Fair Processing Notice

Data protection and confidentiality

 

BACK TO MAIN INDEX

 

Our identity – who we are, what we do

The practice is part of the Hurley Group. The group is a traditional GP Partnership but we are rather unique in that we run several GP practices walk in centres, urgent care centres and a health services for unwell doctors (Practitioner Health Services)

 

The reasons why we collect and use patient data

We collect data on patients, so we can delivery direct patient care and this means we can process patient data lawfully under the General Data Protection Regulations 2018 (GDPR). We are therefore known as a Data Controller.

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.

NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which this service hold about you may include the following information and they areretained until a person dies;

  • Details about you, such as your address, email address, telephone number, legal representative, emergency contact details
  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations such as laboratory tests, x-rays etc
  • Relevant information from other health professionals, relatives or those who care for you

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used within our services for clinical audit to monitor the quality of the service provided.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.

Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose – further detail below

 

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • General Data Protection Regulation 2018
  • Data Protection Act 1998
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality and Information
  • Information: To Share or Not to Share Review

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. All our staff undergo yearly training on data protection.

We will only ever use or pass on health information about you if others involved in your care have a genuine need for it. We will not disclose your health information to any 3rd party without your permission unless:

  • there are exceptional circumstances (i.e. life or death situations),
  • where the law requires information to be passed on (e.g. in event of a serious crime)
  • in accordance with the new information sharing principle following Dame Fiona’s Caldicott information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.
 

Hurley Group Oversight

We have assigned a Data Protection Officer who has oversight of the handling of information within the Hurley Group. They oversee and makes decisions on information sharing
and are accountable for information risk.

If you wish to contact the Data Protection Officer please use the following link or contact the service.

Contact the Data Protection Officer

 

Other Data Sharing / Access Projects and special cases

Direct Patient Care

Often we have to share information for your medical care, such as with hospital when we refer you or if you attended an urgent care centre. Many of our services also have electronic links with another GP service, hospital, out of hours or community service so they can see your record that we hold and vice versa when they are dealing with your medical care directly. Please contact the service if you would like more detail.

 

Special cases and the Law

The law requires us to share information from your medical records in certain circumstances. Information is sha red so that the NHS or Public Health England can, for example:

  • plan and manage services;
  • check that the care being provided is safe;
  • prevent infectious diseases from spreading.

We will share information with NHS Digital, the Care Quality Commission and local health protection team (or Public Health England) when the law requires us to do so.

 

NHS Digital

  • NHS Digital is a national body which has legal responsibilities to collect information about health and social care services.
  • It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients.
  • This practice must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012.
  • More information about NHS Digital and how it uses information can be found via their website
  • NHS Digital sometimes shares names and addresses of patients suspected of committing immigration offences with the Home Office. More information on this can be found on the government website
 

General Practice Data for Planning and Research

  • This new service replaces existing GP data extraction services on 1st September 2021
  • It shares pseudonymised data i.e. it will not collect your name or where you live. Any other data that could directly identify you, for example NHS number, General Practice Local Patient Number, full postcode and date of birth, is replaced with unique codes which are produced by de-identification software before the data is shared with NHS Digital.

The service will collect:

  1. data on your sex, ethnicity and sexual orientation
  2. clinical codes and data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals and recalls, and appointments, including information about your physical, mental and sexual health
  3. data about staff who have treated you
 

Care Quality Commission (CQC)

  • The CQC regulates health and social care services to ensure that safe care is provided.
  • The law says that we must report certain serious events to the CQC, for example, when patient safety has been put at risk.
  • For more information about the CQC see their website
 

Public Health

  • The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population.
  • We will report the relevant information to local health protection team or Public Health England.

For more information about Public Health England and disease reporting see the government website 

 

National screening programmes

  • The NHS provides national screening programmes so that certain diseases can be detected at an early stage.
  • These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service.
  • The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.

More information can be found on the governement website

 

Medical Research

Hurley Group shares information from medical records:

  • to support medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best;
  • we will also use your medical records to carry out research within the practice.

This is important because:

  • the use of information from GP medical records is very useful in developing new treatments and medicines;
  • medical researchers use information from medical records to help answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive.

We share information with medical research organisations with your explicit consent or when the law allows.

You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the practice if you wish to object

 

CCTV

Some of our practices have CCTV in place for security reasons. These records are kept secure in a similar manner to patient records and follow the ICO code of practice

Information is only shared in the exceptional circumstances set out above

 

Video Consultations

If either you or one of our clinicians have requested a video consultation using the Hurley Group’s Video Consultation solution, it will be treated as any other consultation you have with your GP.

However, you will need to be aware of the following:

The Hurley Group takes your privacy and the security of your personal information very seriously will ensure that it is kept secure and protected. To ensure the safety of your personal information all communication between the GP and patient devices is encrypted to NHS standards. However, you should be aware that no communication over the internet is 100% secure. If you have any concerns about this, you may request a face to face or telephone appointment. Video consultations are entirely voluntary and are offered to extend the access and provide the patient choice.

The Video Consultation application itself cannot protect users from spyware so you should always ensure that you have adequate anti-virus/malware protection on any device you use for the video consultation. If you choose to use the Video Consultation solution on your mobile device you should make adequate provision to ensure the security of the device you choose to use.

We will always conduct a video consultation in a quiet, private space, free of interruptions where others cannot overhear. You are responsible for ensuring that you are in an appropriate environment and recommend that you find a quiet, private place to speak to us.

You will be provided with instructions for joining the video consultation as per the process set outfor the video solution in use. You will be required to provide your consent to the terms and conditions of the service and the invitation in order for you to proceed with the scheduled consultation. If you share an account with other people, such as your family members, they may have access to some information about the consultation. If you are using a public or shared device then you should be aware that some of your personal information may be stored locally on the computer you are using.

Should we seek to record the video consultation we will obtain and document your consent to do so. We will also explain why a recording will help in providing clinical care, who can access the recording, where and how it will be stored securely, how long it will be stored for and how it will be used (i.e. that the recording will not be used for any other purpose except for direct care without the patient’s express permission).

 

Risk Stratification

Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information and is only provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services. Please note that you have the right to opt out.

 

Online Consultations (eConsults)

Hurley Group utilises online consultations. Information entered in an online consultation is stored in your clinical record just as it would be if you had seen the Doctor face-to-face. It is subject to the same information rules as anything else in your clinical record.

 

Hurley eHub

As part of our commitment to improving quality of care, many of our online consultations are now done remotely, on behalf of all of the surgeries in the Hurley Group (the ‘eHub’). Our Doctors who work in the eHub work for a range of surgeries across the Hurley Group. This means that you may be contacted by a doctor who works at a different surgery to the one you go to. However, they are fully employed by the Hurley Group and subject to the same confidentiality and information governance rules as described in this Notice

 

North Lambeth eHub

The North Lambeth eHub processes online consultations for multiple practices in the North Lambeth Primary Care Network, similar to the Hurley eHub. In some instances, the practice may pass a consultation to our local “eHub” who are local clinicians and staff from local GP practices in North Lambeth who work collectively to deliver additional healthcare for our community. These clinicians have full access to your records to enable safe and effective care. All clinicians and administrators in this role are honorary employees of the Hurley Group and follow the same strict information governance guidance they would adhere to in their own practice. The practices involved are:

  • Hurley Clinic and Riverside Practices
  • Waterloo Health Centre
  • Lambeth Walk Group Practice

If you require further information, please contact the Data Protection Officer

 

The Discovery Project

This is a new project looking to create a new data service where the local providers of your care (like your GP Surgery and hospitals) will link up their data more seamlessly in order to provide you with better quality care. Your local health and social ca re providers all have their own IT systems which hold your information in different places and this service aims to pull that data together to create a better picture of you and your care needs.

Only the Hurley Group has access to this data via strict access controls

 

Business Intelligence/AI

We use Business Intelligence tools to help us understand and develop the effectiveness of our services. This work is supported by our partner ‘Practice Unbound’, who develop the Business Intelligence systems that we use. Information is only accessible by The Hurley Group (and Practice Unbound’s nominated technical lead as part of their work for us). Information is not shared with anyone else.

The Hurley Group AI project processes copied data to understand and sort online consultations and documents related to our patients. This is done under Lawful basis under Article 6 - 6 (e) of the Data Protection Act 2018. This data is already held by us as Data Controller and is kept onsite on an isolated server. No data is transferred out of this server. Only 6 individuals have access which include our Data Processors (Deloitte) users. There are no solely automated decisions made by this AI. Data use for AI training will be removed at the completion of the project (Likely to be October 2020).

Profiling is used for online consultation assessment but does not finally determine any healthcare decision but is used to:

  • initially categorise a patient’s self-described symptoms
  • match the patient based on that categorisation to the first available clinician with health speciality knowledge relating to that categorisation
  • enhance the clinician’s care decision process

The consequence of this profiling is to assign to an GP practice employee. They can subsequently manually pass to another more appropriate user if required. No clinical decisions are made by the AI and there is no solely automated decision making, a human is always involved.

 

SmartSurvey

Our Practitioner Health Services use a survey tool called SmartSurvey to process registrations forms and user feedback. We do not store data on SmartSurvey and any personal data collected via the SmartSurvey tool is deleted once it has been added to your clinical record. We do not ask for any personal identifiable information in user surveys and these are usually anonymised returns.

 

Access to personal information

You have a right under the General Data Protection Regulations 2018 to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. In order to request this, you need to do the following:

  • Your request must be made in writing to the service - for information from the hospital you should write direct to them
  • There is no charge for this
  • We are required to respond to you within one calendar month
  • You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located
 

Objections / Complaints

Should you have any concerns about how your information is managed, please contact the service Manager or the Data Protection Officer via DPOhurleygroup@nhs.net. If you are still unhappy following a review by the service, you can then complain to the Information Commissioners Office (ICO) via their website

 

Opting out of Data Sharing

If you are happy for your data to be extracted and used for the purposes described in this fair processing notice then you do not need to do anything.

If you do not want your personal data being extracted and leaving the GP practice for any of the purposes described, you need to let us know as soon as possible.

We will then enter clinical codes into your records that will prevent data leaving the practice and / or leaving the central information system at NHS Digital.

From the 25th of May you will be able to do this online. See the NHS Digital website for more details

 

Other Useful Sources of Information

Understanding Patient Data is a highly recommended source of information for patients that helps explain how your data is used in the health service. Click here to find out more