Privacy notice – Haxby Group York

Our legal basis for processing your data

Processing is for the direct patient care and GP practices must establish both a lawful basis for processing and a special category condition for processing to comply with the UK General Data Protection Regulations (UK-GDPR).

The lawful basis for processing is Article 6(1)(e) “necessary in the exercise of official authority vested in the controller” and the special category condition is Article 9(2)(h) “necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services”.

Where disclosures are a legal requirement the lawful basis and special category condition for processing are: Article 6(1)(c) “… for compliance with a legal obligation …” and Article 9(2)(h) “…management of health or social care systems…”

For “performance of a task carried out in the public interest” (Article 6(1)(e) and Article 9(2)(j) “research purposes”, the practice will always gain your consent before releasing information.

How we use your personal information

Healthcare professionals who provide you with care maintain records about your health and any treatment or care you have received, for example NHS Trusts, GP Surgeries, Walk-in-Centres etc. These records are used to help to provide you with the best possible healthcare.

NHS healthcare records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records this GP Practice hold about you may include the following information:

Details about you, such as your name, address, date of birth, carers, legal representatives and emergency contact details.
Any contact the surgery has with you, such as appointments, visits, telephone calls etc.
Notes and reports about your health.
Details about your treatment and care.
Results of investigations such as laboratory tests, x-rays etc.
Relevant information from other health professionals, relatives or those who care for you.

Risk Stratification

Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information using software, and is only provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary your GP may be able to offer you additional services. Please note that you have the right to opt out of your data being used in this way.

Medicine Management

Your GP Practice supports a medicines management review service of medications prescribed to its patients. This service involves a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments. This service is provided by qualified and registered healthcare professionals from within the GP practice, our NHS Primary Care Network, our local commissioning group or by external partners approved by the GP practice. Patient identifiable information does not leave the practice system but is accessed to ensure only appropriate clinical recommendations or decisions are made for each patient. Each patient can opt out of (or back into) the practice using their data for anything other than specified purposes or where there is a lawful requirement to do so.

Disclosures which are required by law or clinical audit requirements

In order to comply with its legal obligations this practice may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012 and the practice contributes to national clinical audits and will send the data which are required by NHS Digital when the law allows. This may include demographic data, such as date of birth and information about your health which is recorded in coded form.

Disclosures for medical research or health management purposes

The surgery will always gain your consent before releasing the information for this purpose, the practice contributes to medical research and may send relevant information to medical research databases when consent is obtained and the law allows.

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)
UK GDPR regulations – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
Human Rights Act 1998
Common Law Duty of Confidentiality
Health and Social Care Act 2012
NHS Codes of Confidentiality, Information Security and Records Management
Information: To Share or Not to Share Review

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (eg life or death situations), where the law requires information to be passed on and/or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality”. This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies.

Who are our partner organisations?

We may also have to share information, subject to strict agreements on how it will be used, with the following organisations:

NHS Trusts/Foundation Trusts
GPs
NHS Commissioning Support Units
Independent Contractors such as dentists, opticians, pharmacists
Private Sector Providers
Voluntary Sector Providers
Ambulance Trusts
Clinical Commissioning Groups
Social Care Services
NHS Digital
Local Authorities
Education Services
Fire and Rescue Services
Police & Judicial Services
Other “data processors” which you will be informed of

You will be informed who your data will be shared with and in some cases asked for explicit consent for this to happen when required.

We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.

Your rights in relation to your data

Right to Access – please see the “access to personal information” section below.
Right of rectification – right for individuals to have inaccurate personal data rectified.
Right to object – you have the right to object to the processing of your data at any time.

Access to personal information

You have a right under General Data Protection Regulation to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. This is known as “subject access request” (SAR) and in order to request this you need to do the following:

Your request can be made verbally or in writing to the GP Practice – for information from the hospital or other healthcare provider you should write direct to them.
No charge will be made to provide the information.
We are required to respond to you within 30 days of receipt of request.
You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located.

How long data will be retained

We will hold, protect and maintain your data for as long as the patient/doctor relationship is in place, this will either be until your death or if you decide to move to another GP practice, if you do move your data will follow you.

Change of Details

It is important that you inform us if any of your details such as your name or address have changed or if any of your details such as date of birth is incorrect in order for this to be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date.

Notification

GDPR requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information.

The information is publicly available on the Information Commissioners Office website www.ico.org.uk.

This Practice is registered with the Information Commissioners Office (ICO).

Collaborative Primary Care working

We are a member of WoNE Primary Care Network inYork. We are also part of NIMBUSCARE, which is a collective of all GP practice in York working collaboratively to support the population.

This means we will be working closely with a number of other Practices and health and care organisations to provide healthcare services to you.

During the course of our work, we may share your information with these Practices and health care organisations/professionals. We will only share this information where it relates to your direct healthcare needs.

When we do this, we will always ensure that appropriate agreements are in place to protect your information and keep it safe and secure. This is also what the Law requires us to do.

If you would like to see the information the PCN or NIMBUSCARE holds about you, please contact the data protection officer contact details shown below.

Who is the Data Controller?

The Data Controller, responsible for keeping your information secure and confidential is:

Haxby Group

Objections/Complaints

If you are happy for your data to be extracted and used for the purposes described in this privacy notice then you do not need to do anything. If you have any concerns about how your data is shared or information managed then please contact the Data Protection Officer at the following:

Barry Jackson

Head of Information Governance

Email: n3i.dpo@nhs.net

For queries and urgent responses contact through N3i service desk:

Phone: 0300 002 0001

If you are still unhappy following a review by the Practice, you can then complain to the Information Commissioner’s Office (ICO), telephone 0303 123 1113 (local rate).

General Practice Data for Planning and Research data collection (GPDPR)

Patient data from GP medical records is used every day to improve health, care and services through planning and research, helping to find better treatments and improve patient care. The NHS is introducing the GPDPR data collection to support this. Introduction of this has been delayed and we await further guidance from the NHS regarding GPDPR.

NHS Digital will collect, analyse, publish, and share patient data to improve health and care services for everyone. The data collection will provide a comprehensive and frequent (daily) extract of patient level and linkable data from the GP system suppliers. All identifiable data items will be pseudonymised by the GP system suppliers and flow to the NHS Digital’s Data Processing Services (DPS) where it is stored securely.

This will not impact on Type 1 Opt Outs or the National Data Opt Out. If a patient sets a Type 1 Opt Out (which prevents sharing of data outside the GP practice for anything other than individual care) this prevents GPDPR data collection.

If a patient sets a National Data Opt Out (which prevents confidential patient information being shared by NHS Digital with other organisations for purposes except individual care) this does not apply to the GPDPR collection.

The NHS Digital Privacy Notice on the GPDPR is available here https://digital.nhs.uk/data-and-information/data-collections-and-data-sets/data-collections/general-practice-data-for-planning-and-research/gp-privacy-notice

Healthy IO – ACR project for patients with diabetes – York

Data is being processed for the purpose of delivery of a programme, sponsored by NHS Digital, to monitor urine for indications of chronic kidney disease (CKD) which is recommended to be undertaken annually for patients at risk of chronic kidney disease e.g., patients living with diabetes. The programme enables patients to test their kidney function from home. We will share your contact details with Healthy.io to enable them to contact you and confirm that you wish them to send you a test kit. This will help identify patients at risk of kidney disease and help us agree any early interventions that can be put in place for the benefit of your care. Healthy.io will only use your data for the purposes of delivering their service to you. If you do not wish to receive a home test kit from Healthy.io we will continue to manage your care within the Practice. Healthy.io are required to hold data we send them in line with retention periods outlined in the Records Management code of Practice for Health and Social Care. Further information about this is available at http://bit.ly/uACRtest.

HN Clinical Coaching Service – York

Data is being processed for the purpose of delivering a clinical coaching service, provided by a company called HN. This service is delivered by a specially trained nurse or healthcare professional who will work with you on a one-to-one basis to advise on the best way to manage your condition(s). We will share your contact details with HN to enable them to contact you and confirm that you would want to take part in HN’s clinical coaching. This service will help provide you with the knowledge, skills and confidence to improve your health and quality of life. HN will only use your data for the purposes of delivering their service to you. If you do not wish to take part in the service provided by HN we will continue to manage your care within the Practice. HN are required to hold data we send them in line with retention periods outlined in the Records Management code of Practice for Health and Social Care. Further information about HN and their clinical coaching service is available at https://www.hn-company.co.uk/

GP Connect

We use a facility called GP Connect to support your direct care. GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patients care, leading to improvements in both care and outcomes.
GP Connect is not used for any purpose other than direct care.

Authorised Clinicians such as GPs, NHS 111 Clinicians, Care Home Nurses (if you are in a Care Home), Secondary Care Trusts, Social Care Clinicians are able to access the GP records of the patients they are treating via a secure NHS Digital service called GP connect.

The NHS 111 service (and other services determined locally e.g. Other GP practices in a Primary Care Network) will be able to book appointments for patients at GP practices and other local services.

Inspira Health – Primary Care Atrial Fibrillation (PCAF) Service

We are using this specialist-led comprehensive review of patients with atrial fibrillation (AF) ensuring patients are on optimal anticoagulation therapy. The PCAF Service primary aim is to ensure that eligible high-risk patients are anti- coagulated and optimally managed, and therefore help reduce the expected number of AF-related strokes within your practice population. The Service will also review patients currently on warfarin and DOAC to check patients are optimally anticoagulated and ensure patients are on the most appropriate anticoagulant and correct dose.

The data will be collected through querying of the GP Practice Clinical system and auditing patients on the Practice AF register medical records and this data will be used to identify patients that need clinical review by a local healthcare professional (HCP) specialising in AF/anticoagulation management. The HCP will then use that data and information held within the relevant patient’s medical record to have an informed discussion with patients about any necessary changes to their care. Further information is available at Inspira Health Ltd – provide seamless, high quality, integrated care pathways for patients which are precisely tailored to their individual needs.

iGPR

The iGPR Managed Service offer covered by this DPIA is assessed as being a robust and secure method for iGPR to support GPs to carry out the administrative and operational functions relating to requests for patient information using the iGPR product to produce such reports.

iGPR is responding to an identified need and direct requests from GP clients for such a Managed Service. The existing security measures in the iGPR product, together with the internal procedural controls of the Managed Service will further embed the principles of data protection by default and design in the Service and appropriately mitigate any risks identified in this DPIA. Additionally, the escalation and oversight architecture of the Managed Service, gives further assurance that data subject rights are central to the processing carried out as part of the iGPR Managed Service. The iGPR DPO will be responsible for ensuring that any risks to data are quickly identified and mitigated by the protocols to be established for the secure running of the Managed Service. More information is available at Managed Service | iGPR.

NHS App Messages

We use the NHS Account Messaging Service provided by NHS Digital to send you messages relating to your health and care. You need to be an NHS App user to receive these messages. Further information about the service can be found at the privacy notice for the NHS App managed by NHS Digital at: https://www.nhs.uk/using-the-nhs/nhs-services/the-nhs-app/privacy/”

Legal basis for sharing this data

In order for your Personal Data to be shared or processed, an appropriate “legal basis” needs to be in place and recorded. The legal bases for direct care via GP Connect is the same as the legal bases for the care you would receive from your own GP, or another healthcare provider:

for the processing of personal data: Article 6.1 (e) of the UK GDPR: “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
for the processing of “Special Category Data” (which includes your medical information): Article 9.2 (h) of the UK GDPR: “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services”.

Your rights

Because the legal bases used for your care using GP Connect are the same as used in other direct care situations, the legal rights you have over this data under UK GDPR will also be the same- these are listed elsewhere in our privacy notice.

Find out more about GP Connect here https://digital.nhs.uk/services/gp-connect

Summary Care Record

During the height of the pandemic changes were made to the Summary Care Record (SCR) to make additional patient information available to all appropriate clinicians when and where they needed it, to support direct patients care, leading to improvements in both care and outcomes.

These changes to the SCR will remain in place unless you decide otherwise.

Regardless of your past decisions about your Summary Care Record preferences, you will still have the same options that you currently have in place to opt out of having a Summary Care Record, including the opportunity to opt-back in to having a Summary Care Record or opt back in to allow sharing of Additional Information.

You can exercise these choices by doing the following:

Choose to have a Summary Care Record with all information shared. This means that any authorised, registered and regulated health and care professionals will be able to see a detailed Summary Care Record, including Core and Additional Information, if they need to provide you with direct care.
Choose to have a Summary Care Record with Core information only. This means that any authorised, registered and regulated health and care professionals will be able to see limited information about allergies and medications in your Summary Care Record if they need to provide you with direct care.
Choose to opt-out of having a Summary Care Record altogether. This means that you do not want any information shared with other authorised, registered and regulated health and care professionals involved in your direct care. You will not be able to change this preference at the time if you require direct care away from your GP practice. This means that no authorised, registered and regulated health and care professionals will be able to see information held in your GP records if they need to provide you with direct care, including in an emergency.

To make these changes, you should inform your GP practice or complete this form and return it to your GP practice. Form available at https://digital.nhs.uk/services/summary-care-records-scr/scr-patient-consent-preference-form

Legal basis for sharing this data

In order for your Personal Data to be shared or processed, an appropriate ‘legal basis’ needs to be in place and recorded. The legal bases for direct care via SCR is the same as the legal bases for the care you would receive from your own GP, or another healthcare provider:

for the processing of personal data: Article 6.1 (e) of the UK GDPR: ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.
for the processing of ‘Special Category Data’ (which includes your medical information): Article 9.2 (h) of the UK GDPR: ‘processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services’.

Your rights

Because the legal bases used for your care via SCR are the same as used in other direct care situations, the legal rights you have over this data under UK GDPR will also be the same- these are listed elsewhere in our privacy notice.

Find out more about SCR here https://digital.nhs.uk/services/summary-care-records-scr