Privacy Notice

 

BACK TO MAIN INDEX

 

1. Why We Are Providing This Privacy Notice

This Privacy Notice explains why we collect information about you, how that information may be used, how we keep it safe and confidential and what your rights are around the data we collect and use. We are required to provide you with this Privacy Notice by Law. The UK General Data Protection Regulation (GDPR) requires that data controllers provide certain information to people whose information (personal data) they hold and use. A privacy notice is one way of providing this information. This is sometimes referred to as a fair processing notice.

A privacy notice should identify who the data controller is, with contact details for its Data Protection Officer. It should also explain the purposes for which personal data are collected and used, how the data are used and disclosed, how long it is kept, and the controller’s legal basis for processing. If you are unclear about how we process or use your personal and healthcare information, or you have any questions about this Privacy Notice or any other issue regarding your personal and healthcare information, then please do contact our Data Protection Officer.

The Law says:

  • We must let you know why we collect personal and healthcare information about you;
  • We must let you know how we use any personal and/or healthcare information we hold on you;
  • We need to inform you in respect of what we do with it;
  • We need to tell you about who we share it with or pass it on to and why; and
  • We need to let you know how long we can keep it for.

image depicting privacy notice

 

2 . The Data Protection Officer

The Data Protection Officer at the Surgery is Dr G.Chana and You can contact us through the website contact us form if:

  • You have any questions about how your information is being held;
  • If you require access to your information or if you wish to make a change to your information;
  • If you wish to make a complaint about anything to do with the personal and healthcare information we hold about you;
  • Or any other query relating to this Policy and your rights as a patient.
 

3. About Us

We, at The Yiewsley Family Practice (‘the Surgery’) situated at Yiewsley Health Centre, 20 High Street, Yiewsley, West Drayton, Middlesex UB7 7DP are a Data Controller of your information. This means we are responsible for collecting, storing and handling your personal and healthcare information when you register with us as a patient.

There may be times where we also process your information. That means we use it for a particular purpose and, therefore, on those occasions we may also be Data Processors. The purposes for which we use your information are set out in this Privacy Notice.

 

4. Why do we need your information?

We are here to provide care and treatment to you as our patients. In order to do this, the GP practice keeps personal data about you such as your name, address, date of birth, telephone numbers, email address, NHS Number etc and your health and care information (which is known as a special category of information under the General Data Protection Regulation (GDPR).

Information is needed so we can provide you with the best possible health and care. We also use your data to:

  • Confirm your identity to provide these services and those of your family / carers
  • Understand your needs to provide the services that you request
  • Obtain your opinion on our services
  • Prevent and detect fraud and corruption in the use of public funds
  • Make sure we meet our statutory obligations, including those related to diversity and equalities
  • To undertake specific purposes (i.e. employing our staff, research and development etc.)
 

5. How we keep your information confidential and safe

Everyone working for our organisation is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised with consent given by the patient unless there are other legal bases covered by the law. The NHS Digital Code of Practice on Confidential Information applies to all NHS staff and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.

All our staff are expected to make sure information is kept confidential and receive regular training on how to do this. The health records we use may be electronic, on paper, or a mixture of both. We use a combination of working practices and technology to ensure that your information is kept confidential and secure. Your records are backed up securely in line with NHS standard procedures.

We ensure that the information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personnel. We also make sure external organisations who process your personal information in order to support us are contractually required to have appropriate organisation and technical measures to protect your personal data.

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 2018;
  • UK GDPR;
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality;
  • NHS Codes of Confidentiality and Information Security;
  • Health and Social Care Act 2012 and 2015;
  • And all other applicable legislation.

We will maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if we reasonably believe that others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (such as a risk of serious harm to yourself or others) or where the law requires information to be passed on.

 

6. Information We Collect About You

The information we collect from you will include:

  • Your contact details (such as your name and email address, photo identification, including place of work and work contact details);
  • Details and contact numbers of your next of kin;
  • Your age range, gender, ethnicity;
  • Details in relation to your medical history;
  • The reason for your visit to the Surgery;
  • Medical notes and details of diagnosis and consultations with our GPs and other health professionals within the Surgery involved in your direct healthcare.
 

5. Information About You From Others

We also collect personal information about you when it is sent to us from the following:

  1. a hospital, a consultant or any other medical or healthcare professional, or any other person involved with your general healthcare.
  2. Depending on the situation we may collect firearms applications, DVLA reports/requests, immigration matters, court orders, social service reports.
 

6. Your Summary Care Record

Your summary care record is an electronic record of your healthcare history (and other relevant personal information) held on a national healthcare records database provided and facilitated by NHS England.

This record may be shared with other healthcare professionals and additions to this record may also be made by relevant healthcare professionals and organisations involved in your direct healthcare.

You may have the right to demand that this record is not shared with anyone who is not involved in the provision of your direct healthcare. If you wish to enquire further as to your rights in respect of not sharing information on this record then please contact our Data Protection Officer.

To find out more about the wider use of confidential personal information and to register your choice to opt out if you do not want your data to be used in this way, please visit the NHS My Data Choice website

Note if you do choose to opt out, you can still consent to your data being used for specific purposes. However, if you are happy with this use of information you do not need to do anything. You may however change your choice at any time.

 

9. Who We May Provide Your Personal Information To, And Why

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care Services, important information about you is collected to help ensure you get the best possible care and treatment. This information may be passed to other approved organisations where there is a legal basis, to help with planning services, improving care, research into developing new treatments and preventing illness. All of this helps in providing better care to you and your family and future generations. However, as explained in this privacy notice, confidential information about your health and care is only used in this way where allowed by law and would never be used for any other purpose without your clear and explicit consent.

We may pass your personal information on to the following people or organisations, because these organisations may require your information to assist them in the provision of your direct healthcare needs. It, therefore, may be important for them to be able to access your information in order to ensure they may properly deliver their services to you:

  • Hospital professionals (such as doctors, consultants, nurses, etc);
  • Other GPs/Doctors;
  • Pharmacists;
  • Nurses and other healthcare professionals;
  • Dentists;
  • Any other person that is involved in providing services related to your general healthcare, including mental health professionals.
 

10. Other People Who We Provide Your Information To

  • NHS Trusts / Foundation Trusts
  • GP’s
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • NHS England (NHSE) and NHS Digital (NHSD)
  • Education Services
  • Fire and Rescue Services
  • Voluntary Sector Providers
  • Commissioners;
  • Local authorities;
  • Community health services;
  • For the purposes of complying with the law e.g. Police, Solicitors, Insurance Companies;
  • Anyone you have given your consent to, to view or receive your record, or part of your record. Please note, if you give another person or organisation consent to access your record we will need to contact you to verify your consent before we release that record. It is important that you are clear and understand how much and what aspects of, your record you give consent to be disclosed.
  • Extended Access – we provide extended access services to our patients which means you can access medical services outside of our normal working hours. In order to provide you with this service, we have formal arrangements in place with the Clinical Commissioning Group and with other practices whereby certain key “hub” practices offer this service on our behalf for you as a patient to access outside of our opening hours. This means, those key “hub” practices will have to have access to your medical record to be able to offer you the service. Please note to ensure that those practices comply with the law and to protect the use of your information, we have very robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those purposes only.
    • Extended Access Hubs are as follows
      • Yiewsley Health Centre
      • Mead House
      • Central Uxbridge
      • Eastcote Health Centre
  • Data Extraction by the Clinical Commissioning Group – the clinical commissioning group at times extracts medical information about you, but the information we pass to them via our computer systems cannot identify you to them. This information only refers to you by way of a code that only your practice can identify (it is pseudo-anonymised). This therefore protects you from anyone who may have access to this information at the Clinical Commissioning Group from ever identifying you as a result of seeing the medical information and we will never give them the information that would enable them to do this. There are good reasons why the Clinical Commissioning Group may require this pseudo-anonymised information, these are as follows: Extended Access, Medicines Management and prescribing data.

You will be informed who your data will be shared with and in some cases asked for consent for this to happen when this is required.

We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure. All employees and sub-contractors engaged by our practice are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor for the practice an appropriate contract (art 24-28) will be established for the processing of your information.

 

11. Where do we store your information Electronically?

All the personal data we process is processed by our staff in the UK however for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.
No 3rd parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place. We have a Data Protection regime in place to oversee the effective and secure processing of your personal and or special category (sensitive, confidential) data.

 

12. Anonymised Information

Sometimes we may provide information about you in an anonymised form. If we do so, then none of the information we provide to any other party will identify you as an individual and cannot be traced back to you.

 

10. Your Rights As A Patient

The Law gives you certain rights to your personal and healthcare information that we hold, as set out below:

Access and Subject Access Requests

You have the right to see what information we hold about you and to request a copy of this information.

If you would like a copy of the information we hold about you please email our Data Protection Officer. We will provide this information free of charge however, we may in some limited and exceptional circumstances have to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive.

We have one month to reply to you and give you the information that you require. We would ask, therefore, that any requests you make are in writing and it is made clear to us what and how much information you require. 

Online Access

You may ask us if you wish to have online access to your medical record. However, there will be certain protocols that we have to follow in order to give you online access, including written consent and production of documents that prove your identity.

Please note that when we give you online access, the responsibility is yours to make sure that you keep your information safe and secure if you do not wish any third party to gain access.

Correction

We want to make sure that your personal information is accurate and up to date. You may ask us to correct any information you think is inaccurate. It is very important that you make sure you tell us if your contact details including your mobile phone number has changed.

Removal

You have the right to ask for your information to be removed however, if we require this information to assist us in providing you with appropriate medical services and diagnosis for your healthcare, then removal may not be possible.

Objection

We cannot share your information with anyone else for a purpose that is not directly related to your health, e.g. medical research, educational purposes, etc. We would ask you for your consent in order to do this however, you have the right to request that your personal and healthcare information is not shared by the Surgery in this way. Please note the Anonymised Information section in this Privacy Notice.

Transfer

You have the right to request that your personal and/or healthcare information is transferred, in an electronic form (or other form), to another organisation, but we will require your clear consent to be able to do this.

National Data Opt-Out

A new National Data Opt-Out was introduced in May 2018, following recommendations from the National Data Guardian. The National Data Opt-Out only concerns data being used for secondary purposes. This is because the legal basis for which data is processed in primary care purposes is not based on consent. Health care trusts as a data controller do not need to rely upon consent in order to process that data, as it is specifically required to provide an immediate and direct care for that individual’s health. 

Where the National Data Opt-Out does apply is in respect of secondary care purposes, which are purposes beyond the immediate and direct aspect of the care for that individual. A key example of secondary care purposes is research and planning. 

Following from the guidance by the National Data Guardian, the National Data Opt-Out only allows patients to have the option to opt-out of personally identifiable data being used for purposes other than direct care. This means that organisations can use patient’s data if it has gone through a de-identification process (in line with the current ICO code of practice for anonymization) and no longer identifies an individual. 

This decision was made following a review of the National Data Guardian, which heard that the public were satisfied that if the data is anonymous and used for secondary purposes. The National Data Guardian also found that the majority of purposes beyond those of direct care do not actually require personal confidential data to identify individuals, and that it is of considerable benefit to commissioners, planners, and researchers. It was considered that the possibility for an opt-out where the dataset would be removed entirely would have a negative impact on health services ability to use the information for research and planning. 

With the above in mind, although the majority of data being used for secondary purposes is already anonymised, patients have the option to opt-out of having their confidential patient information shared for reasons beyond their individual care, for example for research and planning. However, this will not affect their de-identified data being used for such purposes. Find out more about the national data opt-out and how to set up your choices.

 

14. Third Parties Mentioned On Your Medical Records

Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them which may breach their rights to confidentiality, are removed before we send any information to any other party including yourself. Third parties can include: spouses, partners, and other family members. 

 

15. How We Use The Information About You

We use your personal and healthcare information in the following ways:

  • when we need to speak to, or contact other doctors, consultants, nurses or any other medical/healthcare professional or organisation during the course of your diagnosis or treatment or on going healthcare;
  • when we are required by Law to hand over your information to any other organisation, such as the police, by court order, solicitors, or immigration enforcement.

We will never pass on your personal information to anyone else who does not need it, or has no right to it, unless you give us clear consent to do so.

 

16. Legal Justification For Collecting And Using Your Information

The Law says we need a legal basis to handle your personal and healthcare information.

Contract: We have a contract with NHS England to deliver healthcare services to you. This contract provides that we are under a legal obligation to ensure that we deliver medical and healthcare services to the public.

Consent: Sometimes we also rely on the fact that you give us consent to use your personal and healthcare information so that we can take care of your healthcare needs.

Please note that you have the right to withdraw consent at any time if you no longer wish to receive services from us.

Necessary Care: Providing you with the appropriate healthcare, where necessary. The Law refers to this as ‘protecting your vital interests’ where you may be in a position not to be able to consent. 

Law: Sometimes the Law obliges us to provide your information to an organisation (see above).

 

17. Special Categories

The Law states that personal information about your health falls into a special category of information because it is very sensitive. Reasons that may entitle us to use and process your information may be as follows:

Public Interest: Where we may need to handle your personal information when it is considered to be in the public interest. For example, when there is an outbreak of a specific disease and we need to contact you for treatment, or we need to pass your information to relevant organisations to ensure you receive advice and/or treatment;

Consent: When you have given us consent;

Vital Interest: If you are incapable of giving consent, and we have to use your information to protect your vital interests (e.g. if you have had an accident and you need emergency treatment);

Defending a Claim: If we need your information to defend a legal claim against us by you, or by another party;

Providing you with medical care: Where we need your information to provide you with medical and healthcare services

 

18. How Long We Keep Your Personal Information

We carefully consider any personal information that we store about you, and we will not keep your information for longer than is necessary for the purposes as set out in this Privacy Notice.

 

19. Under 16s

There is a separate privacy notice for patients under the age of 16, a copy of which may be obtained on request.

 

20. If English Is Not Your First Language

If English is not your first language you can request a translation of this Privacy Notice. Please contact our Data Protection Officer

 

21. Complaints 

If you have a concern about the way we handle your personal data or you have a complaint about what we are doing, or how we have used or handled your personal and/or healthcare information, then please contact our Data Protection Officer.

However, you have a right to raise any concern or complaint with the UK information regulator, at the Information Commissioner’s Office

 

22. Our Website

The only website this Privacy Notice applies to is the Surgery’s website. If you use a link to any other website from the Surgery’s website, then you will need to read their respective privacy notice. We take no responsibility (legal or otherwise) for the content of other websites.

 

23. Cookies

The Surgery’s website uses cookies. For more information on which cookies we use and how we use them, please see our Cookies Policy.

 

24. Security

We take the security of your information very seriously and we do everything we can to ensure that your information is always protected and secure. We regularly update our processes and systems and we also ensure that our staff are properly trained. We also carry out assessments and audits of the information that we hold about you and make sure that if we provide any other services, we carry out proper assessments and security reviews.

 

25. Text Messaging and Contacting You

Because we are obliged to protect any confidential information we hold about you and we take this very seriously, it is imperative that you let us know immediately if you change any of your contact details.

We may contact you using SMS texting to your mobile phone in the event that we need to notify you about appointments and other services that we provide to you involving your direct care, therefore you must ensure that we have your up to date details. This is to ensure we are sure we are actually contacting you and not another person.

 

26. Where To Find Our Privacy Notice

You may find a copy of this Privacy Notice in the Surgery’s reception, on our website, or a copy may be provided on request.

 

27. Changes To Our Privacy Notice

We regularly review and update our Privacy Notice. This Privacy Notice was last updated on 24/01/2024.