health service, they can tell NHS Digital to do this for them. The instruction, which NHS Digital must act on, is called a direction. In this case:
1) The Secretary of State for Health and Social Care sent a direction to NHS Digital, instructing them to collect and analyse general practice data for health and social care purposes including policy, planning, commissioning, public health, and research purposes.
2) NHS Digital sent all GP practices a document called a Data Provision Notice, giving details of the data it needs GP Practices like ours to share so it can comply with the direction. All GP Practices in England are required to share data with NHS Digital when they are sent a Data Provision Notice.
Under data protection law, we can only share patient data if we have a legal basis under Articles 6 and 9 of the UK GDPR. Our legal basis for sharing patient data with NHS Digital is Article 6(1)(c) – legal obligation, as we are required under the 2012 Act to share it with NHS Digital.
When we are sharing patient data about health, we also need a legal basis under Article 9 of the UK GDPR. This is:
- Article 9(2)(g) – as we are sharing patient data for reasons of substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the General Practice Data for Planning and Research Directions. It is substantially in the public interest to process patient data for planning and research purposes to improve health and care services for everyone. This is permitted under paragraph 6 of Schedule 1 of the Data Protection Act 2018 (DPA).
- Article 9(2)(h) – as we are sharing patient data for the purposes of providing care and managing health and social care systems and services. This is permitted under paragraph 2 of Schedule 1 of the DPA.
- Article 9(2)(i) – as patient data will also be used for public health purposes. This is permitted under paragraph 3 of Schedule 1 of the DPA.
- Article 9(2)(j) – as patient data will also be used for the purposes of scientific research and for statistical purposes. This is permitted under paragraph 4 of Schedule 1 of the DPA.
Third party processors
In order to deliver the best possible service, the practice will share data (where required) with other NHS bodies such as other GP practices and hospitals. In addition, the practice will use carefully selected third party service providers. When we use a third-party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:
- Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc.
- Delivery services (for example if we were to arrange for delivery of any medicines to you).
- Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).
Further details regarding specific third-party processors can be supplied on request to the practice.
How we maintain the confidentiality of your records
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- Data Protection Act 2018
- The UK General Data Protection Regulations (UK GDPR)
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- Health and Social Care Act 2012
- NHS Codes of Confidentiality, Information Security and Records Management
- Information: To Share or Not to Share Review
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (e.g., life or death situations), where the law requires information to be passed on, and/or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share), where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.
Our practice policy is to respect the privacy of our patients, their families, and our staff and to maintain compliance with the UK GDPR and all UK specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be protected.
All employees and sub-contractors engaged by our practice are asked to sign a confidentiality agreement. The practice will, if required, sign a separate confidentiality agreement if the client deems it necessary. If a sub-contractor acts as a data processor for TRENTHAM MEWS MEDICAL CENTRE an appropriate contract will be established for the processing of your information.
In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact the PM TO UPDATE in writing if you wish to withdraw your consent. In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.
Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose in an identifiable format. In some circumstances you can Opt-out of the surgery sharing any of your information for research purposes.
With your consent we would also like to use your information
There are times when we may want to use your information to contact you or offer you services not directly about your healthcare; in these instances we will always gain your consent to contact you. We would like to use your name, contact details, and email address to inform you of other services that may benefit you. We will only do this with your consent. There may be occasions where authorised research facilities would like you to take part in innovations, research, improving services or identifying trends; you will be asked to opt into such programmes if you are happy to do so.
At any stage where we would like to use your data for anything other than the specified purposes and where there is no lawful requirement for us to share or process your data, we will ensure that you have the ability to consent and opt out prior to any data processing taking place.
This information is not shared with third parties or used for any marketing and you can unsubscribe at any time via phone, email or by informing the practice.
Where we store your electronic information
All the personal data we process is processed by our staff in the UK; however, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.
No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place, such as a Data Processing Agreement. We have a Data Protection regime in place to oversee the effective and secure processing of your personal and/or special category data.
EMIS Web
The Practice uses a clinical system provided by a Data Processor called EMIS. Since June 2019, EMIS has stored your practice’s EMIS Web data in a highly secure, third party cloud hosted environment, namely Amazon Web Services (“AWS”).
The data will remain in the UK at all times and will be fully encrypted both in transit and at rest. In doing this there will be no change to the control of access to your data and the hosted service provider will not have any access to the decryption keys. AWS is one of the world’s largest cloud companies, already supporting numerous public sector clients (including the NHS), and it offers the very highest levels of security and support.
Our partner organisations
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:
- NHS Trusts/Foundation Trusts
- GPs
- Primary Care Networks
- Integrated Care Systems
- NHS Commissioning Support Units
- Independent Contractors such as dentists, opticians, pharmacists
- Private Sector Providers
- Voluntary Sector Providers
- Ambulance Trusts
- Clinical Commissioning Groups
- Social Care Services
- NHS England (NHSE) and NHS Digital (NHSD)
- Multi Agency Safeguarding Hub (MASH)
- Local Authorities
- Education Services
- Fire and Rescue Services
- Police & Judicial Services
- Other ‘data processors’ which you will be informed of
You will be informed who your data will be shared with and in some cases asked for consent for this to happen when this is required.
Computer System of Choice
This practice operates a Clinical Computer System of Choice on which NHS Staff record information securely. This information can then be shared with other clinicians so that everyone caring for you is fully informed about your medical history, including allergies and medication.
To provide around the clock safe care, unless you have asked us not to, we will make information available to our Partner Organisations (as listed above). Wherever possible, their staff will ask for your consent before your information is viewed.
Shared Care Records
To support your care and improve the sharing of relevant information to our partner organisations when they are involved in looking after you, we will share information to other systems. You can opt-out of this sharing of your records with our partners at any time if this sharing is based on your consent.
We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure. All employees and sub-contractors engaged by our practice are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor for TRENTHAM MEWS MEDICAL CENTRE an appropriate contract will be established for the processing of your information.
Sharing your information without consent
We will normally ask you for your consent, but there are times when we may be required by law to share your information without your consent, for example:
- where there is a serious risk of harm or abuse to you or other people
- safeguarding matters and investigations
- where a serious crime, such as assault, is being investigated or where it could be prevented
- notification of new births
- where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS)
- where a formal court order has been issued
- where there is a legal requirement, for example if you had committed a Road Traffic Offence
How long we store your information for
We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records management code of practice for health and social care and national archives requirements.
More information on records retention can be found in the NHS Records Management Code of Practice 2020.
Destruction
This will only happen following a review of the information at the end of its retention period. Where data has been identified for disposal, we have the following responsibilities:
- to ensure that information held in manual form is destroyed using a cross-cut shredder or contracted to a reputable confidential waste company [Shred-Pro] that complies with European Standard EN15713 and obtain certificates of destruction.
- to ensure that electronic storage media used to store, or process information are destroyed or overwritten to national standards.
Primary Care Networks
The objective of Primary Care Networks (PCNs) is for groups of practices to work together to create more collaborative workforces which ease the pressure on GPs, leaving them better able to focus on patient care. The aim is for all areas within England to be covered by a PCN.
Primary Care Networks form a key building block of the NHS long-term plan. Bringing general practices together to work at scale has been a policy priority for some years for a range of reasons, including improving the ability of practices to recruit and retain staff; to manage financial and estates pressures; to provide a wider range of services to patients and to integrate with the wider health and care system more easily.
All GP practices are expected to come together in geographical networks covering populations of approximately 30–50,000 patients and take advantage of additional funding attached to the GP contract.
This means the practice may share your information with other practices within the PCN to provide you with your care and treatment.
TRENTHAM MEWS MEDICAL CENTRE is a member of the South Stoke West PCN, which includes the following local GP Practices:
Trentham Mews Medical Centre
Brinsley Surgery
Blurton Health Centre
Trentvale Medical Practice
Honeywall Medical Practice
Hanford Health Centre
Access to your personal information
You have a right under the Data Protection legislation to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. For any request you should:
- Make your request directly to the practice. (For information from a hospital or other Trust/ NHS organisation you should write directly to them).
- Be aware that there is no charge to have a copy of the information held about you.
- Be aware that information must be released to you within one calendar month (unless in exceptional circumstances, which you will be informed of as part of the process).
- Be aware you may be asked for key information to process the request (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified, and your records retrieved.
What to do if your personal information changes
You should tell us so that we can update our records, as we are required to keep accurate and up-to-date records at all times. Please contact the Practice as soon as any of your details change; this is especially important for changes of address or contact details (such as your mobile phone number). The practice will from time to time ask you to confirm that the information we currently hold is accurate and up to date.
Objections/Complaints
Should you have any concerns about how your information is managed at the practice, please contact PM TO UPDATE in the first instance. If you are still unhappy following a review of your concerns by the practice, you have the right to lodge a complaint with a supervisory authority, the Information Commissioner’s Office using the contact details below:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 01625 545745
If you are happy for your data to be used for the purposes described in this privacy notice, then you do not need to do anything. If you have any concerns about how your data is shared, then please contact the Practice Data Protection Officer, Caldicott Guardian or IG Lead.
If you would like to know more about your rights in respect of the personal data that we hold about you, please use the contact details below:
IG Lead: Mrs Donna Thomas Practice Manager Medical Centre
Caldicott Guardian: Dr J McPherson
Data Protection Officer: Hayley Gidman
Midlands and Lancashire CSU
ST4 4LX
01782 872648
Useful Links
Please find below some links to external webpages which you may wish to access to find out additional information:
- Information Commissioners Office
- Information Governance Alliance
- NHS Constitution
- NHS Digital Guide to Confidentiality in Health and Social Care
- Health Research Authority
- Health Research Authority Confidentiality Advisory Group (CAG)
- National Data Opt-Out
Zero Tolerance
We all have bad days, and when we feel ill we may feel ‘down’ and a little more irritable than normal. All our staff are here to help you. Reception staff are following procedures that help the practice to function efficiently. Staff have the right to work in a safe and secure environment and we, as employers, have the legal responsibility to provide that safe and secure environment.
The practice will not tolerate:
- Verbal abuse to staff which prevents them from doing their job or makes them feel unsafe
- Threats of violence or actual violence to a GP or a member of his or her staff.
The GPs have the right to remove from their patient register list any patient who behaves in the above manner.