Revised June 2021

COVID-19 Pandemic and Your Information

The Information Commissioner’s Office (ICO) recognises the unprecedented challenges the NHS and other health professionals are facing during the Coronavirus (COVID-19) pandemic.

The ICO also recognise that ‘Public bodies may require additional collection and sharing of personal data to protect against serious threats to public health’.

The Government have also taken action in respect of this and on 20th March 2020 the Secretary of State for Health and Social Care issued a Notice under Regulation 3(4) of The Health Service (Control of Patient Information) Regulations 2002 requiring organisations such as GP Practices to use your information to help GP Practices and other healthcare organisations to respond to and deal with the COVID-19 pandemic.

In order to look after your healthcare needs during this difficult time, we may urgently need to share your personal information, including medical records, with clinical and non-clinical staff who belong to organisations that are permitted to use your information and need to use it to help deal with the Covid-19 pandemic. This could (amongst other measures) consist of either treating you or a member of your family and enable us and other healthcare organisations to monitor the disease, assess risk and manage the spread of the disease.

Please be assured that we will only share information and health data that is necessary to meet yours and public healthcare needs.

The Secretary of State for Health and Social Care has also stated that these measures are temporary and will expire on 30th September 2021 unless a further extension is required. Any further extension will be provided in writing and we will communicate the same to you.
Please also note that the data protection and electronic communication laws do not stop us from sending public health messages to you, either by phone, text or email as these messages are not direct marketing.

It may also be necessary, where the latest technology allows us to do so, to use your information and health data to facilitate digital consultations and diagnoses and we will always do this with your security in mind.

For more information, the COPI notice.

If you are concerned about how your information is being used, please contact our Data Protection Officer using the contact details provided in this Privacy Notice.

COVID-19: At Risk Patients Data Collection

The Department of Health and Social Care has directed NHS Digital to collect patient data for the purpose of identifying those who may be clinically extremely vulnerable if they contract COVID-19.

The required data comprises two extracts:

  • patients registered at GP practices in England
  • patients registered as part of the criminal justice secure and detained estate in England.

The data collected will be analysed and linked with other data NHS Digital holds to identify a list of clinically extremely vulnerable patients who will be advised to take shielding measures to protect themselves.

  • Patient level data including name, address, NHS Number and GP practice will be collected for identified patients.
  • Patients added to the Shielded Patient List (SPL) will be contacted by the NHS on behalf of the Chief Medical Officer, Chris Whitty, to advise of the measures they can take to reduce their risk of contracting the virus and to sign-post them to the Extremely Vulnerable Persons service operated by gov.uk

Data will be collected weekly under the Covid-19 Health and Social Care Act 2012 in support of the Public Health Directions 2020. Collection will continue until the expiry of the COVID-19 Direction. This is currently 31 March 2022 but will be reviewed in September 2020 and every 6 months thereafter.

Find out how the Shielded Patient List is being used.

Find out more about the Extremely Vulnerable Persons service.

COVID-19: Research Projects

The Government has requested that every effort is made by healthcare organisations to enrol patients in the national priority clinical trials to help find a treatment for Covid-19.

The key three national trials are:

Other priority studies, including observational studies, are listed here.

Patients will be asked for their consent to take part in the national trials and for their data to be shared. Patients may be invited to take part in additional Covid-19 related research projects for which pseudo anonymised or patient identifiable data may be used with their consent. Anonymous data may also be collected from the practice for the purpose of Covid-19 research to improve patient and public health. Individuals cannot be identified from the collection of anonymous data.

COVID-19: Increased patient information for health and care professionals

To help the NHS to respond to the COVID-19 pandemic, NHSX and NHS Digital are improving the access that doctors, nurses and other authorised health and care professionals have to medical records and information. This will help them to more safely treat and advise patients who are not attending their usual GP practice or who have called NHS 111.

Changes are being made to GP Connect and to the Summary Care Record to enable this.

GP Connect

GP Connect is a service that allows GP practices and authorised clinical staff to share and view GP practice clinical information and data between IT systems, quickly and efficiently (see point 10.P below).

Following the Covid-19 pandemic, additional functionality will be rapidly deployed across GP Connect to give GPs, NHS 111 clinicians and those in urgent and emergency care settings providing direct care, access to all primary care medical records through the GP Connect solution.

This will:

  • improve GPs ability to treat patients outside of their registered practice, giving patients easier access to a GP when they need one, regardless of demand or staffing levels in their own practice, for example within a network or a federation hub;
  • give authorised health and care professionals working in primary care, NHS 111 – including the COVID Clinical Assessment Service (CCAS) – and other appropriate direct care settings, access to the GP records of the patients they are treating, regardless of where they are registered;
  • allow remote organisations such as NHS 111 to book appointments directly with the patients GP practice including the ability to manage referrals from the COVID Clinical Assessment Service (CCAS). This will enable healthcare professionals to provide more timely care and provide flexibility for the primary care system.

Summary Care Record

A small set of information is already widely available – on allergies and medications – in the Core Summary Care Record (SCR) which every patient has, unless they have decided to opt-out of having a SCR (see point 7 below). A proportion of the population also currently share Additional Information as part of their SCR. The Additional Information includes information such as:

  • details of the management of long-term conditions
  • medications
  • immunisations
  • care plan information
  • significant medical history, past and present.

The sharing of this Additional Information as part of a SCR ordinarily requires the prior explicit consent of the patient. Under the Notice issued under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002 (the COPI notice) requiring confidential patient information to be shared in response to the COVID-19 pandemic, this Additional Information will now automatically be included in all patient SCRs unless a patient has expressed a preference not to include it. This will provide a wider range of health and care professionals across the country with faster access to more information about the patients they are treating. More information can be found here.

Patients still have the option of retaining a Core SCR and opting out of sharing Additional Information, or opting out of having an SCR altogether. They also may choose to opt back into the sharing of their SCR should they wish. A form has been published to allow patients to exercise this option, which should be returned to their practice and can be found here.

These are temporary arrangements for the period of the COPI Notice.

These changes will help improve patient care by giving authorised clinical staff in general practice, NHS 111 and in other care settings providing direct care faster access to the GP Record and the Additional Information in patient’s Summary Care Records during the coronavirus pandemic period. Access to this information will help professional staff to provide tailored clinical care to that patient – including those patients with long term medical conditions – and support clinical assessment and decision making.

Patients can be reassured that:

  • Summary Care Records and GP Records accessed in this way will only be used to support individual direct patient care
  • Healthcare professionals must only access a Summary Care Record where they have the patient’s permission to do so or in an emergency when a patient is unable to give consent.
  • Patients can be reassured that if they have expressed a consent preference with regard to their Summary Care Record, to either opt-out or have a Core Summary Care Record only, their preference will continue to be respected and applied.

Patients can be assured that if they have opted out of their practice sharing their GP record, this decision will be respected and it will not be shared via the GP Connect service. Patients can also change their preferences to opt-out of, or opt back into having their information shared should they wish to.

More information on GP Connect and Summary Care Records is available on the NHS Digital website.

GP Connect

Summary Care Record

For more information about the Covid-19 Public Health Directions 2020 and how NHS Digital is using patient data to support the government response to the Covid-19 outbreak please visit:

Covid 19 Response Information Governance Hub

End of notice specific to the COVID-19 pandemic

 

1. Why are we providing this Privacy Notice?

We are required to provide you with this Privacy Notice by Law. It explains how we use the personal and healthcare information we collect, store and hold about you. If you are unclear about how we process or use your personal and healthcare information, or you have any questions about this Privacy Notice or any other issue regarding your personal and healthcare information, then please do contact our Data Protection Officer (details below).

The Law says:

  1. We must let you know why we collect personal and healthcare information about you;
  2. We must let you know how we use any personal and/or healthcare information we hold on you;
  3. We need to inform you in respect of what we do with it;
  4. We need to tell you about who we share it with or pass it on to and why; and
  5. We need to let you know how long we can keep it for.

2. The Data Protection Officer

The Data Protection Officer for Living Well Partnership Caroline Sims. You can contact the Caroline Sims if:

  • You have any questions about how your information is being held;
  • If you require access to your information or if you wish to make a change to your information;
  • If you wish to make a complaint about anything to do with the personal and healthcare information we hold about you;
  • Or any other query relating to this Policy and your rights as a patient.

3. About us

We, at the Living Well Partnership (‘the Surgery’) are a Data Controller of your information. This means we are responsible for collecting, storing and handling your personal and healthcare information when you register with us as a patient.

There may be times where we also process your information. That means we use it for a particular purpose and, therefore, on these occasions we may also be Data Processors. The purposes for which we use your information are set out in this Privacy Notice.

4. Information we collect from you

The information we collect from you will include:

  1. Your contact details (such as your name and email address, including place of work and work contact details);
  2. Details and contact numbers of your next of kin;
  3. Your age, gender, ethnicity, sexual orientation;
  4. Details in relation to your medical history;
  5. The reason for your visit to the Surgery;
  6. Medical notes and details of diagnosis and consultations with our GPs and other health professionals within the Surgery involved in your direct healthcare.

5. Information about you from others

We also collect personal information about you when it is sent to us from the following:

  1. a hospital, a consultant or any other medical or healthcare professional including community and social, or any other person involved with your general healthcare.

6. Your Summary Care Record

Your summary care record is an electronic record of your healthcare history (and other relevant personal information) held on a national healthcare records database provided and facilitated by NHS England.

This record may be shared with other healthcare professionals and additions to this record may also be made by relevant healthcare professionals and organisations involved in your direct healthcare.

You may have the right to request that this record is not shared with anyone who is not involved in the provision of your direct healthcare.

You can also provide consent for additional information to be included on your Summary Care Record (such as details of a carer, treatment preferences and communication needs).

An opt out form (including consent for additional information to be shared) is available on our website or from reception.

More information about Summary care Records can be found here: Summary Care Records (SCR) – information for patients – NHS Digital

7. Care and Health Information Exchange (“CHIE”)

Care and Health Information Exchange (CHIE), formerly known as the Hampshire Health Record or HHR, is an electronic summary record for people living in Hampshire, Portsmouth and Southampton.

In order for different parts of the health and care system to work together to provide you with the support you need, the CHIE stores summary information from these organisations in one place so that, with your consent, health care professionals can view it to deliver better care to you. From July 2019 this data can be reviewed in ‘real time’ which ensures that it is always up to date.

This record contains more information than the Summary Care Record, but is only available to organisations in Hampshire.

Records on CHIE are held with clear NHS numbers and other identifiers required to locate information to deliver to professionals in support of treatment and care. The primary purpose of the CHIE is to provide clinical and care professionals with complete, accurate and up-to-date information when caring for patients like you.

In addition to ensuring that people who care for you have access to the right level of summary information CHIE also analyses trends in population health through a database called Care and Health Information Analytics (CHIA). This is called ‘secondary processing’. CHIA is a physically separate database, which receives some data from CHIE but all of the data used in this way has been ‘pseudo-anonymised’ – this means names, initials, addresses, dates of birth and postcodes have all been removed.

It is not possible to identify any patient by looking at the ‘pseudo-anonymised’ data on the CHIA database. People who have access to CHIA do not have access to CHIE.

If you object to your information being processed or stored on CHIE it can retain just enough information about you to ensure that the restriction is respected in future.  You can ask to restrict processing to direct care (data not transferred to CHIA by registering a type 1 opt-out) only or completely (data not visible in CHIE or CHIA by registering a CHIE and type one opt-out). An opt-out form is available on our website or from reception.

Further details about CHIE are available here

CHIE Poster

CHIE Review of Procedures Compliance with GDPR

8. Who we may provide your personal information to and why

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care Services, important information about you is collected to help ensure you get the best possible care and treatment. This information may be passed to other approved organisations where there is a legal basis to do so, to help with planning services, improving care, research into developing new treatments and preventing illness. All of this helps in providing better care to you and your family and future generations. As explained in this privacy notice, confidential information about your health and care is only used in this way where allowed by law and would never be used for any other purpose without your clear and explicit consent.

We may pass your personal information on to the following people or organisations, because these organisations may require your information to assist them in the provision of your direct healthcare needs. It, therefore, may be important for them to be able to access your information in order to ensure they may properly deliver their services to you:

  1. Hospital professionals (such as doctors, consultants, nurses, etc);
  2. Other GPs/Doctors;
  3. Nurses and other healthcare professionals;
  4. Dentists;
  5. Any other person that is involved in providing services related to your general healthcare, including mental health professionals.
  6. Pharmacists – Prescriptions containing personal identifiable and health data will be shared with chemists/pharmacies, in order to provide patients with essential medication or treatment as their health needs dictate. This process is achieved either by face to face contact with the patient or electronically. Repeat or acute prescriptions may be ordered and sent directly to the pharmacy making a more efficient process. Arrangements can also be made with the pharmacy to deliver medication. When fulfilling prescription requests, the pharmacy is the data processor.

9. Other people who we provide your information to

  1. Commissioners;
  2. Clinical Commissioning Groups;
  3. Local authorities (Social Services);
  4. Community health services;
  5. The Health Service Ombudsman;
  6. Public Health England;
  7. NHS Digital for the purposes of mandatory national primary care audits directed by NHS England, with which practices must legally comply. This audit data, which may be patient identifiable, helps support practices to identify opportunities for improvement in clinical care. More information about what data is collected by NHS Digital, how it is used and for what purpose is found on NHS Digital Keeping Data Safe
  8. One of the primary data collections by NHS Digital is the General Practice Data for Planning and Research (GPDPR), in which confidential patient data is extracted to support vital health and care planning and research. (This data collection will run alongside the original General Practice Extraction Service (GPES) collection until September 2021 when the GPES will be replaced by the GPDPR). Practices are legally required to comply with the GPDPR. Patients who want to opt out of their data being collected by NHS Digital or leaving the practice for any purpose other than their direct health care, can register a Type 1 opt out directly with their practice. A Type 1 opt out form is available on our website or from reception. Alternatively patients can register with the National Data Opt Out (see point 20 or visit Your NHS Data matters to prevent personal data being used by NHS England for research and planning or any other secondary use. More information about the GPDPR can be found here: General Practice Data for Planning and Research: NHS Digital Transparency Notice – NHS Digital
  9. Medicines and Healthcare products Regulatory Agency (MHRA). Anonymous data is collected from the practice for the purpose of research to improve patient and public health. You cannot be identified from the information sent to MHRA. Patients may be invited to take part in additional research projects for which pseudo anonymised or patient identifiable data may be used. Patients will always be asked to consent to taking part in these projects and for personal data to be shared.
  10. Health Intelligence. The Practice shares your diabetes related data with the Diabetic Eye Screening Programme operated by Health Intelligence (commissioned by NHS England). This supports your invitation for eye screening (where you are eligible and referred by the Practice) and ongoing care by the screening programme. This data may be shared with any Hospital Eye Services you are under the care of to support further treatment and with other healthcare professionals involved in your care, for example your Diabetologist. For further information, take a look at Health Intelligence’s Privacy Notice on the diabetic eye screening website: desphiow.co.uk
  11. Healthy io – ACR App. The purpose of this project is to identify and provide support for patients with Chronic Kidney Disease, inviting the patients to use an App to monitor their kidney function and allow the GP to review the results. Anonymised data will be analysed for audit purposes. In this case the data processor is Healthy.io, Precision, Twilio. The legal basis for processing this data is: under UK GDPR 6 1 (e) Public Task and 9 2 (h) Health data.
  12. LumiraDX processes data relating to patients using INRStar under the legal basis of public interest / task and the delivery of direct health care.
  13. Anonymised patient data is shared with Midlands and Lancashire Commissioning Support Unit and NHS Business Services Authority as part of a Patient Experience Survey pilot on behalf of NHS England. Data is processed under the legal basis of public interest and the management of healthcare systems. Patients can decline to take part in the survey or they can opt out of their data leaving the practice for any purpose other than their direct health care, by completing a Type 1 opt out form available on our website or from reception.
  14. GP Hubs. We provide extended access services to our patients, at hubs across the city and in Hedge End. This means you can access medical services outside of our normal working hours. In order to provide you with this service, we have formal arrangements in place with the Clinical Commissioning Groups (Southampton City and West Hampshire) and the providers of the service, Southampton Primary Care Limited and Eastleigh Southern Parishes Network, also known as the “hubs”. This means the “hubs” will have to have access to your medical record to be able to offer you the service. Please note, to ensure that those practices comply with the law and to protect the use of your information, we have very robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those purposes only
  15. Local data sharing schemes. These schemes enable healthcare professionals outside of the Surgery to view information from your GP record, with your explicit consent, should that need arise. These schemes are as follows:
    • The National Summary Care Record (SCR) – further details above
    • The Care and Health Information Exchange (CHIE) – further details above
    • EMIS Web data streaming (A&E and GP hubs)
    • Remote Consultations (GP out of hours)
    • Adastra Web Access (GP out of hours)
    • IBIS (Ambulance service)
    • Symphony (Southampton General Hospital)
  16. GP Connect is a service that allows GP practices and authorised clinical staff to share and view GP practice clinical information and data between IT systems, quickly and efficiently. This enables:
    • GPs to treat patients outside of their registered practice, giving patients easier access to a GP when they need one, regardless of demand or staffing levels in their own practice, for example within a network or a federation hub;
    • authorised health and care professionals working in primary care, NHS 111 and other appropriate direct care settings, to access the GP records of the patients they are treating, regardless of where they are registered;
    • remote organisations such as NHS 111 to book appointments directly with the patient’s GP practice, allowing healthcare professionals to provide more timely care and flexibility for the primary care system.
  17. Data Extraction by the Clinical Commissioning Group. The Clinical Commissioning Group, at times, extracts medical information about you but the information we pass to them via our computer systems cannot identify you to them. This information only refers to you by way of a code that only your practice can identify (it is pseudo-anonymised). This therefore protects you from anyone who may have access to this information at the Clinical Commissioning Group from ever identifying you as a result of seeing the medical information and we will never give them the information that would enable them to do this.
  18. There are good reasons why the Clinical Commissioning Group may require this pseudo-anonymised information, which are:
    • To enable the commissioning of services that meet the needs of the population they are serving;
    • To protect the health of the public.
  19. For the purposes of complying with the law e.g. Police, Solicitors, Insurance Companies, NHS Counter Fraud.
  20. Anyone you have given your consent to, to view or receive your record, or part of your record. Please note, if you give another person or organisation consent to access your record we will need to contact you to verify your consent before we release that record. It is important that you are clear and understand how much and what aspects of your record you give consent to be disclosed.  

10. Anonymised information

Sometimes we may provide information about you in an anonymised form. If we do so, none of the information we provide to any other party will identify you as an individual and cannot be traced back to you.

11. Third party processors

In order to deliver the best possible service, Living Well Partnership will share data (where required) with other NHS bodies such as other GP practices and hospitals, as advised above. In addition the Partnership will use carefully selected third party service providers to support the delivery of patient care. When we use a third party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties or using third party software include:

  1. Companies that provide IT services and support, including our core clinical systems; systems which manage patient facing services (such as our website and services accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc;
  2. Companies that carry out remote data searches to support the achievement of the Quality Outcomes Framework (QOF) and the provision of some enhanced and core medical services. Data processing may, for example, support the management of chronic conditions or major public health concerns, the provision of preventative services such as screening or the identification of disease prevalence;
  3. Platforms that enable electronic communication with patients about their direct care (for example SMS text messages, e-Consults and video consultations. Video consultations use a secure connection and are not recorded and e-Consults and personalised text messages are only stored within a patient’s record);
  4. Platforms that enable mass communication to patients electronically or by post (for example patient newsletters, public health information or invitations to attend an annual review);
  5. Delivery services (for example if we were to arrange for delivery of any medicines to you);
  6. Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).

12. Call recordings

All external calls made to and from Living Well Partnership surgery lines are recorded, including telephone consultations, for training and monitoring purposes and where appropriate, to assist in the investigation of complaints. Patients are notified that calls are recorded on Living Well Partnership’s telephone message and on our websites.

Recordings made as part of a patient’s care are treated as sensitive patient data. Call recordings are held securely within an online portal that can only be accessed by authorised Living Well Partnership staff. Recordings are accessible for 90 days before they are automatically deleted.

Any requests from patients for access to call recordings within a 90 day period must include the date, approximate time and the phone number used, to enable calls to be located within our telephone system.

Any call recordings that are downloaded by Living Well Partnership for training or monitoring purposes are stored electronically in a secure location and can only be accessed with a clinical or operational need to do so, by authorised Living Well Partnership staff and are deleted after use or after 1 year.

In line with NHS guidelines, call recordings that are downloaded by Living Well Partnership in relation to a complaint, are retained for up to 10 years.

Living Well Partnership’s telephone system enables patients to leave a message to cancel an appointment. Cancellation messages are sent to a secure NHS email account for action and are deleted after one month. Original messages are not retained.

13. Your rights as a patient

The Law gives you certain rights to your personal and healthcare information that we hold, as set out below:

A. Access and Subject Access Requests

You have the right to see what information we hold about you and to request a copy of this information.

If you would like a copy of the information we hold about you please email our Data Protection Officer. We will provide this information free of charge, however, we may, in some limited and exceptional circumstances, have to make an administrative charge for any extra copies or if the information requested is excessive, complex or repetitive.

We have one month to reply to your request and give you the information that you require. We would ask, therefore, that any requests you make are in writing and it is made clear to us what and how much information you require.

B. Online access

You may ask us if you wish to have online access to your medical record. However, there will be certain protocols that we have to follow in order to give you online access, including written consent and production of documents that prove your identity.

Please note that when we give you online access, the responsibility is yours to make sure that you keep your information safe and secure if you do not wish any third party to gain access.

C. Correction

 We want to make sure that your personal information is accurate and up to date. You may ask us to correct any information you think is inaccurate. It is very important that you make sure you tell us if your contact details including your mobile phone number has changed.

D. Removal

You have the right to ask for your information to be removed, however, if we require this information to assist us in providing you with appropriate medical services and diagnosis for your healthcare, then removal may not be possible.

E. Objection

We cannot share your information with anyone else for a purpose that is not directly related to your health, e.g. medical research, educational purposes, etc. We would ask you for your consent in order to do this, however, you have the right to request that your personal and healthcare information is not shared by the Surgery in this way. Please note the Anonymised Information section in this Privacy Notice.

F. Transfer

You have the right to request that your personal and/or healthcare information is transferred, in an electronic form (or other form), to another organisation, but we will require your clear consent to be able to do this.

14. Third Parties mentioned on your medical record

Sometimes we record information about third parties mentioned by you to us, during a consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them, which may breach their rights to confidentiality, are removed before we send any information to any other party including yourself. Third parties can include: spouses, partners and other family members.

15. How we use the information about you

We use your personal and healthcare information in the following ways:

  1. when we need to speak to, or contact other doctors, consultants, nurses or any other medical/healthcare professional or organisation during the course of your diagnosis or treatment or on going healthcare;
  2. when we are required by Law to hand over your information to any other organisation, such as the police, by court order, solicitors, or immigration enforcement.

We will never pass on your personal information to anyone else who does not need it, or has no right to it, unless you give us clear consent to do so.

16. Profiling

We may use automated software for the following reasons:

  1. Identify services which may benefit you;
  2. Support the commissioning of services to meet the needs of patients in the locality;
  3. Report to Governing Bodies to ensure we are offering opportunities and services to all population groups.

Any information we share is anonymised. We will never share your personal information with anyone to enable profiling.

17. Legal justification for collecting and using your information

The Law says we need a legal basis to handle your personal and healthcare information.

  1. CONSENT: Sometimes we also rely on the fact that you give us consent to use your personal and healthcare information so that we can take care of your healthcare needs. Please note that you have the right to withdraw consent at any time if you no longer wish to receive services from us.
  2. CONTRACT: We have a contract with NHS England to deliver healthcare services to you. This contract means that we are under a legal obligation to ensure that we deliver medical and healthcare services to the public.
  3. LEGAL OBLIGATION: Sometimes the Law obliges us to provide your information to an organisation.
  4. NECESSARY CARE: Providing you with the appropriate healthcare, where necessary. The Law refers to this as ‘protecting your vital interests’ where you may not be in a position to be able to consent.
  5. PUBLIC INTEREST / TASK: Sometimes processing patient data is necessary in the public interest.

18. Special Categories

The Law states that personal information about your health falls into a special category of information because it is very sensitive. The most common reasons that may entitle us to use and process your information are as follows:

  1. CONSENT: When you have given us consent;
  2. VITAL INTEREST: If you are incapable of giving consent and we have to use your information to protect your vital interests (e.g. if you have had an accident and you need emergency treatment);
  3. DEFENDING A LEGAL CLAIM: If we need your information to defend a legal claim against us by you, or by another party;
  4. PUBLIC INTEREST / TASK: Where we may need to handle your personal information when it is considered to be in the public interest. For example, when there is an outbreak of a specific disease and we need to contact you for treatment, or we need to pass your information to relevant organisations to ensure you receive advice and/or treatment;
  5. HEALTH OR SOCIAL CARE: Where we need your information to provide you with medical and healthcare services.
  6. PUBLIC HEALTH: When data processing is necessary for the reasons of public interest in the area of public health, for example, public health monitoring and statistics, NHS resource planning or public vaccination programmes

19. National Data Opt Out Programme

From September 2020 all health and care organisations including GP practices are required to be compliant with the National Data Opt Out (NDO) Programme.

Patients who have previously opted out of their data being shared by NHS Digital for secondary uses (a type 2 opt out), will have their preference transferred automatically to the NDO Programme. Patients do not need to do anything further if they continue not to want to share their data in this way.

Other patients may have previously opted out of their data leaving the practice for research and planning purposes (a type 1 opt out). This preference was due to be respected until September 2020 (now extended due to the Covid-19 pandemic). If patients continue not to want their data to be shared for these purposes, they need to register with the NDO Programme, see below.

Most of the time anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.

The National Data Opt Out does not apply to:

  1. Searches being carried out when sharing information for patients’ direct care, such as diabetic retinopathy. If patients also want to opt out of this they must inform their practice.
  2. Some research projects such as Biobank. Patients need to contact Biobank directly if they have signed up to this and they do not want their data shared with Biobank.
  3. Anonymised or aggregated data being shared with Clinical Commissioning Groups for audit or payment purposes; see section 9 above.
  4. The Summary Care Record; see section 6 above.

To find out more about the wider use of confidential personal information and to register your choice to opt out, please visit Your NHS Data Matters. On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

HRA Information About Patients (which covers health and care research); and

Understanding Patient Data (which covers how and why patient information is used, the safeguards and how decisions are made).

If you do choose to opt out, your confidential patient information will still be used to support your individual care. You can also still consent to your data being used for specific purposes.

You may change your preference at any time.

20. How long we keep your personal information

We carefully consider any personal information that we store about you and we will not keep your information for longer than is necessary for the purposes set out in this Privacy Notice. Data is retained in accordance with The Records Management Code of Practice for Health and Social Care 2016.

21 Under 16s

There is a separate privacy notice for patients under the age of 16, a copy of which may be obtained on request or here..

22. If English is not your first language

If English is not your first language you can request a translation of this Privacy Notice. Please contact our Data Protection Officer.

23. Complaints

If you have a concern about the way we handle your personal data or you have a complaint about what we are doing, or how we have used or handled your personal and/or healthcare information, please contact our Data Protection Officer.

You have a right to raise any concern or complaint with the UK information regulator, at the Information Commissioner’s Office.

24. Our Website

Living Well Partnership currently has four websites and this Privacy Notice applies to all four. If you use a link to any other website from the Surgeries websites then you will need to read their respective privacy notice. We take no responsibility (legal or otherwise) for the content of other websites.

The four websites covered by this Privacy Notice are:

http://www.bitterneparksurgery.nhs.uk/

http://www.ladieswalkpractice.nhs.uk/

http://www.westonlaneandharefieldsurgeries.co.uk/

http://www.stlukesandbotleysurgery.co.uk/

25. Cookies

Our websites use cookies. For more information on which cookies we use and how we use them, please see our websites.

26. Security

We take the security of your information very seriously and we do everything we can to ensure that your information is always protected and secure. We regularly update our processes and systems and we also ensure that our staff are properly trained. We also carry out assessments and audits of the information that we hold about you and make sure that if we provide any other services, we carry out proper assessments and security reviews.

27. Text Messaging and contacting you

We are obliged to protect any confidential information we hold about you and we take this very seriously, therefore it is imperative that you let us know immediately if you change any of your contact details.

We may contact you using SMS texting to your mobile phone to notify you about appointments and important information about your direct care, therefore you must ensure that we have your up to date details. This is to ensure we are sure we are actually contacting you and not another person.

More information about AccuRx (the system we use to text patients about their personal care) and how data is processed can be found in our AccuRx Data Protection Impact Assessment. A copy of this can be provided on request by submitting an administrative eConsult via our website.   

28. Where to find our Privacy Notice

You can find a copy of this Privacy Notice on our website, or a hard copy can be provided on request.

29. Changes to our Privacy Notice

We regularly review and update our Privacy Notice. This Privacy Notice was last updated in June 2021.

30. Copyright

This Privacy Notice has been adapted with permission from LMC Law Limited. This Privacy Notice shall not be transferred, sold, licensed, copied or otherwise utilised by any person other than with the permission of Living Well Partnership and LMC Law Limited.