This practice handles medical records in-line with laws on data protection and confidentiality.
- We share medical records with those who are involved in providing you with care and treatment.
- In some circumstances we will also share medical records for medical research, for example to find out more about why people get ill.
- We share information when the law requires us to do so, for example, to prevent infectious diseases from spreading or to check the care being provided to you is safe.
- You have the right to be given a copy of your medical record.
- You have the right to object to your medical records being shared with those who provide you with care.
- You have the right to object to your information being used for medical research and to plan health services.
- You have the right to have any mistakes corrected and to complain to the Information Commissioner’s Office. Please speak to a member of staff for more information about your rights.
- All incoming and outbound calls to the practice are recorded for training and monitoring purpose
- For more information please email firstname.lastname@example.org
This practice keeps medical records confidential and complies with the General Data Protection Regulation.
We hold your medical record so that we can provide you with safe care and treatment.
We will also use your information so that this practice can check and review the quality of the care we provide. This helps us to improve our services to you.
We will share relevant information from your medical record with other health or social care staff or organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital. Or your GP will send details about your prescription to your chosen pharmacy.
For more information on how we share your information with organisations who are directly involved in your care can be found below.
Healthcare staff working in A&E and out of hours care will also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions. This will involve the use of your Summary Care Record. For more information visit the NHS Digital website or alternatively speak to your practice.
You have the right to object to information being shared for your own care. Please speak to the practice if you wish to object. You also have the right to have any mistakes or errors corrected.
Registering for NHS care
All patients who receive NHS care are registered on a national database. This database holds your name, address, date of birth and NHS Number but it does not hold information about the care you receive. The database is held by NHS Digital: a national organisation which has legal responsibilities to collect NHS data. More information can be found on the NHS Digital website or the phone number for general enquiries is 0300 303 5678.
Identifying patients who might be at risk of certain diseases
Your medical records will be searched by a computer programme so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital. This means we can offer patients additional care or support as early as possible.
This process will involve linking information from your GP record with information from other health or social care services you have used. Information which identifies you will only be seen by this practice. For more information speak to the practice.
Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm. These circumstances are rare. We do not need your consent or agreement to do this. Please see our local policies for more information.
St Pauls Way Medical Centre shares information from medical records to support medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best. we will also use your medical records to carry out research within the practice. This is important because:
- the use of information from GP medical records is very useful in developing new treatments and medicines;
- medical researchers use information from medical records to help answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive.
Occasionally we share information with medical research organisations but will only do so with your explicit consent or when the law allows. You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the practice if you wish to object.
Checking the quality of care – national clinical audits
St Pauls Way Medical Centre contributes to national clinical audits so that healthcare can be checked and reviewed. Information from medical records can help doctors and other healthcare workers measure and check the quality of care which is provided to you. The results of the checks or audits can show where hospitals are doing well and where they need to improve. The results of the checks or audits are used to recommend improvements to patient care. Data is sent to NHS Digital a national body with legal responsibilities to collect data. The data will include information about you, such as your NHS Number and date of birth and information about your health which is recorded in coded form – for example the code for diabetes or high blood pressure. We will only share your information for national clinical audits or checking purposes when the law allows. For more information about national clinical audits see the Healthcare Quality Improvements Partnership website or phone 020 7997 7370. You have the right to object to your identifiable information being shared for national clinical audits. Please contact the practice if you wish to object.
How your information is shared so that this practice can meet legal requirements
The law requires St Pauls Way Medical Centre to share information from your medical records in certain circumstances. Information is shared so that the NHS or Public Health England can, for example:
- plan and manage services;
- check that the care being provided is safe;
- prevent infectious diseases from spreading.
We will share information with NHS Digital, the Care Quality Commission and local health protection team (or Public Health England) when the law requires us to do so. Please see below for more information.
We must also share your information if a court of law orders us to do so.
NHS Digital is a national body which has legal responsibilities to collect information about health and social care services. It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients. This practice must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012. More information about NHS Digital and how it uses information can be found on the NHS digital website.
NHS Digital sometimes shares names and addresses of patients suspected of committing immigration offences with the Home Office. More information on this can be found here.
Care Quality Commission (CQC)
The CQC regulates health and social care services to ensure that safe care is provided. The law says that we must report certain serious events to the CQC, for example, when patient safety has been put at risk. For more information about the CQC visit their website.
The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population.
We will report the relevant information to local health protection team or Public Health England.
For more information about Public Health England and disease reporting visit this website.
National screening programmes
The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.
More information can be found on this website or you can speak to the practice.
We are required by law to provide you with the following information about how we handle your information.
Data Controller contact details:
St Pauls Way Medical Centre
Data Protection Officer contact
Purpose of the processing:
To give direct health or social care to individual patients. For example, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care.
To check and review the quality of care. (This is called audit and clinical governance).
Lawful basis for processing
These purposes are supported under the following sections of the GDPR:
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”
Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.
Recipient or categories of recipients of the processed data. The data will be shared with:
- healthcare professionals and staff in this surgery;
- local hospitals;
- out of hours services;
- diagnostic and treatment centres;
- or other organisations involved in the provision of direct care to individual patients.
Rights to object
You have the right to object to information being shared between those who are providing you with direct care. This may affect the care you receive – please speak to the practice. You are not able to object to your name, address and other demographic information being sent to NHS Digital. This is necessary if you wish to be registered to receive NHS care. You are not able to object when information is legitimately shared for safeguarding reasons. In appropriate circumstances it is a legal and professional requirement to share information for safeguarding reasons. This is to protect people from harm. The information will be shared with the local safeguarding service.
Right to access and correct
You have the right to access your medical record and have any errors or mistakes corrected. Please speak to a member of staff. We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.
GP medical records will be kept in line with the law and national guidance. Information on how long records are kept can be found on the NHS Digital website or you can speak to the practice.
Right to complain
You have the right to complain to the Information Commissioner’s Office. If you wish to complain follow this link or call the helpline on 0303 123 1113.
Data we get from other organisations
We receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation the hospital will send us a letter to let us know what happens. This means your GP medical record is kept up-to date when you receive care from other parts of the health service.
To find out more about how data is used across East London, please see the NHS Data Sharing in East London page.
The General Data Protection Regulation (GDPR) is a new law that determines how your personal data is processed and kept safe, and the legal rights that you have in relation to your own data.
The regulation applies from 25 May 2018, and will apply even after the UK leaves the EU.
What GDPR will mean for patients
The GDPR sets out the key principles about processing personal data, for staff or patients;
- Data must be processed lawfully, fairly and transparently
- It must be collected for specific, explicit and legitimate purposes
- It must be limited to what is necessary for the purposes for which it is processed
- Information must be accurate and kept up to date
- Data must be held securely
- It can only be retained for as long as is necessary for the reasons it was collected
There are also stronger rights for patients regarding the information that practices hold about them. These include;
- Being informed about how their data is used
- Patients to have access to their own data
- Patients can ask to have incorrect information changed
- Restrict how their data is used
- Move their patient data from one health organisation to another
- The right to object to their patient information being processed (in certain circumstances)
What is GDPR?
GDPR stands for General Data Protection Regulations and is a new piece of legislation that will supersede the Data Protection Act. It will not only apply to the UK and EU; it covers anywhere in the world in which data about EU citizens is processed.
The GDPR is similar to the Data Protection Act (DPA) 1998 (which the practice already complies with), but strengthens many of the DPA’s principles. The main changes are:
- Practices must comply with subject access requests
- Where we need your consent to process data, this consent must be freely given, specific, informed and unambiguous
- There are new, special protections for patient data
- The Information Commissioner’s Office must be notified within 72 hours of a data breach
- Higher fines for data breaches – up to 20 million euros
What is ‘patient data’?
Patient data is information that relates to a single person, such as his/her diagnosis, name, age, earlier medical history etc.
What is consent?
Consent is permission from a patient – an individual’s consent is defined as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”
The changes in GDPR mean that we must get explicit permission from patients when using their data. This is to protect your right to privacy, and we may ask you to provide consent to do certain things, like contact you or record certain information about you for your clinical records.
Individuals also have the right to withdraw their consent at any time.