Medical Records and Data Protection


How we collect, look after and use your data

The notice below explains how St Martin’s Practice will collect, look after, share & use your personal data.

“Personal data” is information relating to you as a living, identifiable individual. This page of information is our “Privacy Notice” (also called “Fair Processing Notice”).

We have an easy read version of this Privacy Notice available.

How is My Information Collected and Looked After?

Who is responsible for my information?

We understand how important it is to keep your personal information safe and secure and we take this very seriously. We have taken steps to make sure your personal information is looked after in the best possible way and we review this regularly.

Please read this privacy notice (‘Privacy Notice’) carefully, as it contains important information about how we use the personal and healthcare information we collect on your behalf.

The person with the key responsibility for data protection and security is Camilla Hawkes, Practice Manager.

Our contact details as data controller

Name: St Martins Practice

Address: 210 Chapeltown Rd, Leeds, LS7 4HZ

Phone number: 0113 22 11 888

Email: please use the contact us form on this website.

We are the data controller for your information. A controller decides on why and how information is used and shared.

The practice is registered with the Information Commissioner’s Office as a Data Controller. Our registration number is Z5580728 and you can view our registration here.

Data Protection Officer

Our Data Protection Officer is responsible for monitoring our compliance with data protection requirements. You can contact them with queries or concerns relating to the use of your personal data at [wyicb-leeds.dpo@nhs.net].

Why we collect your information?

As a GP practice we are responsible for your day-to-day medical care and the purpose of this notice is to inform you of the type of information that we hold about you, how that information is used for your care, our legal basis for using the information, who we share this information with and how we keep it secure and confidential.

It covers information we collect directly from you (that you have either provided to us, or from consultations with staff members), or we collect from other organisations who manage your care (such as hospitals or community services).

We are required by law to maintain records about your health and treatment, or the care you have received within any NHS service.

These records help to ensure that you receive the best possible care. They may be paper or electronic and they may include:

  • Basic details about you such as name, address, email address, NHS number, date of birth, next of kin, etc.
  • Contact we have had with you such as appointments or clinic visits.
  • Notes and reports about your health, treatment and care
  • Details of diagnosis and treatment given
  • Information about any allergies or health conditions.
  • Results of x-rays, scans and laboratory tests.
  • Relevant information from people who care for you and know you well such as health care professionals and relatives.
  • For visitors to the practice basic information such as name and vehicle registration number

By providing the Practice with their contact details, patients are agreeing to the Practice using those channels to communicate with them about their healthcare, i.e. by letter (postal address), by voice mail or voice message (telephone or mobile number), by text message (mobile number) or by email (email address).

You can find more detailed information about how we use your information for the following specific purposes here:

  • Primary Care Networks
  • For commissioning and healthcare planning
  • Population Health Management
  • Leeds Care Record
  • Summary Care Record
  • Research – Find out how health researchers use information.
  • Safeguarding, life or death situations and other circumstances we are required to share information.

What information do we collect?

Personal information

We currently collect and use the following personal information:

  • personal identifiers and contacts (for example, name and contact details)

More sensitive information

We process the following more sensitive data (including special category data):

  • data concerning physical or mental health (for example, details about your appointments or diagnosis)
  • data revealing racial or ethnic origin
  • data concerning a person’s sex life
  • data concerning a person’s sexual orientation
  • genetic data (for example, details about a DNA sample taken from you as part of a genetic clinical service)
  • data revealing religious or philosophical beliefs
  • data relating to criminal or suspected criminal offences

How do we use your information and how do we get it?

As health professionals, we maintain records about you to direct, manage, and deliver the care you receive. By registering with the practice, your existing records will be transferred to us from your previous practice so that we can keep them up to date while you are our patient and if you do not have a previous medical record (a new-born child or coming from overseas, for example), we will create a medical record for you.

We take great care to ensure that your information is kept securely, that it is up to date, accurate and used appropriately. In the practice, individual staff will only look at what they need in order to carry out tasks such as booking appointments, making referrals, supporting your care, or to support the management of the services we provide.

The personal information we collect is provided directly from you for one of the following reasons:

  • you have provided information to seek care – this is used directly for your care, and also to manage the services we provide, to clinically audit our services, investigate complaints, or to be used as evidence as part of an investigation into care
  • if you have signed up to our newsletter / patient participation group, we will engage with you to seek your comments and views on the practice.
  • If you have made a complaint we will need to collect information about the complaint which will include your personal information. We may also need to gain additional information from, or share information we have with, other healthcare providers and NHS organisations in order to process and investigate your complaint.

We also receive personal information about you from others, in the following scenarios:

The NHS care record guarantee

The Care Record Guarantee is our commitment that we will use records about you in ways that respect your rights and promote your health and wellbeing. Copies of the full document can be obtained from: https://webarchive.nationalarchives.gov.uk/ukgwa/20130513181549/http:/www.nigb.nhs.uk/guarantee

Primary Care Networks:

All practices in the UK are members of a Primary Care Network (PCN), which is a group of practices who have chosen to work together and with local community, mental health, social care, pharmacy, hospital and voluntary services to provide care to their patients.

PCNs are built on the core of current primary care services and enable greater provision of proactive, personalised, coordinated and more integrated health and social care.

We are members of CHAPELTOWN PCN along with Woodhouse medical centre and Allerton/Westfield medical centre

This arrangement means that practices within the same PCN may share data with other practices within the PCN, for the purpose of patient care (such as extended hours appointments and other services). Each practice within the PCN is part of a stringent data sharing agreement that means that all patient data shared is treated with the same obligations of confidentiality and data security.

For commissioning and healthcare planning purposes:

In some cases, for example when looking at population healthcare needs, some of your data may be shared (usually in such a way that you cannot be identified from it). The following organisations may use data in this way to inform policy or make decisions about general provision of healthcare, either locally or nationally.

In order to comply with its legal obligations we may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012.

This practice contributes to national clinical audits and will send the data which are required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form, for example, the clinical code for diabetes or high blood pressure.

Population Health Management:

Population Health Management (PHM) is about improving the physical and mental health of people. It involves analysing data, in a format which does not identify individuals, and using the results to help make decisions on ways to prevent ill-health, improve care, reduce hospital admissions and help ensure that the most effective services are available for our patients.

The benefits of PHM are:

  • to help frontline teams understand current health and care needs and predict what will be needed in the future.
  • to identify specific groups of patients that are high risk and would benefit from direct interventions to improve their health and wellbeing.
  • to improve the standard and quality of care.
  • to prevent people needing hospital care unless necessary.
  • to support working across different organisations in the health and care sector, to make a positive difference to people’s lives. This can be supported by joining the data dots to tackle health inequalities we know exist across West Yorkshire.
  • to identify gaps in services, as well as inform service redesigns.

We, and other healthcare providers like the hospital and community service providers, send information that relates to you to our data processor the North of England Commissioning Support Unit (NECS). NECS then pseudonymise this data, which means the information that could identify you is removed and is replaced with a pseudonym. Information about the different health and care interventions you have had is then linked together so that it can be analysed without identifying you.

This pseudonymised data is then shared with West Yorkshire Integrated Care Board who will analyse the data to carry out commissioning and planning services and Population Health Management. Sometimes this analysis identifies individuals who might benefit from direct interventions to prevent illness. The results relating to patients registered at our practice are sent back to us so that we can assess who would benefit or require a particular healthcare intervention.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything.

If you do not want your data to be used in this way, you can opt-out of all planning and research initiatives through the national data opt-out service. Access this service online at www.nhs.uk/your-nhs-data-matters or by calling: 0300 303 5678.

Leeds Care Record

The Leeds Care Record (LCR) provides health and social care professionals directly involved in your care access to the most up to date information about you. It does this by sharing appropriate information from your medical and care records between health and social care services in Leeds.

At the moment, every health and social care organisation that you use has a different set of patient records for you. These records may duplicate information, or one record might hold information about your treatment, care and support that another one does not.

In Leeds, we have developed a virtual system called the Leeds Care Record. If you live in Leeds you will have a Leeds Care Record created for you. It is held on a secure computer system and includes some key health and social care information about you. The information is taken from other medical records you may have such as your GP record, hospital records or social care records.

If you do not want your information being shared on the LCR you can object to this, by contacting the LCR.

Summary Care Record

Your Summary Care Record (SCR) is a short summary of your GP medical records. It tells other health and care staff who care for you about the medicines you take and your allergies.

All patients registered with a GP have a SCR, unless they have chosen not to have one. Your SCR contains basic information about allergies and medications and any reactions that you have had to medication in the past.

Some patients, including many with long term health conditions, have previously agreed to have Additional Information shared as part of their Summary Care Record. This additional information includes information about significant medical history (past and present), reasons for medications, care plan information and immunisations.

The purpose of SCR is to improve the care that you receive, however, if you don’t want to have an SCR you have the option to opt out. If this is your preference please inform your GP or fill in an SCR patient consent preferences form and return it to your GP practice.

For research purposes

Research data is usually shared in a way that individual patients are non-identifiable. Occasionally where research requires identifiable information you may be asked for your explicit consent to participate in specific research projects. The surgery will always gain your consent before releasing any information for this purpose, unless the research has been granted a specific exemption from the Confidentiality Advisory Group of the Health Research Authority

Where specific information is asked for, such as under the National Diabetes audit, you will be given the choice to opt out of the audit.

For safeguarding purposes, life or death situations or other circumstances when we are required to share information:

We may also disclose your information to others in exceptional circumstances (i.e. life or death situations) or in accordance with Dame Fiona Caldicott’s information sharing review (Information to share or not to share).

For example, your information may be shared in the following circumstances:

  • When we have a duty to others e.g. in child protection cases
  • Where we are required by law to share certain information such as the birth of a new baby, infectious diseases that may put you or others at risk or where a Court has decided we must.

Who do we share information with?

We share information about you with other health professionals to support your care, and in more limited ways for indirect care purposes:

  • NHS Trusts and hospitals that are involved in your care.
  • Community Care Teams
  • Care homes
  • Other General Practitioners (GPs) or Primary Care Networks (which are groups of GP Practices).
  • Ambulance Services.
  • Social Care Services.
  • Education Services.
  • Local Authorities.
  • Voluntary and private sector providers working with or for the NHS, such as dentists, pharmacies, opticians and care homes.

From time to time we may offer you referrals to other providers, specific to your own health needs not included in the list above. In these cases we will discuss the referral with you and advise you that we will be sharing your information (generally by referral) with those organisations.

We may also share information with the following types of organisations:

Third party data processors

  • IT system supplier (West Yorkshire ICB / Leeds City Council)
  • Software suppliers (SystmOne, EMIS)
  • Communication suppliers (telephony services, email, text messages)

In some circumstances we are legally obliged to share information. This includes:

  •  when required by NHS England to develop national IT and data services
  • when registering births and deaths
  • when reporting some infectious diseases
  • when a court orders us to do so
  • where a public inquiry requires the information
  • Medical examiners

We will also share information if the public good outweighs your right to confidentiality. This could include:

  •  to detect, prevent or investigate crime
  • where there are serious risks to the public or staff
  • to protect children or vulnerable adults

We may also process your information in order to de-identify it, so that it can be used for purposes beyond your individual care whilst maintaining your confidentiality. These purposes will include to comply with the law and for public interest reasons.

Is information transferred outside the UK?

As a GP surgery, we do not routinely send patient data outside of the UK / EU where the laws do not protect your privacy to the same extent as the law in the UK.

Our data is hosted in the UK and is only available to our staff and technical support staff in the UK.

What is our lawful basis for using information?

Under UK GDPR the Practice are mandated to identify a legal basis to process your personal information.

For personal data

  • 6(1)(a) – Consent: this must be freely given, specific, informed and unambiguous.
  • 6(1)(b) – Contract: between a person and a service, such as a service user and privately funded care home.
  • 6(1)(c) – Legal obligation: the law requires us to do this, for example where NHS England or the courts use their powers to require the data. See this list for the most likely laws that apply when using and sharing information in health and care.
  • 6(1)(d) – Vital interests: Life & Death
  • 6(1)(e) – Public task: a public body, such as an NHS organisation or Care Quality Commission (CQC) registered social care organisation, is required to undertake particular activities by law. See this list for the most likely laws that apply when using and sharing information in health and care.

Special Category data (Sensitive Data including Health Records)

  • 9(2)(a) – Explicit consent
  • 9(2)(b) – Employment, social security and social protection (if authorised by law)
  • 9(2)(c) – Vital interests – Life and Death
  • 9(2)(e) – Made public by the data subject
  • 9(2)(f) – Legal claims or judicial acts
  • 9(2)(g) – Reasons of substantial public interest (with a basis in law)
  • 9(2)(h) – Health or social care (with a basis in law)
  • 9(2)(i) – Public health (with a basis in law)

Common law duty of confidentiality

In our use of health and care information, we satisfy the common law duty of confidentiality because:

  •  you have provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses)
  • we have support from the Secretary of State for Health and Care following an application to the Confidentiality Advisory Group (CAG) who are satisfied that it isn’t possible or practical to seek consent
  • we have a legal requirement to collect, share and use the data
  • for specific individual cases, we have assessed that the public interest to share the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime). This will always be considered on a case by case basis, with careful assessment of whether it is appropriate to share the particular information, balanced against the public interest in maintaining a confidential health service

How do we protect your personal information?

As a Practice, we are committed to protecting your privacy and will only process data in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018, the Common Law Duty of Confidentiality, professional codes of practice, the Human Rights Act 1998 and other appropriate legislation.

Everyone working for the Practice has a legal and contractual duty to keep information about you confidential. All our staff receive appropriate and ongoing training to ensure that they are aware of their personal responsibilities and their obligations to uphold confidentiality.

Staff are trained to recognise and report any incident, and the organisation has procedures for investigating, managing and learning lessons from any incidents that occur.

All identifiable information that we hold about you in an electronic format will be held securely and confidentially in secure hosted servers that pass stringent security standards.

Any companies or organisations we may use to process your data are also legally and contractually bound to operate under the same security and confidentiality requirements.

All identifiable information we hold about you within paper records is kept securely and confidentially in lockable cabinets with access restricted to appropriately authorised staff.

As an organisation we are required to provide annual evidence of our compliance with all applicable laws, regulations and standards through the Data Security and Protection toolkit.

Your information is securely stored for the time periods specified in the Records Management Code of Practice.

All records are retained and destroyed in accordance with the NHS Records Management Code of Practice.

The Practice does not keep patient records for longer than necessary and all records are destroyed confidentially once their retention period has been met, and the Practice has made the decision that the records are no longer required.

What are your data protection rights?

Under the GDPR all patients have certain rights in relation to the information which the practice holds about them. Not all of these rights will apply equally, as certain rights are not available depending on the situation and the lawful basis used for the processing.

For reference, the cases where these rights may not apply are where the lawful basis we use (as shown in the above table in the section on “lawful bases”) is:

  •  Processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller – in these cases the rights of erasure and portability will not apply.
  • Legal Obligation – in these cases the rights of erasure, portability, objection, automated decision making and profiling will not apply.

Right to be informed

You have the right to be informed of how your data is being used. The purpose of this document is to advise you of this right and how your data is being used by the practice.

The right of access

You have the right of access – You have the right to ask us for copies of your personal information, this is often referred to as a ‘Subject Access Request’. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

You can make a subject access request by contacting us via the Contact Us form on this website

The right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

The right to erasure

You have the right to ask us to erase your personal information in certain circumstances – This will not generally apply in the matter of health care data

The right to restrict processing

You have the right to ask us to restrict the processing of your information in certain circumstances – You have the right to limit the way in which your data is processed if you are not happy with the way the data has been managed.

The right to object

You have the right to object to processing. If you disagree with the way in which part of your data is processed, you can object to this. Please bear in mind that this may affect the medical services we are able to offer you.

Rights in relation to automated decision making and profiling.

Your rights in relation to automated processing – Sometimes your information may be used to run automated calculations. These can be as simple as calculating your Body Mass Index or ideal weight but they can be more complex and used to calculate your probability of developing certain clinical conditions, and we will discuss these with you if they are a matter of concern.

No decisions about individual care are made solely on the outcomes of these tools, they are only used to help us assess your possible future health and care needs with you and we will discuss these with you.

The right to data portability

Your right to data portability – you have the right to ask that we transfer the information you gave us from one organisation to another. The right only applies if we are processing information based on your consent or under a contract, and the processing is automated, so will only apply in very limited circumstances.

National data opt-out

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  •  improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear lawful basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential health and care information is only used like this when allowed by law.

Whenever possible data used for research and planning is anonymised, so that you cannot be identified and your confidential information is not accessed.

You have a choice about whether you want your confidential information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Our organisation has reviewed the disclosures we make and is compliant with the national data opt-out policy.

OpenSAFELY COVID-19 Service

The NHS England OpenSAFELY COVID-19 Service is a secure, transparent, open-source software platform for analysis of electronic health data. The system provides access to de-identified (pseudonymised) personal data to support Approved Users (academics, analysts, and data scientists) to undertake approved projects for COVID-19 research, COVID-19 clinical audit, COVID-19 service evaluation and COVID-19 health surveillance purposes.

The purposes for processing are to identify medical conditions and medications that affect the risk or impact of COVID-19 infection on individuals; this will assist with identifying risk factors associated with poor patient outcomes as well as information to monitor and predict demand on health services.

Further information can be found on the NHS Digital website.

Other ways we use your information

Call recording

All telephone calls are routinely recorded for the following purposes:

  • To make sure that staff act in compliance with our procedures.
  • To ensure quality control.
  • Training, monitoring and service improvement
  • To prevent crime, misuse and to protect staff and patients

SMS Text messaging

When attending the Practice for an appointment or a procedure you may be asked to confirm that the Practice has an accurate contact number and mobile telephone number for you. This can be used to provide appointment details via SMS text messages and automated calls to advise you of appointment times.

CCTV

Surveillance cameras (CCTV) are employed on and around our practice in order to:

  • protect staff, patients, visitors and Practice property
  • apprehend and prosecute offenders, and provide evidence to take criminal or civil court action
  • provide a deterrent effect and reduce unlawful activity
  • help provide a safer environment for our staff
  • monitor operational and safety related incidents
  • help to provide improved services, for example by enabling staff to see patients and visitors requiring assistance

St Martins does not own our building. The building owner is Assura. Assura is the data controller for the CCTV pictures. They will only retain surveillance data for a reasonable period or as long as is required by law. In certain circumstances (high profile investigations, serious or criminal incidents) they may need to disclose CCTV data for legal reasons.

How do I complain?

If you have any concerns about our use of your personal information, you can make a complaint to us via the Contact Us form on this website.

Following this, if you are still unhappy with how we have used your data, you can then complain to the ICO.

The ICO’s address is: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

Date of last review

This privacy notice was reviewed and updated in August 2024.

Page last updated: 27.8.2024

Online Medical Records Access

The easiest way to see your medical records online is via the NHS App. The App can be downloaded from the Play Store; once it is installed, follow its instructions.

If you want to see older records than are visible through the App then please contact us via AccuRx and we will send you a request form to complete.

It is possible via NHS App to see the records of someone you care for. Please be aware that for children, proxy access is only allowable up until their 11th birthday, after which different arrangements have to be made. This is in line with national guidance.

Personal Data

The following IT systems are in use at the practice:

  • Referral Management (using NHS numbers in referrals)
  • Electronic Appointment Booking (the facility to book routine appointments online and, similarly, to cancel appointments)
  • Online booking of repeat prescriptions
  • Summary Care Record (uploading details of your current medication and allergies to the national “spine” so that these are available for doctors involved in your care elsewhere)
  • GP to GP transfers (the electronic transfer of records from practice to practice when you re-register)
  • Patient Access to records (the facility to view your medical records online).

If you are not already registered for online access and would like to be, please contact reception.

If you would like access to your medical records enabled or would like to opt out of the local or national summary care record, please contact reception.

Privacy Policy

This privacy notice lets you know what happens to any personal data that you give to us, or any that we may collect from or about you.

This privacy notice applies to personal information processed by or on behalf of the practice.

This Notice explains:

  • Who we are, how we use your information and our Data Protection Officer
  • What kinds of personal information about you do we process?
  • What are the legal grounds for our processing of your personal information (including when we share it with others)?
  • What should you do if your personal information changes?
  • For how long your personal information is retained by us?
  • What are your rights under data protection laws?

The General Data Protection Regulation (GDPR) became law on 24th May 2016. This is a single EU-wide regulation on the protection of confidential and sensitive information. It enters into force in the UK on the 25th May 2018, repealing the Data Protection Act (1998).

For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), and the Data Protection Act 2018 (currently in Bill format before Parliament)), the practice is responsible for your personal data.

This Notice describes how we collect, use and process your personal data, and how, in doing so, we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.

How we use your information and the law.

The practice will be what’s known as the ‘Controller’ of the personal data you provide to us.

We collect basic personal data about you which does not include any special types of information or location-based information. This does, however, include name, address and contact details such as email and mobile number.

We will also collect sensitive confidential data known as “special category personal data”, in the form of health information, religious belief (if required in a healthcare setting), ethnicity, and sex during the services we provide to you and/or linked to your healthcare through other health providers or third parties.

Why do we need your information?

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.

NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which the Practice holds about you may include the following information:

  • Details about you, such as your address, carer, legal representative, emergency contact details
  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations such as laboratory tests, x-rays etc
  • Relevant information from other health professionals, relatives or those who care for you

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided.

How do we lawfully use your data?

We need to know your personal, sensitive and confidential data in order to provide you with healthcare services as a General Practice. Under the General Data Protection Regulation we will be lawfully using your information in accordance with:

Article 6, (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

Article 9, (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

This Privacy Notice applies to the personal data of our patients and the data you have given us about your carers/family members.

Risk Stratification

Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information and is only provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services. Please note that you have the right to opt out of your data being used in this way.

Medicines Management

The Practice may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments.

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 2018
  • The General Data Protection Regulations 2016
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality, Information Security and Records Management
  • Information: To Share or Not to Share Review

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.

Our practice policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the General Data Protection Regulations (GDPR) and all UK specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be protected.

All employees and sub-contractors engaged by our practice are asked to sign a confidentiality agreement. The practice will, if required, sign a separate confidentiality agreement if the client deems it necessary. If a sub-contractor acts as a data processor for the practice an appropriate contract (art 24-28) will be established for the processing of your information.

In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact the Data Protection Officer in writing if you wish to withdraw your consent. In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose in an identifiable format. In some circumstances you can opt out of the surgery sharing any of your information for research purposes.

We would however like to use your name, contact details and email address to inform you of services that may benefit you, with your consent only. There may be occasions where authorised research facilities would like you to take part in innovations, research, improving services or identifying trends.

At any stage where we would like to use your data for anything other than the specified purposes and where there is no lawful requirement for us to share or process your data, we will ensure that you have the ability to consent and opt out prior to any data processing taking place. This information is not shared with third parties or used for any marketing and you can unsubscribe at any time via phone, email or by informing the practice DPO as below.

Where do we store your information Electronically?

All the personal data we process is processed by our staff in the UK; however, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place. We have a Data Protection regime in place to oversee the effective and secure processing of your personal and/or special category (sensitive, confidential) data.

Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:

  • NHS Trusts / Foundation Trusts
  • GPs
  • eMBED Health
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • NHS England (NHSE) and NHS Digital (NHSD)
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • Other ‘data processors’ which you will be informed of

You will be informed who your data will be shared with and in some cases asked for consent for this to happen when this is required.

We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure. All employees and sub-contractors engaged by our practice are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor for the practice an appropriate contract (art 24-28) will be established for the processing of your information.

How long will we store your information?

We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records management code of practice for health and social care and national archives requirements. More information on records retention can be found online at https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016.

How can you access, amend or move the personal data that you have given to us?

Even if we already hold your personal data, you still have various rights in relation to it. To get in touch about these, please contact us. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise.

Right to object: If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply.

Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities (for example for a research project), or consent to market to you, you may withdraw your consent at any time.

Right to erasure: In certain situations (for example, where we have processed your data unlawfully), you have the right to request us to “erase” your personal data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases) and will only disagree with you if certain limited conditions apply. If we do agree to your request, we will delete your data but will generally assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data are collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so.

Right of data portability: If you wish, you have the right to transfer your data from us to another data controller. We will help with this with a GP to GP data transfer and transfer of your hard copy notes.

Access to your personal information

Data Subject Access Requests (DSAR): You have a right under the Data Protection legislation to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. To request this, you need to do the following:

  • Your request should be made to the Practice – for information from the hospital you should write direct to them
  • There is no charge to have a copy of the information held about you
  • We are required to respond to you within one month
  • You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located

What should you do if your personal information changes?

You should tell us so that we can update our records. Please contact the Practice Manager as soon as any of your details change; this is especially important for changes of address or contact details (such as your mobile phone number). The practice will from time to time ask you to confirm that the information we currently hold is accurate and up to date.

Publication Scheme

This publication scheme is a complete guide to the information routinely made available to the public by St Martins practice. It is a description of the information about our GPs and the Practice which we make publicly available. It will be reviewed at regular intervals and we will monitor its effectiveness.

Your rights to information

The Freedom of Information Act 2000 recognises that members of the public have the right to know how public services are organised and run, how much they cost and how the decisions are made.

We will respond to requests about information we hold within 20 days. This right is subject to some exemptions which have to be taken into consideration before deciding what information we can release. The timescale may be extended if we must give consideration to a full public interest test.

You are entitled to access your clinical records or any other personal information held about you. See the Medical Records section of our website, and then click: Subject Access Requests.

How much will it cost to get any information you want?

Wherever possible we will make the information available free of charge. If we do need to make a charge the cost will be made known to you before we go ahead.

Feedback

If you have any comments about the operation of the Publication Scheme, or how we have dealt with your request for information from the Scheme, please write to Camilla Hawkes, Practice Manager.

Classes of Information

| Information to be published | How the information can be obtained |
| --- | --- |
| Class 1 – Who we are and what we do. I.e. organisational information, structures, locations and contacts. This will be current information only | |
| Doctors in the practice | Website |
| Contact details for the practice (named contacts where possible with telephone number and email address (if used)) | Website |
| Opening hours | Website |
| Other staffing details | Website |
| Meetings specifically with pharmaceutical companies and other medical suppliers | None: our policy is not to meet with pharmaceutical companies. We can provide a copy of this policy on request to the practice manager. |
| Class 2 – What we spend and how we spend it. I.e. financial information relating to projected and actual income and expenditure, procurement, contracts and financial audit. Current and previous financial year as a minimum | |
| Details of NHS funding received by the practice | By application to practice manager |
| Audit of NHS income | By application to practice manager |
| Details of expenditure items over £10,000 | By application to practice manager |
| List and value of contracts awarded by the practice that have gone through formal tendering process | By application to practice manager |
| Staff allowances and expenses that can be incurred or claimed, with totals paid to senior staff members, i.e. partners in the business | By application to practice manager |
| Pay policy | By application to practice manager |
| Declaration of GPs’ NHS income | Website |
| Class 3 – What our priorities are and how we are doing. I.e. strategies and plans, performance indicators, audits, inspections and reviews. Current and previous year as a minimum | |
| Plans for the development and provision of NHS services | By application to practice manager |
| Performance data including performance against targets | |
| Inspection reports by CQC | CQC website |
| Class 4 – How we make decisions. I.e. decision making processes and records of decisions. Current and previous year as a minimum | |
| Records of decisions made in the practice affecting the provision of NHS services | By application to practice manager |
| Class 5 – Our policies and procedures. I.e. current written protocols, policies and procedures for delivering our services and responsibilities. Current information only | |
| Policies and procedures about the employment of staff | By application to practice manager |
| Internal instructions to staff and policies relating to the delivery of services | By application to practice manager |
| Equality and diversity policy | By application to practice manager |
| Health and safety policy | By application to practice manager |
| Complaints procedures (including those covering requests for information and operating the publication scheme) | Website |
| Records management policies (records retention, destruction and archive) | By application to practice manager |
| Data protection policies | |
| Policies and procedures for handling requests for information | Website |
| Patients’ charter | Website |
| Class 6 – Lists and Registers. Currently maintained lists and registers only | |
| Any publicly available register or list | None held |
| Class 7 – The services we offer. I.e. information about the services we offer, including leaflets, guidance and newsletters produced for the public. Current information only | |
| The services provided under contract to the NHS | Website |
| Charges for any of these services | Website |
| Information leaflets | Website |
| Out of hours arrangements | Website |
| Class 8 – This publication scheme | |
| This publication scheme | This scheme is on display on the website. Specific enquiries can be made to the Practice Manager |

Page checked / updated: 26.9.24

Sharing your Medical Record

Increasingly, patient medical data is shared e.g. between GP surgeries and District Nursing, in order to give clinicians access to the most up to date information when attending patients.

The systems we operate require that any sharing of medical information is consented to by patients beforehand. Patients must consent to sharing of the data held by a health provider out to other health providers and must also consent to which of the other providers can access their data.

  • E.g. it may be necessary to share data held in GP practices with district nurses but the local podiatry department would not need to see it to undertake their work. In this case, patients would allow the surgery to share their data, they would allow the district nurses to access it but they would not allow access by the podiatry department. In this way access to patient data is under patients’ control and can be shared on a ‘need to know’ basis.

Subject Access Requests (GDPR Right of Access)

How can I see what information you hold about me?

You have a right under data protection legislation to request to see what information the practice holds about you. You also have the right to ask for inaccuracies to be corrected and in some circumstances you have the right to request that we stop processing your data. Some of these rights are not automatic and we reserve the right to discuss with you why we might not comply with a request from you to exercise them.

If you make a Subject Access Request, we will:

  • describe the information we hold about you
  • tell you why we are holding that information
  • tell you who it might be shared with
  • at your request, provide a copy of the information in an easy to read form

In order to request this, you need to do the following:

  • Your request may be made verbally, or in writing – for information from the hospital you should contact it directly.
  • We will provide electronic copies (via online access, by email) free of charge.
  • We are required to respond to you within 1 month.

In some circumstances there may be a charge to have a printed copy of the information held about you. If this is the case, this will be discussed with you before any charge is made.

Please note: we make full-text medical records back to 2016 available to our patients via our online service. It is quicker and easier for both you and us to obtain online access in this way, rather than through the formal Subject Access Request process. If you would like to set up online access then see below and please speak to our Patient Support team.

If you would like to make a Subject Access Request or have any further questions, please complete the form below and follow the instructions set out on the forms, or call our Patient Support team on 0113 22 11 888.

Online Medical Records Access

All patients who are registered with our Online Service are able to view their medical records online.

We would ask firstly that you read the information in the leaflets available from reception. Then, to register, please print and complete the request form and bring it in to the surgery. Alternatively, if you come in to the front desk we can print you a form which is largely pre-filled. We will ask you a few questions to confirm your identity.

If you wish to apply for proxy access, i.e. on behalf of someone you care for, then there is a different form to complete (also below). Please be aware that for children, proxy access is only allowable up until their 11th birthday, after which different arrangements have to be made. This is in line with national guidance. The information leaflets below have more information.

Summary Care Record

Your patient record is held securely and confidentially on the electronic system at your GP practice. If you require treatment in another NHS healthcare setting such as an Emergency Department or Minor Injury Unit, those treating you would be better able to give you appropriate care if some of the information from the GP practice were available to them.

This information can now be shared electronically via the Summary Care Record, used nationally across England.

The information will be used only by authorised health care professionals directly involved in your care. Your permission will be asked before the information is accessed, unless the clinician is unable to ask you and there is a clinical reason for access.

If you would like to opt out, please ask reception for our opt out form.

A parent or guardian can request to opt out children under 16 but ultimately it is the GP’s decision whether to create the records or not, because of their duty of care to the child. If you are the parent or guardian of a child under 16 and feel that they are able to understand, then you should make this information available to them.

Who Has Access?

Across all health care settings, including urgent care, community care and outpatient departments in England.

Information Source

GP record

Content

  • Your current medications
  • Any allergies you have
  • Any bad reactions you have had to medicines
  • Additional information (upon request to your GP)

For more information visit:

www.digital.nhs.uk

Telephone Call Recording for GDPR

Outline:

This summary outlines the practice’s call recording process that is in operation. The purpose of call recording is to provide a record of incoming and outgoing calls, which can:

  • Protect the interests of both parties
  • Help improve practice performance and service delivery in the interests of providing best care
  • Protect the Practice team from nuisance or abusive calls
  • Establish facts relating to incoming/outgoing calls made (e.g. concerns, complaints and medico-legal claims)
  • Contract compliance as part of Contemporaneous Record Keeping, part of the Records Management Policy and Access to Health Records

Aim:

The aim of this policy is to ensure that the telephone call recording is operated in accordance with General Data Protection Regulations 2018. This will involve the recording of telephone conversations, which are subject to the Telecommunications Act 1984.

For call recording, the following GDPR conditions are met:

Article 6, (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

Article 9, (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

Process:

The Practice will make every reasonable effort to advise Patients that their call will be recorded and for what purpose the recording may be used.

Where a patient requests a copy of a recording, this is authorised under the general provisions for data subject access requests in the GDPR. Any requests for copies of telephone conversations made as Subject Access Requests under the GDPR must be notified in writing to the Practice.

Playback / Monitoring of Recorded Calls:

Call recordings are securely stored as 256-bit encrypted files with access restricted to the Practice Manager by use of login credentials. The monitoring of the call recordings will be undertaken by the Practice Manager and/or Assistant Practice Manager. Any playback of recordings will take place in a secure and confidential environment.

The General Data Protection Regulation 2018 allows access to information that is held about you. This includes recorded telephone calls. Telephone call recordings are stored in such a way that will enable easy access to the information relating to one or more individuals. All requests for access are by Subject Access Requests as per GDPR; applications should be made in writing to the Practice.

Last updated: 19.7.19

Accessing someone else’s information

As a parent, family member or carer, you may be able to access services for someone else. We call this having proxy access. We can set this up for you if you are both registered with us.

To request proxy access:

  • collect a proxy access form from reception from 10:00 am to 6:00 pm

Linked profiles in your NHS account

Once proxy access is set up, you can access the other person’s profile in your NHS account, using the NHS App or website.

The NHS website has information about using linked profiles to access services for someone else.