Access to Medical Reports
The Access to Medical Reports Act 1988 allows both employers and insurers to a request medical report from a GP. Employers and Insurers are required to seek a patient’s consent prior making a request and a patient must be informed of their right to withhold consent during the process. Where requests are made for copies of your medical records for insurance purposes, we will contact you to discuss the request and confirm you are happy for us to release the records. This is in line with guidance from the British Medical Association (BMA) and the Information Commissioners Office (ICO).
Patients may also request a copy of the report however, there are some exemptions to this right that can be applied in certain circumstances such as:
- Where serious harm to the physical or mental health of the individual or others or would indicate the intentions of the practitioner in respect of the individual.
- Where the report reveals information about another person, or reveals the identity of another person who has supplied information to the practitioner about the individual.
1) Controller contact details
Penge PCN
2) Data Protection Officer contact details
Danielle Gibbons
GP Data Protection Officer
gpdpo@selondonics.nhs.uk
3) Purpose of the processing
To provide the Employers and Insurers with a Medical Reports following the consent of the patient.
4) Lawful basis for processing
The legal basis will be
Article 6(1)(a) “the data subject has given clear consent to the processing of his or her personal data for one or more specific purposes”
And
Article 9(2)(a)”the data subject has given explicit consent to the processing of those personal data for one or more specified purposes”
5) Recipient or categories of recipients of the shared data
The data will be shared with the specified employment or Insurance organisation or specified Officers. Patients may also request a copy of a report.
6) Rights to object
You have absolute right to object to your information being shared for direct marketing.
You have the right to object to some or all the information being shared with Employers or Insurers. Contact the Controller or the practice.
7) Right to access and correct
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention period
The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.
9) Right to Complain.
You have the right to complain to the Information Commissioner’s Office online or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website).
Care Quality Commission
The Care Quality Commission (CQC) is an organisation established in English law by the Health and Social Care Act. The CQC is the regulator for English health and social care services to ensure that safe care is provided. They inspect and produce reports on all English general practices in a rolling 5 year program.
The law allows the Practice to share identifiable patient information with CQC as well as requiring this Practice to share certain types of data with them in certain circumstances, for instance following a significant safety incident.
See more information about the CQC
1) Controller contact details
Penge PCN
2) Data Protection Officer contact details
Danielle Gibbons
GP Data Protection Officer
gpdpo@selondonics.nhs.uk
3) Purpose of the processing
To meet the legal obligation to provide the Department of Health with information and reports on the status, activity and performance of NHS GP practices. This may include identifiable patient data.
4) Lawful basis for processing
The legal basis will be
Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”
And
Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”
5) Recipient or categories of recipients of the shared data
The data will be shared with the Care Quality Commission, its officers and staff and members of the inspection teams that visit us from time to time.
6) Rights to object
You have the right to object to some or all the information being shared with NHS Digital. Contact the Controller or the practice.
7) Right to access and correct
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention period
The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.
9) Right to Complain.
You have the right to complain to the Information Commissioner’s Office online or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website).
Complaints, Subject Access Requests and Freedom of Information Requests
This Practice holds and uses patient data for the purposes of Complaints, Subject Access Requests and Freedom of Information Requests.
We collect and store information about your health and care that has been received directly from you or organisations such as Local Authorities, other GP Practices, NHS Trusts and NHS Integrated Care Systems.
Under UK GDPR and the Data Protection Act 2018, you have the right to see or be given a copy of any personal data we hold about you. To gain access to a copy of your information, you will need to make a Subject Access Request (SAR) to the Practice. You can do so by emailing or contacting us.
Under the Freedom of Information Act 2000, you have the right to request copies of non-personal information held by the Practice. To gain access to a copy of your information, you will need to make a Freedom of Information (FOI) Request to the Practice.
Should you wish to make a complaint to the Practice, then there may be a need for them to view and access your patient data or request some from you directly. This will allow the Practice to investigate your complaint. Information on our complaints process can be found here:
1) Controller contact details
Penge PCN
2) Data Protection Officer contact details
Danielle Gibbons
GP Data Protection Officer
gpdpo@selondonics.nhs.uk
3) Purpose of the processing
Legal Obligations of the Practice to manage, investigate and respond to requests for copies of personal data, FOI requests and complaints.
4) The Lawfulness Conditions and Special Categories
The lawful justifications for the processing and possible sharing of this data are;-
Article 6(1)(c) “the processing is necessary for compliance with any legal obligation to which the controller is subject”
Where your complaint or SAR involves processing of special category data the relevant condition for processing that data will be
Article 9(2)(g) “substantial public interest” as defined by Data Protection Act 2018, Schedule 1, Part 2, Section 6(2)(a) “the exercise of a function conferred on a person by an enactment or rule of law”
5) Recipient or categories of recipients of the shared data
Where a complaint you make is about another organisation, we may share details of your complaint with that organisation. We would only do so after informing you of this.
6) Rights to object
You have the right under Article 21 of the UK GDPR to object to your personal information being processed. Please contact the Practice if you wish to object to the processing of your data. You should be aware that this is a right to raise an objection which is not the same as having an absolute right to have your wishes granted in every circumstance.
GP Practices process personal data under Article 6(1)(c) on a lawful and legitimate basis where the organisation is obliged under law to comply with
- The UK General Data Protection Regulations (GDPR)
- The Data Protection Act 2018
- The Freedom of Information Act
- The NHS Constitution
- The Local Authority Social Services and National Health Service Complaints (England) Regulations 2009
By complying with these laws, the Practice has compelling legitimate grounds for the processing which override the interests, rights and freedoms in the right to object.
7) Right to access and correct
You have the right to access any identifiable personal data that is being processed or shared and to have any inaccuracies corrected.
8) Retention period
The data will be retained for the period as specified in the national records retention schedule.
9) Right to Complain.
You have the right to complain to the Information Commissioner’s Office online or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website).
Direct Care – Emergencies
There are occasions when intervention is necessary in order to save or protect a patient’s life or to prevent them from serious immediate harm, for instance during a collapse or diabetic coma or serious injury or accident. In many of these circumstances the patient may be unconscious or too ill to communicate. In these circumstances we have an overriding duty to try to protect and treat the patient. If necessary we will share your information and possibly sensitive confidential information with other emergency healthcare services, the police or fire brigade, so that you can receive the best treatment.
The law acknowledges this and provides supporting legal justifications.
Individuals have the right to make pre-determined decisions about the type and extend of care they will receive should they fall ill in the future; these are known as “Advance Directives”. If logged in your records these will be honoured despite the observations in the first paragraph.
1) Controller contact details
Penge PCN
2) Data Protection Officer contact details
Danielle Gibbons
GP Data Protection Officer
gpdpo@selondonics.nhs.uk
3) Purpose of the processing
Doctors have a professional responsibility to share data in emergencies to protect their patients or other persons. Often in emergency situations the patient is unable to provide consent.
4) The Lawfulness Conditions and Special Categories
This is a Direct Care purpose. There is a specific legal justification;
Article 6(1)(d) “processing is necessary to protect the vital interests of the data subject or of another natural person”
And
Article 9(2)(c) “processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent”
Or alternatively
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”
5) Recipient or categories of recipients of the shared data
The data will be shared with healthcare professionals and other workers in emergency and out of hours services and at local hospitals, diagnostic and treatment centres.
6) Rights to object
You have the right to object to some or all the information being shared with the recipients. Contact the Controller or the practice.
You also have the right to have an “Advance Directive” placed in your records and brought to the attention of relevant healthcare workers or staff.
7) Right to access and correct
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law. If we share or process your data in an emergency when you have not been able to consent, we will notify you at the earliest opportunity.
8) Retention period
The data will be retained in line with the law and national guidance
9) Right to Complain.
You have the right to complain to the Information Commissioner’s Office online or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website).
“Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Direct Care – Routine Care and Referrals
This practice keeps data on you relating to who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care.
When registering for NHS care, all patients who receive NHS care are registered on a national database, the database is held by NHS Digital, a national organisation which has legal responsibilities to collect this data.
NHS GPs have many patients for whom they are responsible and to facilitate efficient and accessible services your GP delegates tasks and responsibilities to others that work with them in their surgeries. They will also share your care with other organisations, predominantly within the surgery but occasionally with outside organisations and particularly with local partner practices forming part of your GPs Primary Care Network (PCN) with whom your practice works closely and collaboratively to provide the most flexible and accessible services for patients. This will mean that GPs from other local practices will at times have access to your full GP record but only when providing direct care to you.
If your health needs require care from others elsewhere outside this practice we will exchange with them whatever information about you that is necessary for them to provide that care. When you make contact with healthcare providers outside the practice but within the NHS it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non NHS services, but this is not always the case.
The sharing of your data, within the practice and with those others outside the practice engaged in your direct care is allowed by Law.
People who have access to your information will only normally have access to that which they need to fulfil their roles, for instance admin staff will normally only see your name, address, contact details, appointment history and registration details in order to book appointments, the practice nurses will normally have access to your immunisation, treatment, significant active and important past histories, your allergies and relevant recent contacts whilst the GP you see or speak to will normally have access to everything in your record.
You have the right to object to our sharing your data in these circumstances, but we have an overriding responsibility to do what is in your best interests. Please see below.
1) Controller contact details
Penge PCN
2) Data Protection Officer contact details
Danielle Gibbons
GP Data Protection Officer
gpdpo@selondonics.nhs.uk
3) Purpose of the processing
Direct Care is care delivered to the individual alone, most of which is provided in the surgery. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.
4) The Lawfulness Conditions and Special Categories
The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1)(e) ‘…The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”
5) Recipient or categories of recipients of the shared data
The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care
6) Rights to object
You have the right to object to some or all the information being processed under Article 21. Please contact the Controller or the practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance
7) Right to access and correct
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention period
The data will be retained in line with the law and national guidance or speak to the practice.
9) Right to Complain.
You have the right to complain to the Information Commissioner’s Office online or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website).
“Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Driving and Licencing Authority (DVLA)
The Driving and Licencing Authority (DVLA) are required to assess whether licence holders are fit to drive if a patient is recently diagnosed or has a condition which may affect their fitness.
The patient must inform the DVLA if this is the case however in certain circumstances, a GP may contact the DVLA with a Patient’s consent or, if a GP believes their patient will not report their condition, contact the DVLA without consent to protect the public. Please see the following link for further information.
1) Controller contact details
Penge PCN
2) Data Protection Officer contact details
Danielle Gibbons
GP Data Protection Officer
gpdpo@selondonics.nhs.uk
3) Purpose of the processing
To provide the Secretary of State and the Driving and Licencing Authority (DVLA) with information relating to fitness to drive. Although the primary obligation lies with the Patient, circumstances exist where a GP will need to contact DVLA to highlight a concern.
4) The Lawfulness Conditions and Special Categories
The legal basis for us sharing this data under UK GDPR will be.
Article 6(1)(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”.
or
6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
And
Article 9(2)(g) “processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”
5) Recipient or categories of recipients of the shared data
The data will be shared with the Driving and Licencing Authority (DVLA), its officers and staff and members to assess fitness to drive.
6) Rights to object
You have the right to object to some or all of the information being shared with Driving and Licencing Authority (DVLA) in certain circumstances. Contact the Practice using the details above.
7) Right to access and correct
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention period
The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.
9) Right to Complain.
You have the right to complain to the Information Commissioner’s Office online or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website).
HR, Staffing, Employment, Recruitment and Training
This Practice collects and stores information pertaining to staff for the purposes of HR, employment, recruitment and training.
Information is collected and stored about prospective, current and past employees, including self-employed and temporary staff.
Data is collected for purposes including recruitment, occupational health, vetting checks, staff training and payroll.
We share information with the following organisations with your explicit consent or when the law allows: future employers reference request and HM Revenue & Customs.
1) Controller contact details
Penge PCN
2) Data Protection Officer contact details
Danielle Gibbons
GP Data Protection Officer
gpdpo@selondonics.nhs.uk
3) Purpose of the processing
Legal Obligation
4) The Lawfulness Conditions and Special Categories
The lawful basis for processing, storing and sharing this data under UK Data Protection Legislation are –
Article 6(1)(c) “the processing is necessary for compliance with any legal obligation to which the controller is subject”.
And in addition, an Article 9 condition for processing must also be adhered to: –
Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment”.
5) Recipient or categories of recipients of the shared data
The data will be shared with HM Revenue & Customs and future employers where a reference is requested.
6) Rights to object
You do not have to consent to your data being used for this purpose. You can change your mind and withdraw your consent at any time. Contact the Controller or the practice.
7) Right to access and correct
You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.
8) Retention period
The data will be retained for the period as specified in the specific employment protocol(s).
9) Right to Complain.
You have the right to complain to the Information Commissioner’s Office online or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website).
Litigations and Claims
This Practice is legally obliged to investigate any litigation or claims brought against them, and this will require us to access, process and hold some your personal identifiable data. This may include your name, address, date or birth and medical condition and other data we may hold. The data this Practice will need to process will depend on the type of litigation or claim received.
This NHS Litigation Authority operates a scheme which this Practice pays an annual contribution for, and in return the NHS Litigation Authority supports the settlement of any clinical negligence claims the Practice receives.
1) Controller contact details
Penge PCN
2) Data Protection Officer contact details
Danielle Gibbons
GP Data Protection Officer
gpdpo@selondonics.nhs.uk
3) Purpose of the processing
Legal Obligations of the Practice
4) The Lawfulness Conditions and Special Categories
The lawful justifications for the processing and possible sharing of this data under Data Protection Legislation are –
Article 6(1)(c) “the processing is necessary for compliance with any legal obligation to which the controller is subject”.
Article 9(f) “the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity”
5) Recipient or categories of recipients of the shared data
The data may be shared with organisations such as
- Our solicitors or legal team
- The Court processing the claim.
- Any regulatory body who has a statutory basis for evidencing, overseeing, investigating, or substantiating litigation, a claim or national or professional standards such as the GMC, the Care Quality Commission and other bodies or the outcomes of such action.
6) Rights to object
You have the right under Article 21 of the GDPR to object to your personal information being processed. Please contact the Practice if you wish to object to the processing of your data. You should be aware that this is a right to raise an objection which is not the same as having an absolute right to have your wishes granted in every circumstance.
Practice’s process personal data under Article 6(1)(c) on a lawful and legitimate basis where the organisation is obliged under law to comply with
- The UK General Data Protection Regulations (GDPR)
- The Data Protection Act 2018
- The Freedom of Information Act
- The NHS Constitution
- The Local Authority Social Services and National Health Service Complaints (England) Regulations 2009
By complying with these laws, the Practice has compelling legitimate grounds for the processing which override the interests, rights and freedoms in the right to object.
7) Right to access and correct
You have the right to access any identifiable personal data that is being processed or shared and to have any inaccuracies corrected.
8) Retention period
The data will be retained for the period as specified in the national records retention schedule.
9) Right to Complain.
You have the right to complain to the Information Commissioner’s Office online or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website).
National Screening and Reporting Programs
The NHS provides national screening and reporting programmes so that certain diseases can be detected at an early stage. These currently apply to bowel cancer, breast cancer, aortic aneurysms, and diabetic retinal screening service as well as other exempt programmes. The law allows us to share your contact information with Public Health England and NHS England so that you can be invited to the relevant screening programme and so that nationally exempted programmes can operate effectively with regards to public and patient health.
More information can be found at The UK Government website or NHS Digital (select link for Data Uses and Releases Compendium) or speak to the practice.
1) Controller contact details
Penge PCN
2) Data Protection Officer contact details
Danielle Gibbons
GP Data Protection Officer
gpdpo@selondonics.nhs.uk
3) Purpose of the processing
The NHS provides several national health screening and reporting programs to detect diseases or conditions earlier such as cervical and breast cancer, aortic aneurysm and diabetes. More information can be found at The UK Government website. The information is shared so as to ensure only those who should be called for screening are called and or those at highest risk are prioritised.
4) The Lawfulness Conditions and Special Categories
The sharing is to support Direct Care which is covered under UK Data Protection Legislation.
Article 6(1)(e); “necessary… in the exercise of official authority vested in the controller’ the processing is necessary to perform a task in the public interest.
And
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”
Or
Article 9(2)(i) ‘processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…’
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality” *
5) Recipient or categories of recipients of the shared data
The data will be shared with national and research bodies as allowed by law. Please see links for full details.
6) Rights to object
You have the right to object to this processing of your data and to some or all of the information being shared with the recipients. Contact the Controller or the practice. For national screening programmes: you can opt so that you no longer receive an invitation to a screening programme.
Or speak to your practice.
7) Right to access and correct
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention period
GP medical records will be kept in line with the law and national guidance.
Information on how long records can be kept can be found at NHS England
Or speak to the practice.
9) Right to Complain.
You have the right to complain to the Information Commissioner’s Office online or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website).
10) National Data Opt Out
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit Your NHS Data Matters
On this web page you will:
- See what is meant by confidential patient information.
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care.
- Find out more about the benefits of sharing data.
- Understand more about who uses the data.
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at:
The Health Research Authority (which covers health and care research); and Understanding Patient Data (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes. Data would only be used in this way with your specific agreement.
“Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
NHS Digital
NHS Digital is the secure haven for NHS patient data, a single secure repository where data collected from all branches of the NHS is processed. NHS Digital provides reports on the performance of the NHS, statistical information, audits, and patient outcomes (visit NHS Digital).
Examples include A/E and outpatient waiting times, the numbers of staff in the NHS, percentage target achievements, payments to GPs etc and more specific targeted data collections and reports such as the Female Genital Mutilation, general practice appointments data and English National Diabetes Audits. GPs are required by the Health and Social Care Act to provide NHS Digital with information when instructed.
This is a legal obligation which overrides any patient wishes. These instructions are called “Directions”. More information on the directions placed on GPs can be found at NHS Digital and NHS Data Sharing
1) Controller contact details
Penge PCN
2) Data Protection Officer contact details
Danielle Gibbons
GP Data Protection Officer
gpdpo@selondonics.nhs.uk
3) Purpose of the processing
To provide the Secretary of State and others with information and reports on the status, activity and performance of the NHS.
4) The Lawfulness Conditions and Special Categories
The legal basis will be
Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”
And
Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;”
5) Recipient or categories of recipients of the shared data
The data will be shared with NHS Digital according to directions which can be found at NHS Digital
6) Rights to object
You have the right to object to some or all of the information being shared with NHS Digital. Contact the Controller or the practice.
7) Right to access and correct
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention period
The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.
9) Right to Complain.
You have the right to complain to the Information Commissioner’s Office online or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website).
Patient Communications
This Practice will contact patients at times in relation to services, feedback and new initiatives in the area that they have registered an interest in.
We collect and store information that has been received directly from you when you have consented to this process.
We may share information with the following organisations with your explicit consent or when the law allows.
You have the right to object to your identifiable information being used or shared for this purpose. Please speak to the Practice if you no longer wish to have your data used or be contacted by the Practice in future.
1) Controller contact details
Penge PCN
2) Data Protection Officer contact details
Danielle Gibbons
GP Data Protection Officer
gpdpo@selondonics.nhs.uk
3) Purpose of the processing
Public Task
4) The Lawfulness Conditions and Special Categories
The lawful justifications for the processing and possible sharing of this data are –
Article 6(1)(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”.
5) Recipient or categories of recipients of the shared data
The data will not be shared without your explicit consent or when the law allows.
6) Rights to object
You do not have to consent to the Practice being able to contact you. You can change your mind and withdraw your consent at any time. Contact the Controller for more information.
7) Right to access and correct
You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.
8) Retention period
The data will be retained for the period as specified in the national records retention schedule.
9) Right to Complain.
You have the right to complain to the Information Commissioner’s Office online or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website).
Patient Participation and Engagement Groups
This practice hosts Patient Participation and Engagement groups to improve the quality of services delivered by the practice.
We collect and store information that has been received directly from you if you are actively involved in the Patient Participation or Engagement group. The Practice uses the following methods of patient engagement:
- Bromley Connect PCN
We may share information with the following organisations with your explicit consent or when the law allows:
You have the right to object to your identifiable information being used or shared for this purpose. Please speak to the practice if you no longer wish to have your data used or be a part of the Patient Participation or Engagement group.
1) Controller contact details
Penge PCN
2) Data Protection Officer contact details
Danielle Gibbons
GP Data Protection Officer
gpdpo@selondonics.nhs.uk
3) Purpose of the processing
Public Task
4) The Lawfulness Conditions and Special Categories
The lawful justifications for the processing and possible sharing of this data are; –
Article 6(1)(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”.
5) Recipient or categories of recipients of the shared data
The data will be shared with
6) Rights to object
You do not have to consent to your data being used for the patient participation or engagement groups. You can change your mind and withdraw your consent at any time. Contact the Practice using the contact details above.
7) Right to access and correct
You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.
8) Retention period
The data will be retained for the period as specified in the national records retention schedule.
9) Right to Complain.
You have the right to complain to the Information Commissioner’s Office online or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website).
Payments
Contract holding GPs in the UK receive payments from their respective governments on a tiered basis. Most of the income is derived from baseline capitation payments made according to the number of patients registered with the practice on quarterly payment days. These amounts paid per patient per quarter varies according to the age, sex and other demographic details for each patient.
There are also graduated payments made according to the practice’s achievement of certain agreed national quality targets known as the Quality and Outcomes Framework (QUOF), for instance the proportion of diabetic patients who have had an annual review. Practices can also receive payments for participating in agreed national or local enhanced services, for instance opening early in the morning or late at night or at the weekends.
Practices can also receive payments for certain national initiatives such as immunisation programs and practices may also receive incomes relating to a variety of non-patient related elements such as premises. Finally, there are short term initiatives and projects that practices can take part in. Practices or GPs may also receive income for participating in the education of medical students, junior doctors and GPs themselves as well as research.
In order to make patient-based payments basic and relevant necessary data about you needs to be sent to the various payment services. The release of this data is required by English laws.
1) Controller contact details
Penge PCN
2) Data Protection Officer contact details
Danielle Gibbons
GP Data Protection Officer
gpdpo@selondonics.nhs.uk
3) Purpose of the processing
To enable GPs to receive payments. To provide accountability.
4) The Lawfulness Conditions and Special Categories
The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the UK GDPR:
Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.”
And
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”
5) Recipient or categories of recipients of the shared data
The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care.
6) Rights to object
You have the right to object to some or all the information being processed under Article 21. Please contact the Practice. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance
7) Right to access and correct
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention period
The data will be retained in line with the law and national guidance.
9) Right to Complain.
You have the right to complain to the Information Commissioner’s Office online or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website).
For more information about payments the English GPs please see NHS Digital
Public Health
Public health encompasses everything from national smoking and alcohol policies, the management of epidemics such as flu, the control of large-scale infections such as TB and Hepatitis B to local outbreaks of food poisoning or Measles. Public Health England (PHE) monitors the numbers of certain infections that occur in healthcare settings through routine surveillance programmes and advises on how to prevent and control infection in establishments such as hospitals, care homes and schools.
In order to allow PHE to carry out accurate monitoring of infections, it may rely on information held by the Practice with regards to Healthcare Acquired Infections (HCAIs).
This will necessarily mean the subjects personal and health information being shared with the Public Health organisations.
Some of the relevant legislation includes:
- Health Protection (Notification) Regulations 2010 (SI 2010/659)
- Health Protection (Local Authority Powers) Regulations 2010 (SI 2010/657)
- Health Protection (Part 2A Orders) Regulations 2010 (SI 2010/658)
- Public Health (Control of Disease) Act 1984
- Public Health (Infectious Diseases) Regulations 1988 and
- The Health Service (Control of Patient Information) Regulations 2002
1) Controller contact details
Penge PCN
2) Data Protection Officer contact details
Danielle Gibbons
GP Data Protection Officer
gpdpo@selondonics.nhs.uk
3) Purpose of the processing
There are occasions when medical data needs to be shared with Public Health England, the Local Authority Director of Public Health, or the Health Protection Agency, either under a legal obligation or for reasons of public interest or their equivalents in the devolved nations.
4) The Lawfulness Conditions and Special Categories
The legal bases will be under UK GDPR:
Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject”
and
Article 9(2)(i) “processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices,..”
5) Recipient or categories of recipients of the shared data
The data will be shared with Public Health England and equivalents in the devolved nations.
6) Rights to object
You have the right under Article 21 of the GDPR to object to your personal information being processed. Please contact the Practice if you wish to object to the processing of your data. You should be aware that this is a right to raise an objection which is not the same as having an absolute right to have your wishes granted in every circumstance.
7) Right to access and correct
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a Court of Law.
8) Retention period
The data will be retained for active use during the period of the public interest and according to legal requirements and Public Health England’s criteria on storing identifiable data.
9) Right to Complain.
You have the right to complain to the Information Commissioner’s Office online or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website).
Reporting Gunshot and Knife Wounds
Patients may require treatment for injuries related to Gunshot and Knife wounds. In certain circumstances, a GP may need to share information with the local Police Force in order to safeguard others.
Wherever possible, patient consent will be obtained however, in limited circumstances, such as where gaining consent is impractical or if the public interest outweighs the patients’ rights, information may be shared without the patient’s knowledge.
1) Controller contact details
Penge PCN
2) Data Protection Officer contact details
Danielle Gibbons
GP Data Protection Officer
gpdpo@selondonics.nhs.uk
3) Purpose of the processing
To provide local Police Force with information relating Gunshot and Knife wounds for the protection of others.
4) The Lawfulness Conditions and Special Categories
The legal basis will be.
Article 6(1)(e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
And
Article 9(2)(g) “processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”.
5) Recipient or categories of recipients of the shared data
The data will be shared with the local Police Force.
6) Rights to object
You have the right to object to some or all the information being shared with a local police force in certain circumstances. Contact the Controller or the practice.
7) Right to access and correct
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention period
The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.
9) Right to Complain.
You have the right to complain to the Information Commissioner’s Office online or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website).
Research
This practice participates in research. We will only agree to participate in any project if there is an agreed clearly defined reason for the research that is likely to benefit healthcare and patients. Such proposals will normally have a consent process, ethics committee approval, and will be in line with the principles of Article 89(1) of UK GDPR.
Research organisations do not usually approach patients directly but will ask us to contact suitable patients to seek their consent. Occasionally research can be authorised under law without the need to obtain consent. This is known as the section 251 arrangement1. We may also use your medical records to carry out research within the practice.
We share information with the following medical research organisations with your explicit consent or when the law allows: [Practice to insert names e.g., Clinical Practice Research Datalink].
You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the practice if you wish to object.
1) Controller contact details
Penge PCN
2) Data Protection Officer contact details
Danielle Gibbons
GP Data Protection Officer
gpdpo@selondonics.nhs.uk
3) Purpose of the processing
Medical research.
4) The Lawfulness Conditions and Special Categories
Identifiable data will be shared with researchers either with explicit consent or, where the law allows, without consent. The lawful justifications are
Article 6(1)(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes”.
or
Article 6(1)(e) may apply “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”
And in addition, there are three possible Article 9 justifications.
Article 9(2)(a) – ‘the data subject has given explicit consent…’
or
Article 9(2)(j) – ‘processing is necessary for… scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject’.
or
Article 9(2)(h) – ‘processing is necessary for the purpose of preventative…medicine…the provision of health or social care or treatment or the management of health or social care systems and services…’
5) Recipient or categories of recipients of the shared data
The data will be shared with [Practice to insert name and URLs of research organisations]
6) Rights to object
You do not have to consent to your data being used for research. You can change your mind and withdraw your consent at any time. Contact the Controller or the practice.
You can also register a National Data Opt-out, which removes your data from certain research and planning. You can find out more here: NHS – Opt out of Sharing Your Health Records
7) Right to access and correct
You have the right to access any identifiable data that is being shared and have any inaccuracies corrected.
8) Retention period
The data will be retained for the period as specified in the specific research protocol(s).
9) Right to Complain.
You have the right to complain to the Information Commissioner’s Office online or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website).
Commissioning, Planning, Risk Stratification, Patient Identification
The records we keep enable us to plan for your care.
This practice keeps data on you that we apply searches and algorithms to in order to identify from preventive interventions.
This means using only the data we hold or in certain circumstances linking that data to data held elsewhere by other organisations, and usually processed by organisations within or bound by contracts with the NHS.
If any processing of this data occurs outside the practice your identity will not be visible to the processors. Only this practice will be able to identify you and the results of any calculated factors, such as your risk of having a heart attack in the next 10 years or your risk of being admitted to hospital with a complication of chest disease.
You have the right to object to our processing your data in these circumstances and before any decision based upon that processing is made about you. Processing of this type is only lawfully allowed where it results in individuals being identified with their associated calculated risk. It is not lawful for this processing to be used for other ill-defined purposes, such as “health analytics”.
Despite this we have an overriding responsibility to do what is in your best interests. If we identify you as being at significant risk of having, for example a heart attack or stroke, we are justified in performing that processing in order to provide you with medical care.
1) Controller contact details
Penge PCN
2) Data Protection Officer contact details
Danielle Gibbons
GP Data Protection Officer
gpdpo@selondonics.nhs.uk
3) Purpose of the processing
The practice performs computerised searches of some or all of our records to identify individuals who may be at increased risk of certain conditions or diagnoses i.e., Diabetes, heart disease, risk of falling).
Your records may be amongst those searched. This is often called “risk stratification” or “case finding”. These searches are sometimes carried out by Processors who link our records to other records that they access, such as hospital attendance records. The results of these searches and assessment may then be shared with other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.
4) The Lawfulness Conditions and Special Categories
The legal basis for this processing is
Article 6(1)(e); “necessary… in the exercise of official authority vested in the controller’.
And
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”
We will recognise your rights under UK Law collectively known as the “Common Law Duty of Confidentiality”
5) Recipient or categories of recipients of the shared data
The data will be shared for processing with [Practice to insert any Processor] and for subsequent healthcare with [Practice insert ICS / PCO/ frailty service etc]
6) Rights to object
You have the right to object to this processing where it might result in a decision being made about you. That right may be based either on implied consent under the Common Law of Confidentiality, Article 22 of GDPR or as a condition of a Section 251 approval under the HSCA. It can apply to some, or all of the information being shared with the recipients. Your right to object is in relation to your personal circumstances. Contact the Practice using the above details.
7) Right to access and correct
You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention period
The data will be retained in line with the law and national guidance.
9) Right to Complain.
You have the right to complain to the Information Commissioner’s Office online or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website).
“Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented.
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Safeguarding
Some members of society are recognised as needing protection, for example children and adults with care and support needs (adult hereafter). Safeguarding is the action that is taken to promote the welfare and protect children/ adult from harm. If a child/ adult is suffering or likely to suffer significant harm, professionals have a statutory responsibility to protect them. This statutory responsibility is enshrined within the Care Act 2014, Children Acts 1989 & 2004 & Social Care Act 2014.
Where there is a suspected or actual safeguarding issue professionals should aim to gain agreement to share information but should be mindful of situations where to do so would place a child/ adult at increased risk of harm. Information may be shared without agreement if a professional has reason to believe that there is good reason to do so, and that the sharing of information will enhance safeguarding. When decisions are made to share or withhold information, practitioners should record who has been given the information and why.
This is covered in the following legislation guidance:
- The Mental Capacity Act 2005
- Section 47 of The Children Act 1989
- Section 18 Schedule 1 Part 2 of Data Protection Bill 2018
- Section 45 of the Care Act 2014
For children where who are identified as Child In Need professionals are required to seek consent in regards to sharing information. The relevant guidance is covered:
1) Controller contact details
Penge PCN
2) Data Protection Officer contact details
Danielle Gibbons
GP Data Protection Officer
gpdpo@selondonics.nhs.uk
3) Purpose of the processing
The purpose of the processing is to protect the child or vulnerable adult.
4) The Lawfulness Conditions and Special Categories
The sharing is a legal requirement to protect vulnerable children or adults, therefore for the purposes of safeguarding children and vulnerable adults, the following UK GDPR Article 6 conditions apply:
Article 6(1)(e) “for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”;
Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject”.
And the following Article 9 condition for processing special category personal data:
Article 9(2)(b) “…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law.”
We will consider your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”
5) Recipient or categories of recipients of the shared data
The data will be shared with the Nursing Directorate Safeguarding teams and other organisations such as police, NHS or Local Authority where deemed necessary.
6) Rights to object
This sharing is a legal and professional requirement and therefore there is no right to object.
There is also GMC guidance for adult and child safeguarding:
7) Right to access and correct
The Data Subjects or their legal representatives have the right to access the data that is being processed or shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
8) Retention period
The data will be retained for active use during any investigation and thereafter retained in an inactive stored form according to the law and national guidance
9) Right to Complain.
You have the right to complain to the Information Commissioner’s Office online or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website).
“Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented.
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.