New Data Protection Regulation (GDPR)
You may have heard about the new General Data Protection Regulation (“GDPR”), which comes into effect on May 25, 2018. To help comply with GDPR consent requirements, we need to confirm that you would like to receive content from us.
Chingford Medical Practice takes your privacy very seriously. We are registered with the Information Commissioner’s Office as a Data Controller and our registration number is Z9702941.
- Our Data Protection Officer is: Radha Muthaswamy
- Our Data Controller is: Dr Asad Ashraf
If you have any questions or wish to make a request in relation to your information, please contact us at:
Chingford Medical Practice,
109 York Road,
Chingford,
E4 8LF
Information held about you
This Privacy Notice explains why the GP practice collects information about you and how that information may be used.
Health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records are used to help to provide you with the best possible healthcare.
Your NHS health care record may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records this GP Practice holds about you may include the following information:
Personal Data
- Details about you, such as your name, address, carers, legal representatives and emergency contact details
Sensitive Data (Special Category Data)
- Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations such as laboratory tests, x-rays, etc.
- Relevant information from other health professionals, relatives or those who care for you
Healthcare providers are permitted to collect, store, use and share this information under Data Protection Legislation which has a specific section related to healthcare information.
To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within the GP practice for clinical audit to monitor the quality of the service provided.
What do we do with your information?
- Refer you to other healthcare providers when you need other services or tests
- Share samples with laboratories for testing (like blood samples)
- Share test results with hospitals or community services (like blood tests)
- Allow out-of-hours Health Care Providers to look at your practice record when you go to an appointment
- Send prescriptions to a pharmacy
- Text patients in relation to healthcare services
- Provide samples to the courier for delivery to pathology
- Share reports with the coroner
- Receive reports of appointments you have attended elsewhere such as with the community nurse or if you have had a stay in hospital
Information access and rights
The value of personal data is increasing and technology is rapidly developing. Personal data can be manipulated and used in increasingly sophisticated ways, and sometimes on a large scale.
Data protection law provides you with a number of rights that the practice must support you with.
Access Requests
You have the right to obtain:
- confirmation that information is being used, stored or shared by the practice.
- a copy of information held about you
We will respond to your request within one month of receipt or tell you when it might take longer.
We are required to validate your identity, or the identity of someone making a request on your behalf.
Right to Correction
If information about you is incorrect, you are entitled to request that we correct it.
There may be occasions where we are required by law to maintain the original information – our Data Protection Officer will talk to you about this and you may request that the information is only used during this time.
We will respond to your request within one month of receipt or tell you when it might take longer.
Right to Data Portability
If you change practices, all information held about you will be transferred to your new practice.
Complaints
You also have the right to make complaints and request investigations into the way your information is used. Please contact our Data Protection Officer or visit the link below for more information.
For more detailed information on your rights visit the Information Commissioner’s Office website.
Minuteful Kidney service for patients with diabetes (and/or other conditions)
The data is being processed for the purpose of delivery of a programme, sponsored by NHS Digital, to monitor urine for indications of chronic kidney disease (CKD) which is recommended to be undertaken annually for patients at risk of chronic kidney disease e.g., patients living with diabetes. The programme enables patients to test their kidney function from home. We will share your contact details with Healthy.io to enable them to contact you and send you a test kit. This will help identify patients at risk of kidney disease and help us agree any early interventions that can be put in place for the benefit of your care.
Healthy.io will only use your data for the purposes of delivering their service to you. If you do not wish to receive a home test kit from Healthy.io we will continue to manage your care within the Practice. Healthy.io are required to hold data we send them in line with retention periods outlined in the Records Management code of Practice for Health and Social Care.
Further information about this is available here.
Lawful basis for processing personal data
How do we maintain the confidentiality of your records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- Data Protection Act 1998 and General Data Protection Regulation 2016
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- Health and Social Care Act 2012
- NHS Codes of Confidentiality, Information Security and Records Management
- Information: To Share or Not to Share Review
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies.
Who are our partner organisations?
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:
- NHS Trusts/Foundation Trusts
- GPs
- NHS Commissioning Support Units
- Independent Contractors such as dentists, opticians, pharmacists
- Private Sector Providers
- Voluntary Sector Providers
- London Ambulance Service
- Waltham Forest Clinical Commissioning Group
- Social Care Services
- Health and Social Care Information Centre (HSCIC)
- Local Authorities
- Education Services
- Fire and Rescue Services
- Police & Judicial Services
- Other ‘data processors’ which you will be informed of
You will be informed who your data will be shared with and in some cases asked for explicit consent for this to happen when this is required.
Covid-19
NHS England has been directed by the government to establish and operate the OpenSAFELY COVID-19 Service and the OpenSAFELY Data Analytics Service. These services provide a secure environment that supports research, clinical audit, service evaluation and health surveillance for COVID-19 and other purposes.
Each GP practice remains the controller of its own GP patient data but is required to let approved users run queries on pseudonymised patient data. This means identifiers are removed and replaced with a pseudonym.
Only approved users are allowed to run these queries, and they will not be able to access information that directly or indirectly identifies individuals.
Patients who do not wish for their data to be used as part of this process can register a type 1 opt out with their GP.
Data Breaches
How do we protect your Information?
We are committed to ensuring the security and confidentiality of your information. There are a number of ways in which we do this:
- Staff receive annual training about protecting and using personal data
- Policies are in place for staff to follow and are regularly reviewed
- We check that only the minimum amount of data is shared or accessed
- Every member of staff uses a ‘smartcard’ to access the clinical system; this helps ensure that the right people are accessing data – people with a ‘need to know’
- Smartcard usage can be audited and monitored
- We use encrypted emails and storage which would make it difficult for someone to ‘intercept’ your information
- We report and manage incidents to make sure we learn from them and improve
- We put in place contracts that require providers and suppliers to protect your data as well
- We do not send your data outside of the EEA
Breaches of data
- The ICO (Information Commissioner’s Office) will be notified if the data breach is likely to result in a risk to the rights and freedoms of individuals
- Procedures are in place to effectively detect, report and investigate any personal data breaches
- Audits (Data Protection Impact Assessments) will be undertaken to ensure that these processes are in place.
Consent
Consent must be freely given, clear, specific, informed and unambiguous. We will seek your consent to:
- Pass information to some third parties (e.g. solicitors acting on your behalf)
- Have invasive procedures such as minor surgery carried out
Children
The GDPR currently sets the age at which a child can give their own consent to this processing at 16 years. If a child is younger than this, consent will need to be obtained for their continued healthcare from a person holding ‘parental responsibility’.
Further information
Further information about the way in which the NHS uses personal information and your rights in that respect can be found in:
- The NHS Care Record Guarantee
- The NHS Constitution
- Care.data programme
- The HSCIC Guide to Confidentiality gives more information on the rules around information sharing
- An independent review of how information about patients is shared across the health and care system led by Dame Fiona Caldicott was conducted in 2012. The report, Information: To share or not to share?
- The NHS Commissioning Board – NHS England – Better Data, Informed Commissioning, Driving Improved Outcomes: Clinical Data Sets provides further information about the data flowing within the NHS to support commissioning
- The Information Commissioner’s Office is the Regulator for the Data Protection Act 1998 and offers independent advice and guidance on the law and personal data, including your rights and how to access your personal information.
Population Health Management (PHM) Privacy Notice
Under data protection law we must tell you about how we use your personal information. This includes the personal information that we share with other organisations and why we do so. Our main GP practice privacy notice is on our website. This additional privacy notice provides details about Population Health Management.
What is Population Health Management (PHM)?
PHM is aimed at improving the health of both local and national populations. It is about improving the physical and mental health outcomes and wellbeing of people and making sure that access to services is fair, timely, and equal. It helps to reduce the occurrence of ill health and looks at all the wider factors that affect health and care.
PHM is an approach being implemented across the NHS and this Practice. Population Health Management requires health and social care to work together with communities and partner agencies, for example GP practices, community service providers, hospitals and other health and social care providers. Organisations will share and combine de-identified information (where information identifying you has been removed) with each other in order to get a view of health and services for the population in a particular area. This information sharing is subject to robust security arrangements and risk assessments.
How will my Personal Information be used?
The information needed for PHM will include information about your health and social care. Information about you and your care will be used in a format that does not directly identify you, which we refer to within this privacy notice as pseudonymised. This information will be combined and anything that can identify you (like your name or NHS Number) will be removed and replaced with a unique code. This means that the people working with the data will only see the code and cannot see which patient the information relates to. The information will be used for a number of health and social care related activities such as –
- Identifying groups of patients that could benefit from direct interventions
- Improving the quality and standards of care provided
- Research into the development of new treatments
- Preventing illness and diseases
- Monitoring safety
- Planning services
Who will my personal information be shared with?
Your GP, other health or care providers, Local Councils within NE London and the NHS NEL Integrated Care Board may send the information they hold on their systems to each other. All of these organisations are legally obliged to protect your information and maintain confidentiality in the same way that your GP or hospital provider is.
Is using my personal data in this way lawful?
Health Care Providers are permitted by data protection law to use information where it is “necessary for medical purposes”. This includes caring for you directly as well as management of health services more generally. The legal basis for sharing your information is GDPR Article 6 (1) (e) “Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”
Sharing and using your information in this way helps to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used where allowed by law and in this case, anonymised data is used so that you cannot be identified.
Can I object to my data being used as part of this programme?
Yes. You have the right to opt out of your personal data being used in this way. You can do this in two ways –
1. Opt out of all sharing of your data for other uses outside your GP Practice. This is called a Type 1 opt out and you should request this directly to us, your GP practice. This will be applied not only to this programme but to any others we take part in.
2. National Data Opt-out (opting out of NHS Digital sharing your data). You can find out more, register a National Data Opt-out, or change your choice at nhs.uk/your-nhs-data-matters or by calling 0300 3035678.
This applies to identifiable patient data about your health which is called confidential patient information. If you don’t want your confidential patient information to be shared with other organisations for purposes except your own care – either GP data, or other data it holds, such as hospital data – you can register a National Data Opt-out.
If you have registered a National Data Opt-out, NHS Digital won’t share any confidential patient information about you with other organisations, unless there is an exemption to this, such as where there is a legal requirement or where it is in the public interest to do so, such as helping to manage contagious diseases like coronavirus. You can find out more about exemptions on the NHS website.