ICO Registration No: Z6036535
Data Protection Officer:
Dr Julian Hargreaves
Senior Information Risk Owner:
We have updated this document on 17th January 2020 and made the following changes:
This page explains to you the types of personal data we hold about you and how we may use this information for the benefit of your health and wellbeing. We want to advise you on how we allow, or do not allow, your electronic health record to be made available to other organisations, across a variety of healthcare settings. Confidentiality is one of the keystones of medicine and is central to maintaining trust in the doctor-patient relationship. Information you give us is treated in the strictest confidence. This information should be carefully considered and any concerns you have about the data we hold, and how we use it, should be raised with us.
Newburn Surgery aims to ensure the highest standard of medical care for our patients. To help us to do this we keep records about you, your health and the care we have provided or plan to provide to you.
Below we outline how that information is used, with whom we may share that information, how we keep it secure (confidential) and what your rights are in relation to this.
The Health Care Professionals (HCP) who provide you with care, maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP surgery, Community clinics or staff etc). These records help to provide you with the best possible healthcare and
NHS health records may be electronic, on paper or a mixture of both and we use a combination of working practices and technology to ensure that your information is kept confidential and secure.
As your registered GP practice we hold your electronic health record. Prior to 2008 your records were on paper. We made the decision to be as paperless as possible so all paper records have been scanned and are stored electronically on our clinical system. Your medical records contain sensitive information about you, your health and your wellbeing.
The following list provides an example of the type of information (both past and present) that can be held within your record:
To ensure you receive the best possible direct care, your records are used to facilitate the care you receive. Information held about you may also be used to help protect the health of the public and to help us manage the NHS. Information may be used for clinical audit to monitor the quality of the service provided and to plan NHS services.
Some of this information will be held centrally and used for statistical purposes, such as NHS performance and activity. Where we do this, we take strict measures to ensure that individual patients cannot be identified.
Sometimes your information may be requested to be used for research purposes – the organisation will always endeavor to gain your consent before releasing the information.
It does not include access to information for purposes such as insurance, advertising or marketing.
Information may be requested for financial validation and Care Quality Commission purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. During Care Quality Commission inspections, the inspectors are required to review random patient records.
We may also process your information when investigating concerns, complaints or legal claims. It could also be used to help staff review the care they provide to make sure it is of the highest standard, and for training and educating staff.
The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS and what control patients can have over this.
The NHS Constitution establishes the principles and values of the NHS in England. It sets out rights to which patients, public and staff are entitled, and pledges which the NHS is committed to achieve, together with responsibilities which the public, patients and staff owe to one another to ensure that the NHS operates fairly and effectively.
We do use automated searches and processes that utilise the information you have shared with us for the purpose of improving your care. Examples might include producing reminders for reviews or prompting where you may benefit from additional testing. With very few exceptions (e.g. the annual flu invitation campaign), these prompts are reviewed by a member of staff to validate them.
The term "direct care" means a clinical health activity concerned with the prevention and investigation and treatment of illness. It includes supporting your ability to function and improve your participation in life and society. It also includes the assurance of safe and high quality care and treatment undertaken by one or more registered and regulated health or social professionals and their team with whom you have a legitimate relationship for your care purposes.
We are committed to protecting your privacy and will only use information that may identify you (known as personal information) in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), the Data Protection Act 2018, and other laws such as the Health and Social Care Act 2012 and Article 8 of the Human Rights Act. However, only the minimum necessary identifiers are used in processing personal information for this purpose. We also have a Common Law Duty of Confidentiality to protect your information. This means that where a legal basis for using your personal or confidential information does not exist, we will not do so.
Apart from direct health care, sensitive personal information (including special categories of data) may also be used in the following cases:
The Legal Basis for the Processing is covered under Article 6 (1)(e) of the General Data Protection Regulation where “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” and Article 9 (2)(h) where:
“processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional…”.
We are committed to protecting your privacy and will only use information collected lawfully in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679), Data Protection Act 2018 (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality and the NHS Codes of Confidentiality and Security.
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. Anyone who receives information from an NHS organisation has a legal duty to keep it confidential.
All persons in the practice sign a confidentiality agreement that explicitly makes clear their duties in relation to personal information and data concerning health, and the consequences of breaching that duty.
Please be aware that your information will be accessed by non-clinical practice staff in order to perform tasks enabling the functioning of the practice. These include, but are not limited to:
We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (e.g. life or death situations) or where the law requires information to be passed on.
The NHS Digital Code of Practice on Confidential Information applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All practice staff are expected to make sure information is kept confidential and receive annual training on how to do this. This is monitored by the practice and can be enforced through disciplinary procedures.
We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only and protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).
To protect your confidentiality, we will not normally disclose any medical information about you over the telephone, or by email, unless we are sure that we are talking to you. This means that we will not disclose information to your family, friends and colleagues about any medical matters at all, unless we know that we have your consent to do so.
We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where information that could or does identify a person is processed. We have a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing. This person is called the Caldicott Guardian. The Caldicott Guardian for the practice is Dr Julian Hargreaves, who can be contacted using the contact details at the top of this document. We also have a Senior Information Risk Owner (SIRO) who is responsible for owning the practice’s information risk. The SIRO is Julie Dixon. The Data Protection Officer for the practice is detailed at the top of this notice.
We are registered with the Information Commissioner’s Office (ICO) as a data controller which describes the purposes for which we process personal data. A copy of the registration is available from the ICO’s web site by searching on our practice name.
If you are referred to or attend another health or care organisation, we will share information with them in order that you receive the best and safest possible care. Examples of these organisations include:
We are an active partner in the Newcastle Outer West Primary Care Network. Primary Care Networks are an NHS initiative to help practices work together, by sharing resources and expertise, to improve the health and wellbeing of their patients.
As part of this initiative we have an additional data sharing agreement with the following practices:
Practices within the network will from time to time undertake work on each others' behalf, which may include seeing patients and undertaking quality improvement work. This will involve being able to view the entire medical record. The practices are bound by the same codes of conduct and strict confidentiality rules.
Patients may opt out of this data sharing by informing the practice in writing, but it will affect data sharing with community services and may affect the quality of care you receive from other organisations.
This practice operates a clinical computer system, SystmOne, on which NHS staff record information securely. SystmOne is a UK based company and all our information is stored in data centres in the UK that meet or exceed Government security requirements. Only persons on the secure, dedicated NHS network can access SystmOne.
There is a sharing agreement in place with Newcastle Community Services (which provides community services such as the district nurses) so that everyone caring for you is fully informed about your relevant medical history.
Similarly, sharing agreements are in place with Vocare who provide our GP Out of Hours service, who offer both additional in hours and urgent out of hours appointments. As they are acting as our deputies, we will share information as though you were seeing a doctor in our practice; this information being necessary to provide you with the same level of care you expect from the practice.
To provide around the clock safe care, unless you have asked us not to, we will make information available to trusted organisations who also use SystmOne Web locally. Wherever possible, staff will ask your consent before information is viewed, but by accessing the service or asking us to refer you, you are agreeing to the sharing of that information.
The practice can also access the SystmOne Shared Record to view other organisations’ details. As your GP and therefore care co-ordinator, when you joined the practice there is implied consent for us to view information relevant to provide you with direct care.
You can opt out of the SystmOne record sharing by informing the practice in writing, though this may affect the quality of care you receive if we cannot communicate effectively.
The Summary Care Record is a national scheme linked to the central NHS secure network (“spine”) to share information about the medicines you are prescribed and any allergies or other adverse reactions you have experienced. This information is uploaded to a central NHS database automatically from the GP clinical record.
The spine is also used in practice for electronic transportation of referral letters to the hospital and medication requests to your nominated pharmacy.
Health Professionals at other organisations will only be able to access this information with your permission. This might be important if you need urgent medical care when the GP practice is closed. Out of Hours medical services can look at your SCR if they need to treat you when the practice is closed. They will ask for consent before they look at your records. In an emergency and if you are unconscious, staff may look at your SCR without your agreement to let them give you the best possible care. Whenever NHS staff look at your SCR, a record will be kept so we can always check who has looked at your information. The general principle is that information is passed to these systems unless you request this does not happen, but that system users should ask for your consent before viewing your records.
You have the right to opt-out of having a summary care record by informing the practice in writing, though this can place your health at risk if that information is not available in an emergency.
This is a national scheme to share more detailed information including your current medical problems and your care wishes. Health Professionals at other organisations will only be able to access this information with your permission. This information will only be available to other agencies if you have given us your permission to share it.
This is a local initiative to share health and care information in the North East. The information shared is similar to that in the Summary Care Record with Additional Information. Unlike the Summary Care Record, no information is transferred out of the GP clinical system or stored elsewhere. In the future, the practice will also be able to view information in other health and care organisations’ systems - as your care co-ordinators it is assumed that you have given us permission to view that information for the purposes of providing you care.
Health and Care Professionals at other organisations will normally ask your permission to access the shared record; however, by accessing the service whether by self referral or by asking us to refer, it is assumed that you are agreeing to them accessing the shared record for the purposes of caring for you.
More information about the GNCR and which organisations are involved can be found at: Great North Care Record
Depending on their role, Health and Care Professionals can currently view:
They are unable to read consultation notes or any information that we have ‘locked’. You can ask for any information you consider to be sensitive to be locked.
You have the right to opt-out of allowing the GNCR to view your record summary by informing the practice in writing, though this can place your health at risk if that information is not available in an emergency. Note also that opting-out of the GNCR will also result in opting out of the SystmOne Shared Record – the two systems share the same opt out code.
The practice may conduct medicines management reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments. These reviews are carried out by pharmacists either from our Primary Care Network, from North East Commissioning Support Service or from the Newcastle Pharmacy Hub.
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations. This will be anonymised where possible:
The court can insist that we disclose medical records to them.
Solicitors also often ask for medical reports. These will always be accompanied by your signed consent for us to disclose information. We will not normally release details about other people that are contained in your records e.g. spouse, children, parent etc., unless we also have their consent.
Social Services may require medical reports on you from time to time. These will often be accompanied by your signed consent to disclose information. Failure to co-operate with these agencies can lead to loss of benefit or other support. However, if we have not received your signed consent we will not normally disclose information about you.
Other Government Departments such as the Department for Work and Pensions, or the DVLA, may ask for medical information. They will have sought consent as part of the process. The law currently requires us to provide information to them if they have assured us that they have your consent; we are not provided with a copy of that consent. We will supply only that information which is relevant and necessary.
Life assurance companies frequently ask for medical reports on prospective clients. These are always accompanied by your signed consent. We will only disclose the relevant medical information according to your consent. You have the right, should you request it, to see reports prepared for insurance companies or employers before they are sent.
We will normally ask you for your consent, but there are times when we may be required by law to share your information without your consent, for example:
The practice is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using our website, then you can be assured that it will only be used in accordance with this Fair Processing Notice.
You may choose to restrict the collection or use of your personal information in the following ways:
The GDPR and DPA 2018 allow you to find out what information about you is held on a computer and in manual records. Where information from which you can be identified is held, you have the right to ask to:
These rights apply in circumstances where relevant conditions are met.
It is important that you tell us if any of your details such as your name, address or telephone number have changed or if any of your details such as date of birth is incorrect in order for this to be amended. You have a responsibility to inform us of any changes so our records are kept accurate and up to date for you.
You have a right under the GDPR and DPA 2018 to access/view what information the practice holds about you, and to have it amended or removed should it be inaccurate. This is known as ‘the right of subject access’. If we do hold information about you, we will:
If you would like to make a ‘subject access request’, this can be accepted either verbally or, preferably for the avoidance of doubt and errors, in writing to the Practice.
You will need to give us adequate information e.g. full name, address, date of birth, NHS number etc., to enable us to identify you and provide the correct information.
You will be informed whether a charge will be made for printed copies (a charge will only be made in certain circumstances).
You will receive a response within one calendar month. Where the request is excessive you will be informed if it will take longer for us to respond to your request.
The practice has a leaflet available on making a Subject Access Request; this is available on our website, or please ask at reception if you require a copy.
All records will be retained in line with the Department of Health, The Records Management Code of Practice for Health and Social Care 2016 and will not be held for longer than necessary. This is available on the NHS Digital website at: NHS Records Management Code of Practice. Confidential information is securely destroyed in accordance with this code of practice. This complies with Article 5 of the GDPR Principle 5: kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.
If you are happy for your data to be extracted and used for the purposes described in this Fair Processing Notice, then you do not need to do anything.
If you do not want your personal data being extracted and used for the purposes described in this Fair Processing Notice, then you need to let us know as soon as possible in writing to the Practice.
Please note that withdrawing your consent from sharing data may, in some circumstances, cause a delay in your receiving care which may result in harm to your health or death if we or other organisations do not have a complete care record.
In some instances, you are allowed to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. To support this, patients are able to register objections with the GP Practice to either prevent their identifiable data being released outside of the GP Practice (known as a Type 1 objection) or to prevent their identifiable data from any health and social care setting being released by NHS Digital (known as a Type 2 objection) where in either case it is for purposes other than direct patient care. If your wishes cannot be followed, you will be told the reasons (including the legal basis) for that decision. There are certain circumstances where a person is unable to opt out, but these are only where the law permits this, such as in adult or children’s safeguarding situations.
You have a right in law to refuse or withdraw previously granted consent to the use of your personal information. There are possible consequences of not sharing such as the effect this may have on your care and treatment but these will be explained to you to help with making your decision.
If you wish to exercise your right to opt-out, or to speak to somebody to understand what impact this may have, if any, please contact the Practice using the contact details at the bottom of this document.
The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector.
What sort of information can I request?
In theory, you can request any information that the practice holds about you, that does not fall under an exemption. Your request should be in writing for clarity and can be either posted or emailed to the practice.
We will inform you in advance if any work you request will attract a fee.
If you have any concerns about how we use or share your information, or you do not wish us to share your information, then please contact the Surgery.
We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. If you have any queries or concerns about how your information is managed at the practice, please contact the Practice.
Information will be held for the purposes of the complaint with your consent and will be used in the investigation and as part of any necessary enquiries.
If you have any further queries on the uses of your information, please contact:
Data Protection Officer
If you are not content with the outcome of your confidentiality and data protection concern / complaint raised with the practice you have the right to apply directly to the Information Commissioner’s Office for a decision.
Information Commissioner’s Office (ICO)
For independent advice about data protection, privacy, data sharing issues and your rights you can contact:
Information Commissioner’s Office
Telephone: 0303 123 1113 (local rate) or 01625 545 745 or +44 1625 545 745 (outside UK)
Visit the ICO website
We keep our Fair Processing Notice under regular review. This Fair Processing Notice will be reviewed on an ongoing basis and changes will be posted on our website.
Updated Jan 2020