The Alexandra Practice Privacy Notice
This privacy notice explains why we as a Practice collect information about our patients and how we use that information.
The Alexandra Practice manages patient information in accordance with existing laws and with guidance from organisations that govern the provision of healthcare in the UK such as the Department of Health and the General Medical Council.
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- General Data Protection Regulations 2018 (from 25/05/2018)
- New Data Protection Act 2018
- Current Data Protection Act 1998
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- Health and Social Care Act 2012
- NHS Codes of Confidentiality and Information Security
As data controllers, GPs have fair processing responsibilities. In practice, this means ensuring that your personal confidential data (PCD) is handled lawfully, clearly and transparently, and in a reasonably expected way.
Our Lawful basis for processing data is:
The lawful basis for processing special category health data for direct care is that processing is: ‘necessary… in the exercise of official authority vested in the controller’ (Article 1)(e)).
In some cases we also rely on: ‘processing is necessary for, compliance with a legal obligation to which the controller is subject’ (Article 6(1)(c)
The special category condition for processing for direct care is that processing is:
‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’ (Article 9(2)(h)).
In addition to the GDPR, data controllers must also satisfy the common law duty of confidentiality. In order to satisfy the common law The Alexandra Practice can continue to rely on implied consent to share confidential health data for the provision of direct care. The most common example of when consent can be implied is when a patient agrees to a referral from one healthcare professional to another. In these circumstances, when you – the patient agrees to the referral this implies your consent for sharing relevant information to support the referral (unless you object). The referral information can then be disclosed under GDPR using articles 6(1)(e) and 9(2)(h) as above.
Where there is a legal requirement to disclose: for example, a direction under the Health
and Social Care Act 2012 or disclosures under public health legislation, our lawful basis for processing would be: ‘… for compliance with a legal obligation…’ (Article 6(1)(c)).
In the majority of cases, the most appropriate special category condition for processing in the face of a legal requirement to disclose will remain as: ‘…for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services…’ (Article 9(2)(h))
For medical research: the lawful basis and special category condition are Article 6(1)
(e) ‘…for the performance of a task carried out in the public interest…’ and Article
9(2)(j) ‘…research purposes…’
The Health and Social Care Act 2012 changed the way that personal confidential data is processed, therefore it is important that our patients are aware of and understand these changes, and that you have an opportunity to object and know how to do so.
How we process your data
The health care professionals who provide you with care maintain records about your health and any NHS treatment or care you have received (e.g. NHS Hospital Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.
NHS health records may be processed electronically, on paper or a mixture of both; a combination of working practices and technology are used to ensure that your information is kept confidential and secure. Records held by this GP practice may include the following information:
- Details about you, such as address and next of kin and telephone number
- Any contact the practice has had with you, including appointments (emergency or scheduled), clinic visits, etc.
- Notes and reports about your health
- Details about treatment and care received and health promotion material provided
- Results of investigations, such as laboratory tests, x-rays, etc.
- Relevant information from other health professionals, relatives or those who care for you
- Details of private services provided such as letters, prescription or requests to or from third parties regarding your healthcare e.g. Solicitors , insurers
Retention Periods: The Practice retains medical records until death or until you leave the Practice. In line with NHS Records Keeping, your data will then be held by the NHS for a further 30 years
Your rights regarding your data under the law
- Be informed – this notice
- Get access to it – right of subject access
- Rectify or change it – this only applies for factual incorrect data within healthcare
- Erase or remove it – this only applies for factual incorrect data within healthcare
- Restrict or stop processing it – dependant on lawful processes
- Move, copy or transfer it – this will be subject to strict consent and security measures
- Object to it being processed or used – please advise the Practice as soon as possible
- Know if a decision was made by a computer rather than a person – patients are informed during consultation where applicable
Why do we collect and use your data?
The practice collects and holds data for the sole purpose of providing healthcare services to our patients and we will ensure that the information is kept confidential. However, we can disclose personal information if:
- It is required by law
- You provide consent – either implicitly or for the sake of your own care, or explicitly for other purposes
- It is justified by law to be in the public interest
Some of this information will be held centrally and used for statistical purposes. Where we hold data centrally, we take strict and secure measures to ensure that individual patients cannot be identified.
Information may be used for clinical audit purposes to monitor the quality of service provided, and may be held centrally and used for statistical purposes. Where we do this we ensure that patient records cannot be identified.
Sometimes your information may be requested to be used for clinical / medical research purposes – the practice does not routinely participate in research however if it was deemed necessary we will gain your explicit consent before releasing any information unless there is a lawful basis to supersede this as above.
The Practice also records all incoming and outgoing telephone calls. This data is held within our secure and password protected IT systems. No unauthorised persons have access to the call recordings. Calls are retained in line with retention periods and for approx. 6 months except in exceptional circumstances or if required as evidence in a linger running complaint or governance issue.
Disclosures which are required by law or clinical audit requirements: In order to comply with its legal obligations the Practice may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012’ in addition this Practice contributes to national clinical audits and will send the data that is required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form, for example, the clinical code for diabetes or high blood pressure.
This Practice contributes to medical research and may send relevant information to medical research databases such as the Clinical Practice Research Datalink and QResearch or others when the law requires or allows.
Safeguarding Disclosures: Sometimes we need to share information so that other people, including healthcare staff, children, or others with safeguarding needs, are protected from risk of harm without your consent. These circumstances are rare and wherever possible and if appropriate, you will be informed if your information is being shared.
Notice under The Health Service (Control of Patient Information) Regulations 2002 (COPI). This notice requires healthcare organisations such as GP Practices to support the processing and sharing of information to help the COVID-19 response and has been further extended by the UK government.
Our Primary Care Network and Covid Vaccinations: The Alexandra Practice is part of the West Central (WC) Primary Care Network (PCN). For the purpose of providing healthcare services across the PCN we may need to share your data with the Practices within the PCN. This is because each Practice will offer shared services for the whole population of Chorlton, Whalley Range and Fallowfield under the government’s new PCN Enhanced Service. All Practices within the PCN are bound by the same NHS rules of confidentiality and a data sharing agreement is in place. Your data will only be shared for the provision of healthcare services. Please visit, www.england.nhs.uk/primary-care/primary-care-networks for more information.
08.01.2021 – Covid Vaccinations: If you are eligible for a Covid Vaccination we will need to share your data within the PCN and it will be viewed by staff members from all the member Practices of the PCN and vaccination hub staff. This is because the vaccination hub & PCN staff are necessary in order to enable such a large scale operation.
Data sharing schemes: Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care. Patients will usually have to freely give their consent to their data being used in this way. However in some cases this sharing is justifiable through law as above. When the practice is about to participate in any new data-sharing scheme we will make patients aware by letter and on our website at least four weeks before the scheme is due to start. We will also explain clearly what you have to do to ‘opt-out’ of each new scheme.
Summary Care Records: All patients are allocated a Summary Care Record (SCR) in line with Section 254 of the Health and Social Care Act. A patient can object to their personal information being shared with other health care providers but if this limits the treatment that you can receive then the doctor will explain this to you at the time. For more information please visit: digital.nhs.uk/about-nhs-digital/corporate-information-and-documents/gdpr/gdpr-information-for-summary-care-record.
National Data Sharing: The Practice is supporting vital health and care planning and research by sharing your data with NHS Digital. For more information about this and how to opt out see the GP Practice Privacy Notice for General Practice Data for Planning and Research at: NHS: General Practice Data for Planning and Research (GPDPR).
There is also information available at reception and on our website on your options for opting out of local and national data sharing.
Mobile Telephone: If you provide us with your mobile phone number we will use this to send you reminders about any appointments, health screening information or surveys being carried out. We display notices within the Practice and on our website to inform patients of this. We may also send you medical information via text message such as test results and responses to queries that you have submitted. We will ask for the permission of all new patients via our registration form or alternatively you can opt out of this service by letting reception know.
In addition requests for services from the Practice submitted via the website (for example, queries for the doctors) will be transmitted via the internet and are subject to the same cyber security threats as with any other online service. We have security measures in place within our organisation via NHS Digital and with our website provider however we cannot guarantee the security of your devices and connections.
Risk stratification is a process for identifying and managing patients who are at high risk of requiring emergency or urgent care. Typically this is because patients have a long term condition such as COPD, cancer or other medical condition at risk of sudden worsening. NHS England encourages GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to provide care plans and planned care with the aim to prevent avoidable admissions or other emergency care.
Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary your GP may be able to offer you additional services.
Please note that you have the right to opt out of Risk Stratification. Please see below.
Concerns and Opting out: Should you have any concerns about how your information is managed, or wish to opt out of any data collection at the Practice, please contact the Practice, or your healthcare professional to discuss how the disclosure of your personal information can be limited. A new universal opt out code has been developed within the NHS to unify this process amongst organisations, to opt out please visit: www.nhs.uk/your-nhs-data-matters.
Patients have the right to change their minds and reverse a previous decision. Please contact the Practice, if you change your mind regarding any previous choice.
If you have received treatment within the NHS your personal information may be shared within a strictly monitored, secure and confidential environment in order to determine which HB/CCG should pay for the treatment or procedure you have received.
Information such as your name, address and date of treatment may be passed on to enable the billing process – these details are held in a secure environment and kept confidential. This information will only be used to validate invoices, and will not be shared for any further commissioning purposes. The Practice will usually only use Pseudonymised identifiers and date of treatment for validation.
How do we maintain the confidentiality of your records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the current Data Protection Act 1998, GDPR May 2018 and when applicable we will adhere to the New Data Protection Act 2018 (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security. Every staff member who works for an NHS organisation has a legal obligation to maintain the confidentiality of patient information.
All of our staff and associated healthcare team members receive appropriate and regular training to ensure they are aware of their personal responsibilities and have legal and contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Only a limited number of authorised staff have access to personal information where it is appropriate to their role and is strictly on a need-to-know basis. All data is also processed in line with the Caldicott Principles. All staff, visitors and third party contractors sign confidentiality and Caldicott agreements and the Practice operates a clear desk, clear screen policy at all times.
We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.
Who are our partner organisations?
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:
- NHS Trusts
- Specialist Trusts
- Independent Contractors such as dentists, opticians, pharmacists
- Private Sector Providers
- Voluntary Sector Providers
- Ambulance Trusts
- Clinical Commissioning Groups
- Social Care Services
- Local Authorities
- Education Services
- Fire and Rescue Services
- Other ‘data processors’ for example solicitors or insurance companies with your consent
Access to personal information
You have a right to access/view information the Practice holds about you, and to have it amended or removed should it be proven to be factually inaccurate. This is known as ‘the right of subject access’. If we do hold information about you we will:
- give you a description of it and tell you why we are holding it (this notice)
- tell you who it could be disclosed to (this notice)
- let you have a copy of the information in an intelligible form
- allow you to view your medical information if you are unable to use the Patient Online Access service
If you would like to make a ‘subject access request’, please contact the Practice, providing consent in writing. Please note that only excessive or repetitive requests which are not justified will be charged for, from the 25th May 2018.
Change of Details
It is important that you tell the person treating you if any of your details such as your name or address have changed or if any of your details such as date of birth is incorrect in order for this to be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.
The GDPR and Data Protection Act require organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information. This information is publicly available on the Information Commissioners Office website www.ico.org.uk. The practice is registered as a data controller with the ICO. The registration number is Z6377845 and can be viewed online in the public register at www.ico.gov.uk.
Who is the Data Controller?
The Data Controller, responsible for keeping your information secure and confidential is The Alexandra Practice. This is because the organisation is classed as the data controller. We can be contacted on 0161 860 4400 or at www.thealexandrapractice.co.uk/ then ‘Get Help’.
Data Protection Officer: This role held centrally within Central Manchester; our named DPO is Shavarnah Purves, Senior Information Governance Officer, Manchester Health and Care Commissioning. Use contact email address: firstname.lastname@example.org.
Data Processors: All Practice staff are classed as data processors. This is because anyone who handles data has responsibilities under the law. If you gain copies of your information you then become a data processor as do any third parties which you consent to receiving your data e.g. solicitors, family members collecting letters. The Practice has strict rules on consent and collection of medical / personal information and photo identification is always sought. This is not intended to hinder your access to your data; it is simply to protect it. We have contracts in place with all of our third parties to ensure they fulfil their responsibilities under the law.
Senior Information Risk Officer: Our SIRO is Dr A Larkin. He has lead responsibility for the Practice information governance systems.
Caldicott Guardian: Our Caldicott Guardian is Dr S Campbell. He has lead responsibility for ensuring information is protected and shared safely and responsibly. Staff may need to seek his guidance when dealing with requests for information. Responsibility is also delegated to your regular doctor if Dr S Campbell is not available.
Lead Data Processor: Our Lead data processor is Melanie Jones. As the Practice Manager she governs the day to day operations and processes relating to information governance and adherence to GDPR and the Data Protection Act.
Any changes to this notice will be published on our website and on the Practice notice boards.
Reporting concerns: If you have any concerns regarding this notice or how your data is handled we hope that in the first instance you will discuss this with us. You can talk to the Practice Manager, Dr A Larkin or in writing via www.thealexandrapractice.co.uk/ then ‘Get Help’.
Patients have the right to report concerns to the Information Commissioners Office (ICO). The Information Commissioner’s Office is the Regulator for the GDPR and the Data Protection Act and offer independent advice and guidance on the law and personal data, including your rights and how to access your personal information. Our registration number is Z6377845 and patients can report at www.ico.gov.uk or on: 0303 123 1113
Further information about the way in which the NHS uses personal information and your rights can be found at: NHS: Your health records.
The notice is available in child friendly format and large font at: www.thealexandrapractice.co.uk.
Reviewed: 11.05.2022 MJ / Version 2 / Review due: 11.05.2024 or as needed