Berry Lane Medical Centre keeps data on you relating to who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care.
When registering for NHS care, all patients who receive NHS care are registered on a national database, the database is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS information.
GPs have always delegated tasks and responsibilities to others that work with them in their surgeries, on average an NHS GP has between1,500 to 2,500 patients for whom he or she is accountable. It is not possible for the GP to provide hands on personal care for each and every one of those patients in those circumstances, for this reason GPs share your care with others, predominantly within the surgery but occasionally with outside organisations.
If your health needs require care from others elsewhere outside this practice we will exchange with them whatever information about you that is necessary for them to provide that care. When you make contact with healthcare providers outside the practice but within the NHS it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non NHS services but this is not always the case.
Your consent to this sharing of data, within the practice and with those others outside the practice is assumed and is allowed by the Law.
People who have access to your information will only normally have access to that which they need to fulfil their roles, for instance admin staff will normally only see your name, address, contact details, appointment history and registration details in order to book appointments, the practice nurses will normally have access to your immunisation, treatment, significant active and important past histories, your allergies and relevant recent contacts whilst the GP you see or speak to will normally have access to everything in your record.
You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests.
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following subsections.
|Data Who we are?||Berry Lane Medical Centre, Berry Lane, Longridge, Preston, PR3 3JJ.|
Telephone Number – 01772 214880
Our practice is registered with the Information Commissioner’s Office (ICO) to process personal and social categories of
Information under the Data Protection Act 2018 (subject to parliamentary approval) and our registration number is
Data Protection Officer
Dr Steve Griffin - Senior Partner
Helen Stammers -Practice Manager
Telephone Number – 01772 214880
|Purpose of processing||Direct Care is care delivered to the individual alone, most of which is provided in the surgery. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.|
|Lawful basis for processing|
The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*
|What personal information do we need to collect about you and how do we obtain it?|
Personal information about you is collected in a number of ways. This can be from referral details from our staff, other 3rd parties or hospitals, directly from you or your authorised representatives.
We will likely hold the following basic personal information about you: your name, address (including correspondence), telephone numbers, date of birth, next of kin contacts etc. We might also hold your email address, marital status, occupation, and overseas status, place of birth and preferred name or maiden name.
In addition to the above, we may hold sensitive personal information about you which could include:
Notes and reports about your health, treatment and care, including:
- your medical conditions
- results of investigations, such as x-rays and laboratory tests
- future care you may need
- personal information from people who care for and know you, such as relatives and health or social care professionals.
- Other personal information such as smoking status and any learning disabilities
Your religion and ethnic origin
Whether or not you are subject to any protection orders regarding your health, wellbeing and human rights
It is important for us to have a complete picture of you as this will assist staff to deliver appropriate treatment and care plans in accordance with your needs.
|What do we do with your personal information?||Your records are used to directly, manage and deliver healthcare to you to ensure that:|
• The staff involved in your care have accurate and up to date information to assess and advise on the most appropriate care for you.
• Staff have the information they need to be able to assess and improve the quality and type of care you receive.
• Appropriate information is available if you see another healthcare professional, or are referred to a specialist or another part of the NHS, social care or health provider.
|What may we do with your personal information|
The personal information we collect about you may also be used to:
• Remind you about your appointments and send you relevant correspondence
• Review the care we provide to ensure it is of the highest standard and quality, e.g. through audit or service improvement:
• Support the funding of your care e.g. with commissioning organisations;
• Prepare statistics on NHS performance to meet the needs of the population or for the Department of Health and other regulatory bodies;
• Help to train and educate healthcare professionals;
• Report and investigate complaints, claims and untoward incidents;
• Report events to the appropriate authorities when we are required to do so by law;
• Review your suitability for research study or clinical trial
• Contact you with regards to patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients
Where possible, we will always look to anonymise/pseudonymise your personal information so as to protect patient confidentiality, unless there is a legal basis that permits us to use it and we will only use/share the minimum information necessary.
|Who do we share your information with and why?|
We may need to share relevant personal information with other NHS organisations. For example, we may share your information for healthcare purposes with health authorities such as Public Health England, NHS Trusts, other general practitioners (GPs), ambulance services, primary care agencies etc. We will also share information with other parts of the NHS and those contracted to provide services to the NHS in order to support your healthcare needs.
We may need to share information from your health records with other non-NHS organisations from which you are also receiving care, such as Social Services or private care homes. However, we will not disclose any health information to third parties without your explicit consent unless there are circumstances, such as when the health of safety of others is at risk of where current legislation permits or requires it.
There are occasions where the Practice is required by law to share information provided to us with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.
There may also be situations where we are under a duty to share your information, due to a legal requirement. This includes, but is not limited to, disclosure under a court order, sharing with the Care Quality Commission for inspection purposes, the police for the prevention or detection of crime or where there is an overriding public interest to prevent abuse or serious harm to others and other public bodies (e.g. HMRC for the misuse of public funds in order to prevent and detect fraud).
For any request to transfer your date internationally outside the UK/EU, we will make sure that an adequate level of protection is satisfied before the transfer.
The Practice is required to protect your personal information, inform you of how your personal information will be used, and allow you to decide if and how your personal information can be shared. Personal information you provide to the Practice in confidence will only be used for the purposes explained to you and to which you have consented. Unless, there are exceptional circumstances, such as when the health or safety of others is at risk, where the law requires it or there is an overriding public interest to do so. Where there is cause to do this, the Practice will always do its best to notify you of this sharing.
|How we maintain your records?|
Your personal information is held in both paper and electronic forms for specified periods of time as set out in the NHS Records Management Code of Practice for Health and Social Care and National Archieves Requirements.
We hold and process your information in accordance with the Data Protection Act 2018 (subject to Parliamentary approval) as amended by the GDPR 2016, as explained above. In addition, everyone working for the NHS must comply with the Common Law Duty of Confidentiality and various national and professional standards and requirements.
We have a duty to:
• maintain full and accurate records of the care we provide to you;
• keep records about you confidential and secure;
• provide information in a format that is accessible to you.
Use of Email – Some services in the Practice provide the option to communicate with patients via email. Please be aware that the Practice cannot guarantee the security of this information whilst in transit, and by requesting this service you are accepting the risk.
|What are your rights?||If we need to use your personal information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent. The Data Protection Act 2018 (subject to parliamentary approval) gives you certain rights, including the right to:|
• Request access to the personal data we hold about you, e.g. in health records. The way in which you can access your own health records is further explained in our “patient access to medical records policy” . Please ask reception for further information.
• Request the correction of inadequate or incomplete information recorded in our health records, subject to certain safeguards. There is no right to have accurate medical records deleted except when ordered by a court of Law.
• Refuse/withdraw consent to the sharing of your health records: Under the Data Protection Act 2018 (subject to parliamentary approval), we are authorised to process, i.e. share, your health records ‘for the management of healthcare systems and services’. Your consent will only be required if we intend to share your health records beyond these purposes, as explained above (e.g. research). Any consent form you will be asked to sign will give you the option to ‘refuse’ consent and will explain how you can ‘withdraw’ any given consent to a later time. The consent form will also warn you about the possible consequences of such refusal/withdrawal.
• Request your personal information to be transferred to other providers on certain occasions.
• Object to the use of your personal information. In certain circumstances you may also have the right to ‘object’ to the processing (i.e. sharing) of your information where the sharing would be for a purpose beyond your care and treatment (e.g. as part of a local/regional data sharing initiative). This so called “Data Opt-out’ initiative, dev eloped by Dame Caldicott, is set to commence in March 2018 and conclude in March 2020. Further information can be found on the following website: https://digital.nhs.uk/national-data-opt-out
• We will always try to keep your information confidential and only share information when absolutely necessary.
If you wish to raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer who will investigate the matter.
The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016 or speak to the practice.
Right to Complain.
The Information Commissioner’s Office (ICO) is the body that regulates the Practice under Data Protection and Freedom of Information legislation, you can use this link https://ico.org.uk/global/contact-us/ If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the ICO at:
Information Commissioner’s Office
or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
Fax: 01625 524 510
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website)
* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as 'judge-made' or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider's consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.
Download our Full GDPR Privacy Statement