Policies
1 General Data Protection Regulations
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections. These cover details of the Data Controller and Data Protection officer along why we hold the data, what it is used.
1) Data Controller: Dr S. Parnell
2) Data Protection Officer: Dr S. Parnell
3) Purpose of the processing:
Details of the purpose of each Privacy Notice are listed in the individual Privacy Notices described above.
4) Lawful basis for processing:
The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”
and
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”
5) Recipient or categories of recipients of the processed data:
The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care. [if possible list actual named sites such as local hospital)(s) name]
6) Rights to object:
You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance
7) Right to access and correct: You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention period:
The data will be retained in line with the law and national guidance.
https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016 or speak to the practice.
9) Right to Complain:
You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact-us/ or by calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
2 Your Privacy
Northiam & Broad Oak Surgeries Privacy Notices
Our practice has always provided security around your personal information and how it is used to deliver the care and services you need.
All of the data we hold about you is secured in line with legislation and complies with the General Data Protection Regulations (GDPR) which came into force in May 2018.
The data collected about you
Records which this GP Practice will hold or share about you will include the following:
- Personal Data – means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Special Categories of Personal Data – this term describes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
- Confidential Patient Information – this term describes information or data relating to their health and other matters disclosed to another (e.g. patient to clinician) in circumstances where it is reasonable to expect that the information will be held in confidence. Including both information ‘given in confidence’ and ‘that which is owed a duty of confidence’. As described in the Confidentiality: NHS code of Practice: Department of Health guidance on confidentiality 2003.
- Pseudonymised – The process of distinguishing individuals in a dataset by using a unique identifier which does not reveal their ‘real world’ identity.
- Anonymised – Data in a form that does not identify individuals and where identification through its combination with other data is not likely to take place
- Aggregated – Statistical data about several individuals that has been combined to show general trends or values without identifying individuals within the data.
Your rights under GDPR legislation?
Under the General Data Protection Regulations (GPDR), any organisation using your personal data must have your explicit consent.
However, in the legislation GP practices have a legal basis for processing your confidential health data for the provision of your Direct Care and consent is implied by registering with the practice.
In our policies you will find detailed the specific circumstances in which your personal data is used within the Health Service.
Details of the important subsections of the legislation are listed in the following pages.
Your rights to see your information
You have a right to access your medical records and these can be accessed either directly online or in the surgery by appointment (details are in the Patient Registration Pack).
You may give permission to third parties (for example a solicitor or insurance company) to be provided with copies of your records.
Your rights as a Parent or Guardian
In Article 8, the GDPR introduces specific protections for children by limiting their ability to consent to data processing without parental authorisation.
The age of consent in the UK is 16.
What do you need to do?
Please read the following sections detailing how your personal data is managed and used within this practice and the wider health service.
Each section will describe how and why your data is used along with your consent options.
Your right to opt-out of sharing data – National Opt-out scheme/Type 1 Opt-out
The national data opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning.
Registering an opt-out is managed centrally with the National Data Opt-out Scheme or with a Type 1 Opt-out recorded on your medical record. See Privacy Notice for details of how to register an opt-out.
Your opt-out can be changed at any time.
If you wish to discuss your options please make an appointment with reception or call 0300 3035678 for more details.
3 Privacy Notice
How we Protect your Personal Data – Privacy Notices
As a practice we hold your personal information and details of any care you have received.
Your data is held securely in compliance with all legislation.
Summary data, (details of medication, allergies etc.) is held centrally and available should you require treatment anywhere in the NHS. You can opt-out of sharing summary data, see the Summary Care Policy below.
However, your detailed medical history is not shared and can only be accessed by staff within the practice.
The National Data Opt-out, introduced on 25 May 2018, enables you to opt out from the use of your data for research or planning purposes.
You register an opt-out centrally and you can view or change your national data opt-out choice at any time using the online service at https://www.nhs.uk/your-nhs-data-matters/manage-your-choice/ or by calling 0300 3035678.
You can opt-out of all data sharing by completing a Type 1 Opt-out request form and registering your opt-out with the practice. Your data will then not be used in any NHS planning or fot national statistics or screening programmes. For more information on usage see NHS Digital and NHS Planning policies below.
We will not share any data without your consent unless there are exceptional (life or death) circumstances or where the law requires.
You have the right to see your personal information and we can provide you with access to your records.
Your data does contribute to the production of overall NHS statistics but personal details that would identify you are never part of this analysis.
We will also use your information in reviewing prescribed medications and in preventative screening.
The details of all the areas where your data is stored or could be used are listed in the policies on this page.
We do not use Cookies on our website.
Full details of these are available from reception or by using the links below.
4 Privacy Notice: NHS Digital
Purpose:
To provide the Secretary of State and others with information and reports on the status, activity and performance of the NHS. The provide specific reporting functions on identified
What are my Options?
None, the Practice is required by law to provide information when required.
Some, but not all, of this data is subject to the National Opt-out scheme which allows patients to opt out of their confidential patient information being used for research and planning. You have the right to opt-out of some usage. See Privacy notice for details of how to register an opt-out.
What is the impact?
An opt-out would mean your data is not included in any analysis or statistics. An opt-out does not cover all circumstances for example COVID-19 research. See the NHS-England-Directions link below for full details.
NHS Digital is the secure central database of NHS patient data.
NHS Digital provides reports on the performance of the NHS, statistical information, audits and patient outcomes (https://digital.nhs.uk/data-and-information).
These include general statistics, for example A/E and outpatient waiting times and more specific targeted data collections and reports such as English National Diabetes Audits.
GPs are required by the Health and Social Care Act to provide NHS Digital with information when instructed. This is a legal obligation which overrides any patient wishes.
These instructions are called “Directions”.
More information on the directions placed on GPs can be found at https://digital.nhs.uk/article/8059/NHS-England-Directions- and www.nhsdatasharing.info
5 Privacy Notice: NHS Planning
Purpose:
The practice searches some or all records to identify individuals who may be at increased risk of certain conditions or diagnoses i.e. Diabetes, heart disease, risk of falling.
What are my Options?
You have the right to opt-out of our processing your data in these circumstances and before any decision based upon that processing is made about you. See Privacy Notice above for details of how to register an opt-out for this service.
What is the impact?
Without your data we may not be able to identify preventative interventions based on your risk factors.
This data the practice holds for you is to identify preventive interventions.
The results may then be shared with other healthcare workers, such as specialist, therapists, technicians etc.
The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.
The data we hold may be linked with data held elsewhere by other organisations, and usually processed by organisations within or bound by contracts with the NHS.
If any processing of this data occurs outside the practice it will be anonymous and your identity will not be visible to the processors.
Only this practice will be able to identify you and the results of any calculated factors, for example, your risk of having a heart attack in the next 10 years.
Processing of this type is only lawfully allowed where it results in individuals being identified with their associated calculated risk.
It is not lawful for this processing to be used for other purposes, such as “health analytics” and we do not support any such activity.
We have an overriding responsibility to do what is in your best interests.
If we identify you as being at significant risk of having, for example a heart attack or stroke, we are justified in performing that processing.
6 Privacy Notice: Summary Care Record
Purpose:
Provides a summary of your data that can be accessed elsewhere in the NHS.
What are my Options?
You have the right to object to our sharing your data in these circumstances and you can ask your GP to block uploads.
What is the impact?
Opting out would mean that if you are treated elsewhere in the NHS, for example in A&E, without a SCR record those treating you would not have any record of allergies or medication.
The Summary Care Record consists of a basic medical record held on a central government database on every patient registered with a GP surgery in England.
The basic data is automatically extracted from our systems and uploaded to the central system. GPs are required by their contract with the NHS to allow this upload.
The basic upload consists of current medication, allergies and details of any previous bad reactions to medicines, the name, address, date of birth and NHS number of the patient.
The Summary Care Record can be expanded with addition detailed data but this will not happen unless you specifically request the data be added and provide your consent.
Summary Care Records can only be viewed within the NHS on NHS smartcard controlled screens or by organisation, such as pharmacies, contracted to the NHS.
You can find out more about the SCR here.
7 Summary Care Record
The NHS is introducing a national database for patient records. This record has only important information that may be helpful in an emergency when the practice may be closed. The record will only be available to doctors and nurses.The information will include:
- Your name, address, date of birth and your NHS number.
- Medicines you are taking
- Allergies you have
- Any medicines that may make you ill
You have a choice about whether you want your details released to the NHS Summary Care Records. All patients will automatically have a summary care record produced unless they opt out. If you don’t want your records released there are a number of ways you can opt out:
- Attend the surgery and fill out a form
- Ask for a form by phoning 0300 123 3020
- Or download the Summary Care Record Form from the website
More information about Summary Care Records can be found on Health and Social Care Information Centre.
Your Summary Care Record will contain important information about any medicines you are taking, allergies you suffer from and any bad reactions to medicines that you have had.
Giving healthcare staff access to this information can prevent mistakes being made when caring for you in an emergency or when your GP practice is closed.
Your Summary Care Record will also include your name, address, date of birth and your unique NHS Number to help identify you correctly.
You may want to add other details about your care to your Summary Care Record. This will only happen if you ask for the information to be included. You should discuss your wishes with the healthcare staff treating you.
You can choose not to have a Summary Care Record. You need to let your GP practice know by filling in and returning a Summary Care Opt-out form.
Privacy Notice – Call Recording
The surgery has the ability to record telephone calls. Calls are recorded for the purpose of training, to protect our staff, document information in your medical record or identify any issues in practice processes with a view to improving them. Necessary data will be shared with Health and care professionals and support staff in this surgery. Call recordings will not be shared outside of the practice, unless we have a legal requirement to do so.
Privacy Notice: Care Quality Commission (CQC)
Purpose:
The CQC provide the Secretary of State and others with information and reports on the status, activity and performance of this practice.
What are my Options?
None, the CQC have legal rights to access certain types of data.
The Care Quality Commission (CQC) is an organisation established in English law by the Health and Social Care Act.
The CQC is the regulator for English Health and Social Care services to ensure that safe care is provided.
They inspect and produce reports on all English general practices in a rolling 5 year program.
The law allows CQC to access identifiable patient data as well as requiring this practice to share certain types of data with them in certain circumstances, for instance following a significant safety incident.
For more information about the CQC see: http://www.cqc.org.uk/
Privacy Notice: Direct Care
Purpose
Direct Care is care delivered to you alone and most care is provided from this surgery.
If you agree to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about you, your circumstances and your problem will need to be shared with the other healthcare workers, such as specialist, therapists, technicians etc.
The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.
What are my Options?
By registering with this Practice you are agreeing that your detailed medical records can be used by the Practice to provide care and services.
What is the impact?
Removing your medical records from this Practice would mean we would be unable to provide you with continuing care.
This practice keeps a full history of you and your care.
This covers who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care.
When registering for NHS care, all patients who receive NHS care are registered on a national database, the database is held by NHS Digital which has legal responsibilities to collect NHS
Not all of your care is provided by your GP and your details are available to others in the Practice who deliver care and other services.
If your health needs require care from others outside this practice we will exchange whatever information about you that is necessary for them to provide that care.
When you make contact with healthcare providers outside the practice but within the NHS it is usual for them to send us information relating to that encounter.
We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non NHS services but this is not always the case.
Your consent to this sharing of data, within the practice and with those others outside the practice is assumed and is allowed by the Law.
You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests.
Privacy Notice: Direct Care – Emergencies
Purpose:
Doctors have a professional responsibility to share data in emergencies to protect their patients or other persons. Often in emergency situations the patient is unable to provide consent.
What are my Options?
You have the right to make pre-determined decisions about the type and extent of care you will receive should you fall ill in the future, these are known as “Advance Directives”.
What is the impact?
If an Advance Directive is lodged in your records, these will normally be honoured despite the observations in the first paragraph.
There are occasions when intervention is necessary in order to save or protect a patient’s life or to prevent them from serious immediate harm, for instance during a collapse or diabetic coma or serious injury or accident.
In many of these circumstances the patient may be unconscious or too ill to communicate. In these circumstances we have an overriding duty to try to protect and treat the patient.
If necessary we will share your information and possibly sensitive confidential information with other emergency healthcare services, the police or fire brigade, so that you can receive the best treatment.
The law acknowledges this and provides supporting legal justifications.
Individuals have the right to make pre-determined decisions about the type and extend of care they will receive should they fall ill in the future, these are known as “Advance Directives”.
If lodged in your records, these will normally be honoured despite the observations in the first paragraph.
Privacy Notice: National Screening Programmes
Purpose:
The NHS provides several national health screening programs to detect diseases or conditions earlier such as; cervical and breast cancer, aortic aneurysm and diabetes.
The information is shared so as to ensure only those who should be called for screening, are called, and or those at highest risk are prioritised.
What are my Options?
None, the law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.
The NHS provides national screening programmes so that certain diseases can be detected at an early stage.
These currently apply to bowel cancer, breast cancer, aortic aneurysms and diabetic retinal screening service.
The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.
More information can be found here.
Privacy Notice: Anti-Coagulation Services
Purpose:
To provide the Surgery with a record of International Standard Ratio (INR) measurements for patients and support in the prescription of anticoagulants.
What are my Options?
None, Only patients using anticoagulants are stored on the database and the system is used for this specific purpose only.
What is the impact?
Personal confidential data is shared with the LumiraDX in order to provide patients who meet the criteria with an anticoagulation service. Patients Data in the form of their name, NHS number age and gender is stored. INR tests (international normalized ratio) results are held on data base following a blood test. The data is used to calculate the required level of anticoagulants. The data and the service and be accessed and administered by the practice.
Patients may exercise their rights of access by using the practices SARs process.
Legal Basis: Under UK GDPR Article 6 1 (e) Public Task and Article 9 2 (h) Health data
Privacy Notice: Medical Research
Purpose:
Medical research.
What are my Options?
You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the practice if you wish to object.
What is the impact?
We would not identify you to take part in any medical research.
This practice from time-to-time may participate in research programmes.
We do not share any information with the following medical research organisations although we may also use your medical records to carry out research within the practice.
We will only agree to participate in any project if there is an agreed clearly defined reason for the research that is likely to benefit healthcare and patients.
Such proposals will normally have a consent process, ethics committee approval, and will be in line with the principles of Article 89(1) of GDPR.
Research organisations do not usually approach patients directly but will ask us to identify and make contact with suitable patients to seek their consent.
In certain circumstances research can be authorised under law without the need to obtain consent.
This is known as the section 251 arrangement.
Privacy Notice: Payments
Purpose:
To enable GPs to receive payments. To provide accountability.
What are my Options?
None.
This Practice is a Contract holding GPs and receives receive payments from the government on a tiered basis.
Most of the income is derived according to the number of patients registered with the practice.
The amount paid per patient per quarter varies according to the age, sex and other demographic details for each patient.
There are also graduated payments made according to the practice’s achievement of certain agreed national quality targets known as the Quality and Outcomes Framework (QUOF), for example the proportion of diabetic patients who have had an annual review.
Practices can also receive payments for participating in agreed national or local enhanced services, for instance opening early in the morning or late at night or at the weekends.
Practices can also receive payments for certain national initiatives such as immunisation programs.
There are also short term initiatives and projects that practices can take part in.
Practices or GPs may also receive income for participating in the education of medical students, junior doctors and GPs themselves as well as research.
In order to make patient based payments basic and relevant necessary data about you needs to be sent to the various payment services.
The release of this data is required by English law.
Under our NHS contract all GP practices are required to declare the mean earnings (e.g. average pay) for GPs working to deliver NHS services to patients at each practice, the disclosure is below.
The average pay for GPs working in Dr Parnell and Partners in the 2022-23 financial year was £63,504 before tax and national insurance.
This is for 2 full time contractor GP’s, 2 part time contractor GP’s, , 1 part time salaried GP, and 1 locum GPs who worked in the practice for more than 6 months.
NHS England require that the net earnings of doctors engaged in the practice is publicised, and the required disclosure is shown above. However, it should be noted that the prescribed method for calculating earnings is potentially misleading because it takes no account of how much time doctors spend working in the practice, and should not be used to form any judgement about GP earnings, nor to make any comparison with any other practice.
Privacy Notice: Public Health
Purpose:
There are occasions when medical data needs to be shared with Public Health England, the Local Authority Director of Public Health, or the Health Protection Agency, either under a legal obligation or for reasons of public interest or their equivalents in the devolved nations.
What are my Options?
None, we have legal obligations to share certain types of information.
Public health encompasses everything from national smoking and alcohol policies, the management of epidemics such as flu, the control of large scale infections such as TB and Hepatitis B to local outbreaks of food poisoning or Measles.
Certain illnesses are also notifiable; the doctors treating the patient are required by law to inform the Public Health Authorities, for instance Scarlet Fever.
This will necessarily mean your personal and health information being shared with the Public Health organisations.
Some of the relevant legislation includes:
- The Health Protection (Notification) Regulations 2010 (SI 2010/659)
- The Health Protection (Local Authority Powers) Regulations 2010 (SI 2010/657)
- the Health Protection (Part 2A Orders) Regulations 2010 (SI 2010/658)
- Public Health (Control of Disease) Act 1984
- Public Health (Infectious Diseases) Regulations 1988
- The Health Service (Control of Patient Information) Regulations 2002
Privacy Notice: Safeguarding
Purpose:
The purpose of the processing is to protect the child or vulnerable adult and the Practice is required by Law to share information with relevant bodies.
What are my Options?
None, we have legal obligations to share certain data in certain circumstances.
Some members of society are recognised as needing protection, for example children and vulnerable adults.
If a person is identified as being at risk from harm we are expected as professionals to do what we can to protect them.
In addition we are bound by certain specific laws that exist to protect individuals. This is called “Safeguarding”.
Where there is a suspected or actual safeguarding issue we will share information that we hold with other relevant agencies whether or not the individual or their representative agrees.
There are three laws that allow us to do this without relying on the individual or their representatives agreement (unconsented processing), these are: