GDPR Policy

Kirby Road Surgery conforms with the legal obligations set out in the Data Protection Act (2018) and the EU General Data Protection Regulation (GDPR). The Practice collects and utilises data about workers, employees, and consultants, both to manage our relationships with these individuals and in the course of conducting our business. Following the United Kingdom (UK) leaving the EU, during the transition period the GDPR will still apply to the UK. After the transition period, the GDPR will be implemented officially into British Law and referred to as the “UK GDPR”.

How we use your information and the law.

Kirby Road Surgery will be what’s known as the “Controller” of the personal data that you provide to us.

We collect personal data about you, which does not include any special types of information or location-based information. This does include name, address and contact details (such as email and mobile number/ house number etc).

We also collect sensitive confidential data known as “special category personal data”, in the form of health information, religious belief, ethnicity, and sex during the services we provide to you and or linked to your healthcare through other health providers or third party organisations.

Why does the practice need this information?

The surgery maintains records about your health and any treatment or care you have received previously (at an NHS Trust, other GP Surgery, Walk-in clinic, etc.) as these records help to provide you with the best healthcare possible.

NHS health records can come in a variety of forms, including:

  • Electronic
  • On paper
  • A mixture of both

The surgery utilises a combination of working practices and technology to ensure that your information is kept confidential and secure at all times.

Detailed records which the Practice hold about you may include the following information:

  • Details about you, such as your address, carer, legal representative, emergency contact details
  • Any contact the practice has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes and reports about your health
  • Details about your treatment and care, both past and pending
  • Results of past investigations such as laboratory tests, x-rays etc
  • Relevant information from other health professionals, relatives, or those who care for you
  • Contact details (including email address, mobile telephone number and home telephone number)

To ensure you receive only the best healthcare, your records are used to facilitate the care you receive, including contacting you. Information held about you may also be used to help protect the health of the public and to help us contribute towards managing the NHS. Information may be used within the surgery for clinical audit to monitor the quality of the service provided.

How does the practice lawfully use your data?

The practice needs to know your personal, sensitive and confidential data in order to provide you with Healthcare services as a General Practice (GP). Under the General Data Protection Regulation, we will be lawfully using your information in accordance with: –

Article 6, e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;”

Article 9, (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

This document applies to the personal data of our patients and the data you have given us about your carers/family members.

Risk Stratification

Risk stratification data tools are being used in the NHS more than ever to help determine a person’s risk of suffering from a certain condition, preventing an unplanned or (re)admission to hospital, and identifying a need for preventive intervention.

Information about you is collected from a variety of sources, including NHS Trusts and from Kirby Road Surgery. A risk score is then determined from an analysis of your de-identified information and is only provided back to your GP as data controller in an identifiable form. Risk stratification helps your GP to focus on preventing ill health, not just the treatment of sickness. If necessary, your GP may be able to offer you additional services.

You have the right to opt out of your data being used in this way.

Patient Communication

Kirby Road Surgery will use your name and contact details to inform you of NHS services, provide information about your health, or information about the management of the NHS service.

There may be occasions where authorised research facilities would like you to partake in research (should you have a specific condition) in order to try improve health outcomes. Contact details may be utilised by the practice to ensure you receive further information about such research opportunities.

Safeguarding

Kirby Road Surgery is dedicated to ensuring that the principles and duties of safeguarding adults and children are holistically, consistently and conscientiously applied, as patient welfare is at the centre of what we do.

Our legal basis for processing for the General Data Protection Regulation (GDPR) purposes is:  

Article 6(1)(e) ‘…exercise of official authority…’.

For the processing of special categories data, the basis is:

Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’

Categories of personal data

The data collected by Practice staff in the event of a safeguarding situation will be as much personal information as is necessary or possible to obtain in order to handle the situation. In addition to some basic demographic and contact details, we will also process details of what the safeguarding concern is. This is likely to be special category information (such as health information).

Sources of the data

Kirby Road Surgery will either receive or collect information when someone contacts the organisation with safeguarding concerns, or we believe there may be safeguarding concerns, and make enquiries to relevant providers.

Recipients of personal data

The information is used by Kirby Road Surgery when handling a safeguarding incident or concern. We may share information accordingly to ensure duty of care and investigation as required with other partners, such as local authorities, the police or healthcare professionals (i.e. GP or mental health team).

How do we uphold the confidentiality of your records?

Kirby Road Surgery are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 2018
  • The General Data Protection Regulations 2016
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality, Information Security and Records Management
  • Information: To Share or Not to Share Review

All members of staff who work for an NHS organisation, including those at the practice, has a legal obligation to keep information about a patient confidential.

Kirby Road Surgery will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and/ or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where:

“The duty to share information can be as important as the duty to protect patient confidentiality.”

This statement means that health professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.

Our practice policy is to respect the privacy of our patients, their families, our staff and to maintain compliance with the General Data Protection Regulations (GDPR) and all UK specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be securely protected.

All employees and sub-contractors engaged by Kirby Road Surgery are asked to sign a confidentiality agreement. The surgery will, if required, sign a separate confidentiality agreement if the client deems it necessary. If a sub-contractor acts as a data processor for Kirby Road Surgery, an appropriate contract (art 24-28) will be established for the processing of your information.

In specific circumstances, you may have the right to withdraw your consent to the processing of data.

Please contact the Managing Partner in writing if you wish to withdraw your consent. In some circumstances, we may need to store your data after your consent has been withdrawn in order to comply with legislation.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.

Sometimes your information may be requested to be used for research purposes – the surgery will gain your consent before releasing the information for this purpose in an identifiable format. In some circumstances, you can Opt-out of the surgery sharing any of your information for research purposes.

With consent, we would also like to utilise your information to…

Kirby Road Surgery would like to use your name and contact details to inform you of other services that may benefit you, with your consent only.

There may be occasions where authorised research facilities would like you to take part in innovations, research, improving services or identifying trends.

At any stage where we would like to utilise your data for anything other than the specified purposes, and where there is no lawful requirement for us to share/ process your personal data, we will ensure that you have the opportunity to consent and opt out prior to any data processing taking place.

This information is not shared with third parties or used for any marketing purposes, and you can unsubscribe at any time via phone, email or by informing the practice DPO as below

National Opt-Out Facility

You can choose whether your confidential patient information is used for research and planning.

Who can use your confidential patient information for research and planning?

It is used by the NHS, local authorities, university and hospital researchers, medical colleges and pharmaceutical companies researching new treatments.

Making your data opt-out choice

At any time, you can decide to opt out of sharing your confidential information for research and planning.

There may still be times when your information is used: for example, during an epidemic where there might be a risk to you or to other individuals’ health.

You can also still provide consent to partake in a specific research project.

Will opting-out affect your care and treatment?

No, your confidential information will still be used for your individual care. Choosing to opt out will in no way affect your care and treatment. You will still be invited for all screening services applicable to you.

What should you do next?

You do not need to do anything if you are happy about how your information is used.

If you do not want your information to be used for research and planning, you can choose to opt out securely online or through a telephone service.

You can change your decision at any time. To find out more, or to make your choice visit NHS: Your Data Matters or call 0300 303 5678

Where do we store your information electronically?

All the personal data we process is processed by staff in the UK, however for the purposes of IT hosting and maintenance, this information may be located on servers within the European Union.

No 3rd parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place. We have a Data Protection regime in place to oversee the effective and secure processing of your personal and or special category (sensitive, confidential) data.

Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations;

  • NHS Trusts / Foundation Trusts
  • GP’s
  • NHS Commissioning Support Units
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • NHS England (NHSE) and NHS Digital (NHSD)
  • Multi Agency Safeguarding Hub (MASH)
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • Voluntary Sector Providers
  • Private Sector Providers
  • Other ‘data processors’ which you will be informed of

You will be notified who your data will be shared with.

This practice operates a Clinical Computer System on which NHS Staff record information securely. This information can then be securely shared with other clinicians, so that all clinicians involved in your care are fully informed about your medical history, this includes details about any allergies you have.

To provide high quality continuous care, unless you have asked us not to, we will make your information available to trusted organisations. Such organisations will ask your consent before your information is viewed.

Shared Care Records

To further support your care and improve the sharing of relevant information to our partner organisations, we will share information to other systems. The general principle is that information is passed to these systems unless you request this does not happen, but that system users should ask for your consent before viewing your record.

Kirby Road Surgery may also use external companies to process information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure at all times. We request that all employees and sub-contractors employed by our surgery sign a confidentiality agreement. If a sub-contractor acts as a data processor for Kirby Road Surgery, an appropriate contract (art 24-28) will be established for the processing of information.

Sharing your information without consent

In normal circumstances, we will seek your consent, but there are times when we may be required in order to comply with the law to share your information without your consent, for example:

  • Where there is a serious risk of harm or abuse to you or another individual
  • Where a serious crime, such as assault, is being investigated or where it could be prevented
  • Notification of new births
  • Where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS)
  • Where a formal court order has been issued to the practice
  • Where there is a legal requirement, such as being involved in a Road Traffic Offence.

How long will Kirby Road Surgery store your information?

The practice is required under UK law to keep your information and data for the full retention periods as specified by the NHS Records management code of practice for health and social care and national archives requirements.

More information on records retention can be found online via the NHS Digital Website

How can you access, amend or move the confidential data that you have provided to the surgery?

Even if the organisation already holds your personal data, you still have rights in relation to it. To get in touch about these, please contact us via email. The administration staff will seek to deal with your request without delay, and in any event in accordance with the requirements of any applicable laws. The surgery will keep a record of your communications to help us resolve any issues which you may raise.

Right to object: If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. The practice will respond to your request within 30 days (although we may be permitted to extend this period, in which case you will be notified).

Generally, we will only disagree with you if certain limited conditions apply.

Right to withdraw consent: where we have obtained your full consent to process your data for certain activities (for example for a research project), or consent to market to you, you may withdraw your consent at any time.

Right to erasure: in certain situations (for example, if we have processed your data unlawfully), you have the right to request us to “erase” your data. The surgery will respond to your request within 30 days (although we may be permitted to extend this period) and will only disagree with you if certain limited conditions apply.

If we do agree to your request, we will remove your data but will assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data is collected in unconnected circumstances. If you would prefer us not to do this, you are within your right to inform us of this.

Right of data portability: you have the right to transfer your data from us to another data controller. We will help with this via a GP to GP data transfer as well as a transfer of your hard copy notes.

Access to your personal information

Data Subject Access Requests (DSAR): you have a right under the Data Protection legislation to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it prove to be inaccurate. To request this, you need to do the following:

  • Your request should be made to Kirby Road Surgery– for information from the hospital you should write direct to them
  • There is no monetary charge to have a copy of the information held about you
  • We are required to respond to you within one month
  • You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified, and your records located

What should you do if your personal information changes?

You should tell us at the next available opportunity so that we can update our records to reflect this. You can do this by contacting the Surgery or from filling out our online form.

Kirby Road Surgery will occasionally ask you to confirm that the information we currently hold is accurate.

Objections / Complaints

Should you have any concerns about how your information is managed at the GP, please contact the GP Practice Manager or the Data Protection Officer as above. If you are still unhappy following a review by the GP practice, you have a right to lodge a complaint with a supervisory authority:

Information Commissioner:
Wycliffe house
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 01625 545745
Visit the website

If you are happy for your data to be extracted and used for the purposes described in this policy, then you do not need to do anything. If you have any concerns about how your data is shared, then please contact the Practice Data Protection Officer.

If you would like to know more about your rights in respect of the personal data we hold about you, please contact the Data Protection Officer as below.

Data Protection Officer:

The Practice Data Protection Officer is Paul Couldrey of PCIG Consulting Limited. Any queries regarding Data Protection issues should be addressed to him at:

Email: [email protected]
Postal: PCIG Consulting Limited
7 Westacre Drive
Quarry Bank
Dudley
West Midlands
DY5 2EE

Changes:

It is important to point out that we may amend this document from time to time. If you are dissatisfied with any aspect of our Privacy Notice, please contact the Practice Data Protection Officer.