General Data Protection Regulations
General Data Protection Regulations (GDPR) is a new legislation which is effective from 25th May 2018..
In order for patients to continue to receive SMS (Text messages) from Wyncroft Surgery, we need your consent.
If you have online access you can do this by logging onto SystmOnline (smart phone apps) and choosing the “Account” option then select change contact details. Scroll down to Telephone Numbers and click “Yes” button to allow messaging.
If you do not have access to Systmone online please contact surgery and speak to reception.
If you have an email address registered with the surgery - you will also need to give consent to receive communication.
We need following information when contacting the surgery - Name, Date of birth, Address and Telephone number along with your consent to receive the text messages from the surgery.
Please contact us if you need any further information.
Adults and Children
What is a privacy notice?
A privacy notice helps your doctor’s surgery tell you how it uses information it has about you, like your name, address, date of birth and all of the notes the doctor or nurse makes about you in your healthcare record.
Why do we need one?
You doctor’s surgery needs a privacy notice to make sure it meets the legal requirements which are written in a new document called the General Data Protection Regulation (Or GDPR for short).
What is GDPR?
GDPR is a document that helps your doctor’s surgery keep the information about you secure. It was introduced on the 25th May 2018, making sure that your doctor, nurse and any other staff at the practice follow the rules and keeps your information safe.
What information do we collect about you?
Don’t worry; we only collect the information we need to help us keep you healthy – such as your name, address, information about your parents or guardians, records of appointments, visits, telephone calls, your health record, treatment and medicines, test results, X-rays and any other information to enable us to care for you.
How do we use your information?
Your information is taken to help us provide your care. But we might need to share this information with other medical teams, such as hospitals, if you need to be seen by a special doctor or sent for an X-ray. Your doctor’s surgery may be asked to help with exciting medical research; but don’t worry, we will ask you, or your parents or adults with parental responsibility, if it’s okay to share your information.
How do we keep your information private?
Well, your doctor’s surgery knows that it is very important to protect the information we have about you. We make sure we follow rules that are written in the GDPR and other important rule books.
Don’t want to share?
All of our patients, no matter what their age, can say that they don’t want to share their information. If you are under 16 this is something which your parents or adults with parental responsibility will have to decide. They can get more information from a member of staff at the surgery, who can also explain what this means to you.
How do I access my records?
Remember we told you about the GDPR? Well, if you want to see what is written about you, you have a right to access the information we hold about you, but you will need to complete a Subject Access Request (SAR). Your parents or adults with parental responsibility will do this on your behalf if you are under 16. But if are over 12, you may be classed as being competent and you may be able to do this yourself. Please write in to the Practice Manager to request this and you will be given further information on how this process works, (or ask your parents or adults with parental responsibility to do so).
What do I do if I have a question?
If you have any questions, ask a member of the surgery team or your parents or adults with parental responsibility. You can also contact the practice on 01245 224253. GP Practices are data controllers for the data they hold about you.
What to do if you are not happy about how we manage your information
We really want to make sure you are happy, but we understand that sometimes things can go wrong. If you or your parents or adults with parental responsibility are unhappy with any part of our data processing methods, you can speak to the Practice Manager.
General Practice Transparency Notice for GPES Data for Pandemic Planning and Research (COVID19)
This practice is supporting vital coronavirus (COVID-19) planning and research by sharing your data with NHS Digital. This transparency notice supplements our main practice privacy notice.
The health and social care system is facing significant pressures due to the coronavirus (COVID-19) outbreak. Health and care information is essential to deliver care to individuals, to support health, social care and other public services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the coronavirus outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations. This practice is supporting vital coronavirus planning and research by sharing your data with NHS Digital, the national safe haven for health and social care data in England.
Our legal basis for sharing data with NHS Digital
NHS Digital has been legally directed to collect and analyse patient data from all GP practices in England to support the coronavirus response for the duration of the outbreak. NHS Digital will become the controller under the General Data Protection Regulation 2016 (GDPR) of the personal data collected and analysed jointly with the Secretary of State for Health and Social Care, who has directed NHS Digital to collect and analyse this data under the COVID-19 Public Health Directions 2020 (COVID-19 Direction).
All GP practices in England are legally required to share data with NHS Digital for this purpose under the Health and Social Care Act 2012 (2012 Act). More information about this requirement is contained in the data provision notice issued by NHS Digital to GP practices.
Under GDPR our legal basis for sharing this personal data with NHS Digital is Article 6(1)(c) - legal obligation. Our legal basis for sharing personal data relating to health, is Article 9(2)(g) – substantial public interest, for the purposes of NHS Digital exercising its statutory functions under the COVID-19 Direction.
The type of personal data we are sharing with NHS Digital
The data being shared with NHS Digital will include information about patients who are currently registered with a GP practice or who have a date of death on or after 1 November 2019 whose record contains coded information relevant to coronavirus planning and research. The data contains NHS Number, postcode, address, surname, forename, sex, ethnicity, date of birth and date of death for those patients. It will also include coded health data which is held in your GP record such as details of:
- diagnoses and findings
- medications and other prescribed items
- investigations, tests and results
- treatments and outcomes
- vaccinations and immunisations
How NHS Digital will use and share your data
NHS Digital will analyse the data they collect and securely and lawfully share data with other appropriate organisations, including health and care organisations, bodies engaged in disease surveillance and research organisations for coronavirus response purposes only. These purposes include protecting public health, planning and providing health, social care and public services, identifying coronavirus trends and risks to public health, monitoring and managing the outbreak and carrying out of vital coronavirus research and clinical trials. The British Medical Association, the Royal College of General Practitioners and the National Data Guardian are all supportive of this initiative.
NHS Digital has various legal powers to share data for purposes relating to the coronavirus response. It is also required to share data in certain circumstances set out in the COVID-19 Direction and to share confidential patient information to support the response under a legal notice issued to it by the Secretary of State under the Health Service (Control of Patient Information) Regulations 2002 (COPI Regulations).
Legal notices under the COPI Regulations have also been issued to other health and social care organisations requiring those organisations to process and share confidential patient information to respond to the coronavirus outbreak. Any information used or shared during the outbreak under these legal notices or the COPI Regulations will be limited to the period of the outbreak unless there is another legal basis for organisations to continue to use the information.
Data which is shared by NHS Digital will be subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the coronavirus purpose will be shared. Organisations using your data will also need to have a clear legal basis to do so and will enter into a data sharing agreement with NHS Digital. Information about the data that NHS Digital shares, including who with and for what purpose will be published in the NHS Digital data release register.
National Data Opt-Out
The application of the National Data Opt-Out to information shared by NHS Digital will be considered on a case by case basis and may or may not apply depending on the specific purposes for which the data is to be used. This is because during this period of emergency, the National Data Opt-Out will not generally apply where data is used to support the coronavirus outbreak, due to the public interest and legal requirements to share information.
National Data Opt Out
The national data opt-out was introduced on 25 May 2018, enabling patients to opt out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.
Patients can view or change their national data opt-out choice at any time by using the online service at www.nhs.uk/your-nhs-data-matters or by calling 0300 3035678.
By 2021 all health and care organisations are required to be compliant with the national data opt-out policy. NHS Digital and Public Health England are already compliant and are applying national data opt-outs.
The national data opt-out applies to the disclosure of confidential patient information for purposes beyond individual care across the health and adult social care system in England.
This document provides operational guidance to understand the application of national data opt-out policy – it sets out when the national data opt-out must be applied along with the exemptions when it will not apply. The national data opt-out applies to data that originates within the health and adult social care system in England and is applied by health and care organisations that subsequently process this data for purposes beyond individual care. The opt-out does not apply to data disclosed by providers of health and care services outside of England or to children’s social care services. This document includes guidance in relation to several specific data uses, for example risk stratification.
The national data opt-out is aligned with the authorisation used for sharing a patient’s data in accordance with the common law duty of confidentiality (CLDC). In broad terms the national data opt-out applies unless there is a mandatory legal requirement or an overriding public interest for the data to be shared. The opt-out does not apply when the individual has consented to the sharing of their data or where the data is anonymised in line with the Information Commissioner’s Office (ICO) Code of Practice on Anonymisation.
A member of the public is able to set an opt-out via a number of channels that include online, digitally assisted and non-digital channels. Any person registered on the Personal Demographic Services (PDS) and who consequently has an NHS number allocated to them is able to set a national data opt-out. The opt-out is stored in a central repository against their NHS number on the Spine, which supports the IT infrastructure for health and social care in England.
NHS Digital and Public Health England are applying the national data opt-out to any in scope data releases and are compliant with this policy. Other relevant organisations are required to be compliant with the opt-out by March 2020.
The opt-out applies regardless of the format of the data and this includes structured and unstructured electronic data and paper records. When the opt-out is applied, the entire record (or records) associated with that individual must be fully removed from the data being disclosed. The NHS number is used as the identifier for the removal of the records.
A national data opt-out publication provides statistics on the national data opt-out against various dimensions, including age and geography to help organisations to understand the impact of the opt-out on their data. Related documents that set out requirements and guidance on the application of the national data opt-out include the Data Security and Protection Toolkit (DSPT), the forthcoming Information Standard on Compliance with the National Data Opt-out and the NHS Digital Code of Practice on Confidential Information. Further information and guidance on the opt-out is available from the national data opt-out webpages.
The data is being processed for the purpose of delivery of a programme, sponsored by NHS Digital, to monitor urine for indications of chronic kidney disease (CKD) which is recommended to be undertaken annually for patients at risk of chronic kidney disease e.g., patients living with diabetes. The programme enables patients to test their kidney function from home. We will share your contact details with Healthy.io to enable them to contact you and confirm that you wish them to send you a test kit. This will help identify patients at risk of kidney disease and help us agree any early interventions that can be put in place for the benefit of your care. Healthy.io will only use your data for the purposes of delivering their service to you. If you do not wish to receive a home test kit from Healthy.io we will continue to manage your care within the Practice. Healthy.io are required to hold data we send them in line with retention periods outlined in the Records Management code of Practice for Health and Social Care. Further information about this is available at http://bit.ly/uACRtest.
Accessible Information Standard
The Accessible Information Standard aims to ensure that patients (or their carers) who have a disability or sensory loss can receive, access and understand information, for example in large print, braille or via email, and professional communication support if they need it, for example from a British Sign Language interpreter.
This applies to patients and their carers who have information and / or communication needs relating to a disability, impairment or sensory loss. It also applies to parents and carers of patients who have such information and / or communication needs, where appropriate.
Please call the surgery on 01245 224253, email on firstname.lastname@example.org, post or speak to a reception team member.