Privacy Notices

General Privacy Notice

Who we are, what we do

AT Medics is the multi-award-winning, largest provider of Primary Care services to the NHS in England. We focus on delivering world-class primary care, supported by prodigious education and innovative technology, made bespoke for primary care. We are a GP-led organisation, with quality improvement, multi-professional working and innovation at the heart of what we do.

Our proven track record in clinical turnaround, stabilisation and sustained general management of General Practice has enabled us to continue to grow our footprint as a trusted NHS provider across London. Since 2004, we have maintained a reputation for clinical quality improvement, operational and digital innovation, and high-quality medical education.

Introduction

This privacy notice lets you know what happens to any personal data that you give to us, or any information that we may collect from you or about you from other organisations. As an organisation, we are committed to being transparent about how we use your data and keep it safe, and will continue to provide accessible information to individuals in line with the UK Data Protection Regulations outlined in the General Data Protection Regulation ‘GDPR’ (EU) 2016/679.

Our Privacy Notice explains:

  • Who we are and how we use your information
  • Information about Data Controller and our Data Protection Officer
  • What kinds of personal information about you we hold and use (process)
  • The legal grounds for our processing of your personal information (including when we share it with others)
  • What should you do if your personal information changes?
  • For how long your personal information is retained / stored by us?
  • What are your rights under Data Protection laws

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) became law on 25th May 2018. The GDPR is a single EU-wide regulation on the protection of confidential and sensitive (special) information; the DPA 2018 deals with elements of UK law that differ from the European Regulation. Both came into force in the UK on 25th May 2018, repealing the previous Data Protection Act (1998).

This Notice describes how we collect, use and process your personal data, and how in doing so, we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.

Data Protection Regulation & Data Controller

The General Data Protection Regulation requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information. Our registration can be viewed online in the public register at: http://ico.org.uk/what_we_cover/register_of_data_controllers.

Any changes to this notice will be published on our website and in a prominent area at the Practice/GP Hub. Our ICO registration number is Z9497012.

For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”), and the Data Protection Act 2018), the organisation responsible for your personal data is AT Medics Limited.

AT Medics Limited (Head Office, 26-28 Streatham Place, London, SW2 4QY) is the data controller for any personal data that we hold about you.

How we use your information
We primarily use information to enable our clinicians to better treat you and provide your healthcare. However, we also use your information to improve our services by:

  • Reviewing the care we provide through clinical audit
  • Investigating patient queries, complaints and legal claims
  • Ensuring we receive payment for the care you receive
  • Preparing statistics on NHS performance
  • Auditing NHS accounts and services
  • Undertaking health research and development (with your consent – you may choose whether or not to be involved)
  • Training and educating healthcare professionals.

Why do we need your information?

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously. These records help to provide you with the best possible healthcare and treatment.

NHS health records may be electronic, paper-based or a mixture of both. We use a combination of working practices and technology to ensure that your information is kept confidential and secure.

Records about you may include the following information:

  • Details about you, such as your address, your Carer or legal representative and emergency contact details.
  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments.
  • Notes and reports about your health.
  • Details about your treatment and care.
  • Results of investigations such as laboratory tests, x-rays etc.
  • Relevant information from other health professionals, relatives or those who care for you.
  • Contact details (including email address, mobile telephone number and home telephone number)

To ensure you receive the best possible care, your records are used to facilitate the care you receive, including contacting you. Information held about you may be used to help protect the health of the public and to help us manage the NHS and the services we provide. Limited information may be used for clinical audit to monitor the quality of the service we provide.

Sharing your information

We share your personal information with other NHS organisations. For example, we may share your information for healthcare purposes with NHS trusts, General Practitioners and Ambulance Services where they are directly involved in your care. We may need to share information from your health records with other non-NHS organisations, including Social Services. However, we will not disclose any health information to third parties without your explicit consent to do so, unless there are exceptional circumstances, such as when the health and safety of others is at risk or where the law requires it.

We may also be asked by other statutory bodies to share basic information about you, such as your name and address, but not sensitive information from your health records. This would normally be to assist them to carry out their statutory duties. In these circumstances, where it is not practical to obtain your explicit consent, we are informing you through this notice, which is referred to as a Fair Processing Notice, under the Data Protection Act that we may share that data.

These non-NHS organisations may include, but are not restricted to:

  • Social Services
  • Education services
  • Local authorities
  • Police
  • Voluntary sector providers
  • Private sector providers

Other Data Sharing / Access Projects and special cases

Direct Patient Care – Often we have to share information for your medical care, such as with a hospital when we refer you or if you attended an urgent care centre. Many of our services also have electronic links with another GP service, hospital, out of hours or community service so they can see your record that we hold and vice versa when they are dealing with your medical care directly. Please contact the service if you would like more detail.

Special cases and the Law – The law requires us to share information from your medical records in certain circumstances. Information is shared so that the NHS or Public Health England can, for example:

  • plan and manage services;
  • check that the care being provided is safe;
  • prevent infectious diseases from spreading.

We will share information with NHS Digital, the Care Quality Commission and local health protection team (or Public Health England) when the law requires us to do so.

NHS Digital

  • NHS Digital is a national body which has legal responsibilities to collect information about health and social care services.
  • It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients.
  • This service must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012.
  • More information about NHS Digital and how it uses information can be found at: https://digital.nhs.uk/home
  • NHS Digital sometimes shares names and addresses of patients suspected of committing immigration offences with the Home Office. More information on this can be found here: https://www.gov.uk/government/publications/information-requests-from-the-home-office-to-nhs-digital

Care Quality Commission (CQC)

  • The CQC regulates health and social care services to ensure that safe care is provided.
  • The law says that we must report certain serious events to the CQC, for example, when patient safety has been put at risk.
  • For more information about the CQC see: http://www.cqc.org.uk/

Public Health

  • The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population.
  • We will report the relevant information to the local health protection team or Public Health England. For more information about Public Health England and disease reporting see: https://www.gov.uk/guidance/notifiable-diseases-and-causative-organisms-how-to-report

National Screening Programmes

  • The NHS provides national screening programmes so that certain diseases can be detected at an early stage.
  • These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service.
  • The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.

More information can be found at: https://www.gov.uk/topic/population-screening-programmes

The Health Service Ombudsman (HSO) – HSO was set up by Parliament to provide an independent complaint handling service for complaints that have not been resolved by the NHS in England and UK government departments. The HSO has the power to request access to a patient’s medical records for the purpose of an investigation.

Medical Research – We share information from medical records:

  • to support medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best;
  • we will also use your medical records to carry out research within the practice/GP Hub.

This is important because:

  • the use of information from GP medical records is very useful in developing new treatments and medicines;
  • medical researchers use information from medical records to help answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive.

We share information with medical research organisations with your explicit consent or when the law allows. You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the practice/GP Hub if you wish to object.

CCTV – Some of our practices/GP Hubs have CCTV in place for security reasons. These records are kept secure in a similar manner to patient records and follow the ICO code of practice. Information is only shared in the exceptional circumstances set out above.

Risk Stratification – Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention.

Information about you is collected from a number of sources including NHS Trusts and from this GP Practice/GP Hub. A risk score is then arrived at through an analysis of your de-identified information and is only provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services. Please note that you have the right to opt out.

Safeguarding – The service is dedicated to ensuring that the principles and duties of safeguarding adults and children are holistically, consistently and conscientiously applied with the wellbeing of all, at the heart of what we do.

Our legal basis for processing for General Data Protection Regulation (GDPR) purposes is:
Article 6(1)(e) ‘…exercise of official authority…’.

For the processing of special categories data, the basis is:
Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’

Medicines Management – The service may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments. The reviews are carried out by the CCG’s Medicines Management Team under a Data Processing contract with the Practice/GP Hub.

Invoice Validation – Invoice validation is an important process. It involves using your NHS number to check that the CCG is responsible for paying for your treatment. We can also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for. The process makes sure that the organisations providing your care are paid correctly. The legal basis to use information for invoice validation is provided under Regulations made under section 251 of the NHS Act 2006 and is based on the advice of the Health Research Authority’s Confidentiality and Advisory Group (reference CAG 7-07(a) and (b)/2013).

Mobile telephone number and email address – If you provide us with your mobile phone number and email address, we may use this to send you reminders about your appointments or other health screening information. Please let us know if you do not wish to receive reminders/information on your mobile or email. We are obliged to protect any confidential information we hold about you and we take this very seriously; it is imperative that you let us know immediately if you change any of your contact details. This is to ensure we are actually contacting you and not another person.

Summary Care Record (SCR) – The NHS in England uses a national electronic record called the Summary Care Record (SCR) to support patient care. It contains key information from your GP record. Your SCR provides authorised healthcare staff with faster, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable.

Summary Care Records are there to improve the safety and quality of your care. SCR core information comprises your allergies, adverse reactions and medications. An SCR with additional information can also include reason for medication, vaccinations, significant diagnoses / problems, significant procedures, anticipatory care information and end of life care information. Additional information can only be added to your SCR with your agreement.

Please be aware that if you choose to opt-out of SCR, NHS healthcare staff caring for you outside of this surgery may not be aware of your current medications, allergies you suffer from and any bad reactions to medicines you have had, in order to treat you safely in an emergency. Your records will stay as they are now with information being shared by letter, email, fax or phone. If you wish to opt-out of having an SCR please let us know at your registered practice/GP Hub.

Seen in GP Hubs – Unless you decline consent, we will share information from any consultations in our GP Hubs with your registered GP practice as a discharge summary to your registered GP. With your consent, we will pass information on to Secondary Care where we deem it appropriate to refer you for further investigation. Whilst we will not make routine referrals, with your consent, we will make urgent Two Week Wait referrals during consultation if deemed appropriate. We will share the information from any consultations in our GP Hubs with your registered GP practice. Comprehensive Data Sharing Agreements are in place to have access to care records.

Fraud Prevention – We are required by law to protect the public funds we administer. Primary Care Sheffield may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

Clinical Audit – Information may be used for clinical audit to monitor the quality of the service provided. Some of this information may be held centrally and used for statistical purposes e.g. the National Diabetes Audit. Where we do this, we take strict measures to ensure that individual patients cannot be identified.

Cabinet Office – The use of data by the Cabinet Office for data matching is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 1998. Data matching by the Cabinet Office is subject to a Code of Practice. You can view further information on the Cabinet Office’s legal powers and the reasons why it matches particular information at: https://www.gov.uk/government/publications/code-of-data-matching-practice-for-nationalfraud-initiative

Data linkage with other datasets – Data may be de-identified and linked so that it can be used to improve health care and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (inpatient, outpatient and A&E).

In some cases, there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc, as well as mental health and community-based services such as Improving Access to Psychological Therapies (IAPT), community nursing, podiatry etc. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity.

The organisation responsible for processing de-identified and linked data under this category, on behalf of the Practice/GP Hub at the local clinical commissioning group. We ensure that the data processor is legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

Online/Video Consultations – Dr. iQ is an online and video consultation platform for NHS patients, providing fast, safe and effective online consultations with your GP and other clinicians, reducing the need to book and wait for a face-to-face GP appointment. Dr. iQ complies with NHS compliance and security standards.

accuRx is used for online and video consultations. It is used to send advice, notify a patient of normal results and remind them to book appointments.

Electronic Prescription Service (EPS) – Electronic Prescription Service (EPS) is an NHS service that gives you the chance to change how we send your prescription to the place you nominate to get your medicines or appliances from. The purpose of the processing of your personal health data is to enable the electronic transmission of prescriptions to community pharmacies or a dispensing appliance contractor, depending on who you have nominated. This means that we actively seek and record your agreement to the use or disclosure of your information, before any such processing takes place.

Open Exeter – Open Exeter is a web-enabled viewer which provides the facility for healthcare professionals to share/access patient data held on the National Health Application and Infrastructure Services (NHAIS) systems, including cervical screening, breast screening, organ donor, blood donor and home oxygen. Access to Open Exeter is only possible on the N3 network, and via authorised logons/passwords provided by NHS Digital.

Computer System – This service operates a Clinical Computer System on which NHS Staff record information securely. This information can then be shared with other clinicians so that everyone caring for you is fully informed about your medical history, including allergies and medication.

Shared Care Records – To support your care and improve the sharing of relevant information to our partner organisations (as above) when they are involved in looking after you, we will share information to other systems. You can opt out of this sharing of your records with our partners at any time if this sharing is based on your consent.

Websites – Our websites allow our patients to have access to practice-related information as well as provide an interactive platform to communicate with the practice via E-Consultations in a safe, secure and effective manner. Our website also allows new patients to register online. All patient data provided via our websites complies with NHS compliance and security standards.

Third party data processors

In order to deliver the best possible service, the service will share data (where required) with other NHS bodies such as other GP practices and hospitals. In addition, the service will use carefully selected third party service providers. When we use a third party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately.

Examples of functions that may be carried out by third parties include:

  • Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc.
  • Delivery services (for example if we were to arrange for delivery of any medicines to you).
  • Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).
  • Human Resource and Finance functions
  • Other service providers for the delivery of clinical care
  • Mailing services – enables primary health care organisations to send letters, invoices and documents directly from computers and other portable devices.
  • Document management – provides cloud-based storage software for electronic patient documents. This includes letters that we receive, scan and upload to the patient record, as well as letters that we receive in an electronic format. Generally, this software enables primary health care organisations to capture, file, workflow, view and manage primary care documents efficiently and electronically.
  • Text messaging service providers – cloud-based text messaging services used by GPs to communicate with their patients. The source of the information shared in this way is your electronic GP record for the purposes of direct administrative patient care.

This is not an exhaustive list but it shows some examples of third party providers.

Further details regarding specific third-party processors can be supplied on request to the Data Protection Officer as below.

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 2018
  • The General Data Protection Regulations 2016
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality, Information Security and Records Management
  • Information: To Share or Not to Share Review

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.

Our policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the General Data Protection Regulation (GDPR) and all UK specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be protected.

All employees and sub-contractors engaged by our service are asked to sign a confidentiality agreement. The service will, if required, sign a separate confidentiality agreement if the client deems it necessary. If a sub-contractor acts as a data processor for AT Medics, an appropriate contract (art 24-28) will be established for the processing of your information.

In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact the Data Protection Officer in writing if you wish to withdraw your consent. In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose in an identifiable format. In some circumstances you can Opt-out of the surgery sharing any of your information for research purposes.

Where do we store your information electronically?

All the personal data we process is processed by our staff in the UK; however, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

No 3rd parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place (such as a Data Processor as above). We have a Data Protection regime in place to oversee the effective and secure processing of your personal and/or special category (sensitive, confidential) data.

Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:

  • NHS Trusts / Foundation Trusts
  • GPs / GP Practices
  • Primary Care Networks
  • NHS Commissioning Support Units
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • NHS England (NHSE) and NHS Digital (NHSD)
  • Multi Agency Safeguarding Hub (MASH)
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • Other ‘data processors’ which you will be informed of

You will be informed who your data will be shared with and in some cases asked for consent for this to happen when this is required.

Sharing your information without consent

We will normally ask you for your consent, but there are times when we may be required by law to share your information without your consent, for example:

  • where there is a serious risk of harm or abuse to you or other people;
  • Safeguarding matters and investigations
  • where a serious crime, such as assault, is being investigated or where it could be prevented;
  • notification of new births;
  • where we encounter infectious diseases that may endanger the safety of others, such as Meningitis or measles (but not HIV/AIDS);
  • where a formal court order has been issued;
  • where there is a legal requirement, for example if you had committed a Road Traffic Offence.

With your consent we would also like to use your information

There are times that we may want to use your information to contact you or offer you services not directly about your healthcare; in these instances we will always gain your consent to contact you. We would however like to use your name, contact details and email address to inform you of other services that may benefit you. We will only do this with your consent. There may be occasions where authorised research facilities would like you to take part in innovations, research, improving services or identifying trends; you will be asked to opt into such programmes if you are happy to do so.

At any stage where we would like to use your data for anything other than the specified purposes and where there is no lawful requirement for us to share or process your data, we will ensure that you have the ability to consent and opt out prior to any data processing taking place.

This information is not shared with third parties or used for any marketing and you can unsubscribe at any time via phone, email or by informing the service DPO as below.

We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure. All employees and sub-contractors engaged by our service are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor for AT Medics, an appropriate contract (art 24-28) will be established for the processing of your information.

How long will we store your information?

We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records management code of practice for health and social care and national archives requirements. More information on records retention can be found online at (https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016).

Your rights – How can you access, amend or move the personal data that you have given to us?

Even if we already hold your personal data, you still have various rights in relation to it. To get in touch about these, please contact us. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise.

The right to be informed via Privacy notices such as this one.

The right to free access to any personal information we hold about you. You are entitled to receive a copy of your personal data – free of charge – and within 30 calendar days of our receipt of your subject access request, provided you have submitted the correct proof of identity details.

The right of rectification. If you believe your details are incorrect, we are required to correct inaccurate or incomplete data within one month.

The right to erasure. Ordinarily under GDPR you have the right to have your personal data erased and to prevent processing, however, this right does not apply to GDPR Art 9 – special category data. The processing we conduct is necessary for the purposes of preventative or occupational medicine for medical diagnosis; and for the provision of health and social care systems. Your data is processed by and under the responsibility of healthcare professionals who are subject to a legal obligation of professional secrecy.

The right to restrict processing. You have the right to suppress processing. We can retain just enough information about you to ensure that the restriction is respected in future.

The right to data portability. We can provide you with your personal data in a structured, commonly used, machine readable form when you request your data.

The right to object. You can object to your personal data being used for profiling, direct marketing or research purposes.

You have rights in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.

Access to your personal information

You have a right under the Data Protection legislation to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate.

To request this, you need to do the following:

  • Your request should be made to the Practice/GP Hub. (For information from a hospital or other Trust/NHS organisation you should write direct to them.)
  • There is no charge to have a copy of the information held about you
  • We are required to provide you with information within one month
  • You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located.

If you wish to have a copy of the information we hold about you, please contact your registered GP Practice or the relevant GP Hub.

Your right to withdraw consent for us to share your personal information

At any time, you have the right to refuse/withdraw consent to information sharing. The possible consequences will be fully explained to you and could include delays in receiving care. If you wish to discuss this, please contact either the reception at the service you are accessing or by writing to the Practice/GP Hub Manager detailing which services you currently access and the best way for us to contact you to discuss the consent withdrawal.

What should you do if your personal information changes?

You should tell us so that we can update our records. Please contact the Practice/GP Hub Manager as soon as any of your details change. This is especially important for changes of address or contact details (such as your mobile phone number). The practice will from time to time ask you to confirm that the information we currently hold is accurate and up-to-date.

Objections / Complaints

Should you have any concerns about how your information is managed at the GP, please contact the GP Practice Manager or GP Hub Manager or the Data Protection Officer:
Email: dpo.atm@nhs.net
Postal: AT Medics Limited 26-28 Streatham Place London SW2 4QY

If you are still unhappy following a review by our Caldicott Guardian, you can then complain to the Information Commissioner’s Office (ICO) via their website (www.ico.gov.uk).

What you need to do next

If you are happy for your data to be used for the purposes described in this privacy notice, then you do not need to do anything. If you have any concerns about how your data is shared, then please contact our Data Protection Officer. If you would like to know more about your rights in respect of the personal data we hold about you, please contact our Data Protection Officer.

Data Protection Officer

The Data Protection Officer is Hasib Aftab of AT Medics Limited. Any queries regarding Data Protection issues should be addressed to him at:
Email: dpo.atm@nhs.net
Postal: AT Medics Limited 26-28 Streatham Place London SW2 4QY

Changes

It is important to point out that we may amend this Privacy Notice from time to time. If you are dissatisfied with any aspect of our Privacy Notice, please contact the Practice/GP Hub Data Protection Officer.

Cookies

Our site uses cookies to distinguish you from other users of our site. This helps us to provide you with a good experience when you browse our site and also allows us to improve our site. By continuing to browse the site, you are agreeing to our use of cookies. A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer or your mobile device if you agree. Cookies contain information that is transferred to your computer’s hard drive or your mobile device.

We use the following cookies:

  • Strictly necessary cookies. These are cookies that are required for the operation of our site. They include, for example, cookies that enable you to login to secure areas of our site;
  • Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our site when they are using it. This helps us to improve the way our site works, for example, by ensuring that users are finding what they are looking for easily;
  • Functionality cookies. These are used to recognise you when you return to our site. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region);
  • Targeting cookies. These cookies record your visit to our site, the pages you have visited and the links you have followed. We will use this information to make our site more relevant to your interests. We may also share this information with third parties for this purpose.

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.

Except for essential cookies, all cookies will expire after 12 months.

Care.Data

Information about you and the care you receive is shared, in a secure system, by healthcare staff to support your treatment and care.

It is important that the NHS can use this information to plan and improve services for all patients. We would like to link information from all the different places where you receive care, such as your GP, hospital and community service, to help us provide a full picture. This will allow us to compare the care you received in one area against the care you received in another, so we can see what has worked best.

Information such as your postcode and NHS number, but not your name, will be used to link your records in a secure system, so your identity is protected. Information which does not reveal your identity can then be used by others, such as researchers and those planning health services, to make sure we provide the best care possible for everyone.

How your information is used and shared is controlled by law and strict rules are in place to protect your privacy.

We need to make sure that you know this is happening and the choices you have.

COVID-19 Privacy Notice

Introduction

This notice describes how we may use your information to protect you and others during the Covid-19 (Coronavirus) outbreak. It supplements our main Privacy Notice which is available on our website.

In the current emergency it has become even more important to share health and care information quickly across relevant organisations, to deliver care to individuals, support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. The health and social care system is facing significant extra pressures due to the Covid-19 outbreak.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. The Secretary of State requires NHS Digital; NHS England and NHS Improvement; Arm’s Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any arrangements put in place specifically to use or share information during the Covid-19 outbreak are temporary and will be limited to the period of the outbreak unless there is another existing legal basis that covers the use and sharing of that data.

During the COVID-19 outbreak London Clinical Commissioning Groups will not process any new requests to opt-out of local data sharing arrangements such as the One London Health and Care Record exemplar, Connecting your Care or The National Data Opt-Out.

All opt-out requests currently submitted will be held until the outbreak ceases, at which point the request to opt-out will be processed.

It may take us longer to respond to Subject Access Requests and Freedom of Information requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs, we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example, neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance, such as Public Health England, for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. During this period of emergency, you may be offered a consultation via telephone or videoconferencing. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

Data Controller

AT Medics Limited is the data controller for any personal data that we hold about you.

Data Protection Officer

The Practice Data Protection Officer is Hasib Aftab of AT Medics Limited. Any queries regarding Data Protection issues should be addressed to him at:

Email: dpo.atm@nhs.net
Postal:
AT Medics Limited
26-28 Streatham Place
London, SW2 4QY

Purpose of the processing of your data

The purpose of the envisaged temporary Covid-19 data flows is to effectively treat and prevent the onward spread of COVID-19; as such, there is a need to share Patient Identifiable Data and Special Category (or sensitive) information. However, for each new data flow a review will be undertaken to ensure that the minimum amount of personal data is processed and processed securely.

Lawful basis for processing your data

Under the General Data Protection Regulation (EU GDPR), Article 6, 1(c) – Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

There are a number of pieces of legislation currently available to allow the processing of personal data and special category data in response to public health breakouts, which includes:

  • Public Health (Control of Disease) Act 1984
  • The Health and Social Care Act 2008 (by virtue of The Care Act 2014)

The relevant basis in UK law is set out in the Data Protection Act (DPA) 2018, in Schedule 1 condition 2. This condition covers the following purposes:

  • preventive or occupational medicine;
  • the assessment of an employee’s working capacity;
  • medical diagnosis;
  • the provision of health care or treatment;
  • the provision of social care (this is likely to include social work, personal care and social support services); or
  • the management of health care systems or services or social care systems or services.

Article 9(3) of the GDPR contains the additional safeguard that you can only rely on this condition if the personal data is being processed by (or under the responsibility of) a professional who is subject to an obligation of professional secrecy. Section 11 of the DPA 2018 makes it clear that in the UK this includes:

  • a health professional or a social work professional; or
  • another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

By virtue of the Data Protection Act 2018 (c. 12) Schedule 1 — Special categories of personal data and criminal convictions etc data, Part 1 – Conditions relating to employment, health and research etc, paragraph 3(a), processing meets the GDPR Article 9 condition ‘if processing is necessary for reasons of public interest in the area of public health’.

Recipient or categories of recipients of the processed data

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 2018
  • The General Data Protection Regulations 2016
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality, Information Security and Records Management
  • Information: To Share or Not to Share Review

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.

Our practice policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the General Data Protection Regulation (GDPR) and all UK specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be protected.

All employees and sub-contractors engaged by our practice are asked to sign a confidentiality agreement. The practice will, if required, sign a separate confidentiality agreement if the client deems it necessary. If a sub-contractor acts as a data processor for AT Medics, an appropriate contract (art 24-28) will be established for the processing of your information.

In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact the Data Protection Officer in writing if you wish to withdraw your consent. In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose in an identifiable format. In some circumstances you can Opt-out of the surgery sharing any of your information for research purposes.

Right to access and correct

All the personal data we process is processed by our staff in the UK; however, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

No 3rd parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place (such as a Data Processor as above). We have a Data Protection regime in place to oversee the effective and secure processing of your personal and/or special category (sensitive, confidential) data.

Retention period

The data will be retained in line with the law and national guidance. For more information, see https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016 or speak to the South West London CCG.

Right to Complain

You have the right to complain to the practice, to the Data Protection Officer (details above) or to the Information Commissioner’s Office (ICO). You can use this link https://ico.org.uk/global/contact-us/ or call their helpline on Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate).

There are National Offices for Scotland, Northern Ireland and Wales (see ICO website).

Note: This Privacy Notice sets aside the requirements of the Common Law Duty of Confidentiality for COVID-19 purposes. Regulation 4 of the Health Service Control of Patient Information Regulations 2002 provides that ‘information may be processed in accordance with these Regulations, notwithstanding any common law obligation of confidence’, meaning that identifiable patient data can be shared with other organisations where it is ‘necessary’ for a COVID-19 purpose.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

Clinical Commissioning Group Privacy Notice

The purpose of this notice is to inform you of the type of information (including personal information) that Lambeth Clinical Commissioning Group (CCG) holds, how that information is used, who they may share that information with, and how they keep it secure and confidential.

What they do

The CCG is responsible for planning and buying (also known as commissioning) health services from healthcare providers such as hospitals, for the local population to ensure the highest quality of healthcare. They also have a performance and quality monitoring role of these services, which includes responding to any concerns from patients on services offered.

How they collect and use information

Lambeth CCG collects and uses information to allow them to plan the provision of healthcare services. Most of the information they usually collect and use is anonymous. In some circumstances they need your explicit consent to collect your information. They may also ask that the information from your healthcare providers, such as your GP and hospitals, is combined and joined up in order to better support you to stay well and for them to better plan the services they buy.

As outlined in the NHS Constitution, Lambeth CCG are committed to protecting your rights and responsibilities as a patient. These include your right to confidentiality and giving you access to your health information. You have the right to ask whether they have access to your information, and to choose that you do not want your information managed by them for certain purposes.

Examples of how Lambeth CCG use your information

  • Evaluation and review of services such as checking their quality and efficiency
  • Investigating complaints and legal claims
  • Making sure services can meet patient needs, now and in the future
  • Preparing statistics on NHS performance
  • Reviewing the care provided to make sure it is of the highest standard

If you would like to find out more please contact: slcsu.informationgovernance@nhs.net

Local Care Record Privacy Notice

Your local NHS organisations have a duty to keep complete, accurate and up-to-date information about your health, so that you can receive the best possible care.

Sometimes the people caring for you also need to share some of your information with others that are also supporting you. This could include GPs, hospital based specialists, nurses and health visitors.

To support this information sharing to happen more quickly and to improve the care you receive, a new process has been put in place locally. This will join-up your care records from your local hospital organisations (Guy’s and St Thomas’, King’s College Hospital and South London and Maudsley NHS Foundation Trusts) with GP practice information through existing computer systems. It is called the Local Care Record.

Information is only shared when it is needed to make your care and treatment safer, easier and faster and only with those people directly involved in your care. This could include allowing a hospital doctor to see the medication that a GP has prescribed for you when you go in to hospital or allowing a GP to see what care, tests or treatment you received while in hospital.

Above all it will allow professionals that are supporting you to work with you to make safer and better decisions about your care.

The new system will start to operate in a small number of GP practices and hospital services in October 2015, and other organisations will continue to join during 2015 and 2016.

We are currently engaging with local people about the Local Care Record, to provide you with as much information as possible and allay any potential concerns. We have already attended the local Citizens’ Board, Resilience Interest Group and Older People’s Month events hosted by Age UK. We have also hosted a public meeting in with the local Healthwatch and Patient Participation Groups.

You can choose for your information not to be shared between your local NHS organisations, but please note that not sharing your information may affect the care you receive. Find out more at www.kingshealthpartners.org/localcarerecord

Personal Demographics Service (PDS) Privacy Notice

Summary

The Personal Demographics Service (PDS) is the national electronic database of NHS patient details such as name, address, date of birth and NHS Number (known as demographic information).

Data Controller

NHS Digital operates PDS as part of the Spine under direction from the Secretary of State for Health and is the Data Controller. PDS serves as the register of patients registered for, or otherwise in receipt of, health and care services commissioned by NHS organisations in England and Wales. Within NHS Digital, staff at the PDS National Back Office (NBO) carry out a range of activities to manage and maintain the accuracy and quality of records on the PDS along with providing a set of record tracing services for specific defined purposes. A small number of other NHS Digital staff may access PDS records as and when required for the investigation of an incident or complaint.

Level of data

Each individual record on the PDS contains identifiable data. This is to help care providers identify a patient and to facilitate communication with or about them. The data items held include NHS Number, name, date of birth, gender, GP practice, address(es) and contact details (such as telephone numbers and email addresses). Where applicable, data is also held on people’s immigration status to help care providers determine whether they are liable to be charged for some NHS services. Data is also held, where applicable, on certain patient preferences such as nominated pharmacy and whether the record is marked as ‘sensitive’. The full list of data items held on the PDS, along with other information about PDS, can be found on the Demographics pages of the NHS Digital website. No clinical data is held on the PDS.

Collection

Much of the data held on the PDS is collected by NHS care providers from patients or people acting on a patient’s behalf. The NHS care providers collecting the data include GP practices and other primary care contractors (such as pharmacies), secondary and tertiary care providers, and child health, community, learning disability and mental health services. Primary Care Support England also creates and updates PDS records in the discharge of its responsibilities for maintaining patient lists for GP practices.

Some of the data held on the PDS is collected and provided by the Home Office. This is limited to details of visitors and migrants who have paid the Immigration Health Surcharge and these details are used to create a PDS record for individuals in advance of their registration with a GP practice or attendance for NHS care. This data is initially provided by the individuals concerned as part of the visa application process.

Other updates to the PDS include:

  • civil registration births and deaths data collected from the General Register Office.
  • births and deaths data collected from the Isle of Man Government.
  • data on deaths registered in Scotland for patients who have received NHS care in England and therefore have a PDS record.
  • address updates recorded by NHS care providers across the UK.

At the request of NHS care providers, NBO staff create new records for people who are not already registered. New records can also be created in certain cases where the resolution of data quality issues requires invalidation of existing records and in other cases such as adoption and gender reassignment where a new identity is established for the individual. NBO staff also update records to correct errors identified by PDS users or by software checks, or where automated update processes have not succeeded and require manual checking.

Purposes and sharing

Data is held on PDS to help care providers confirm the identity of patients; to link their care records within an organisation and between different organisations, and to communicate with patients. Access by individual staff to PDS data requires the use of a smartcard, while access via intermediary systems is subject to an assurance and approval framework. Details of all access are logged and maintained for audit or other investigation purposes.

The key processes where PDS data may be accessed and used are as follows:

  • Registration (and de-registration) with a care provider, whether as a patient at a GP practice or as an in-patient, outpatient or day case with a provider of NHS services, generally via a care provider’s own electronic patient record system (e.g. GP practice clinical system or hospital Patient Administration System).
  • Registration with a GP practice involves processing of PDS data by the National Health Authority Information System (NHAIS) systems used by Primary Care Support England (PCSE) to manage GP practice lists, to check for previous details of a patient’s GP registration.
  • Checking by care providers for any updates to the details for a registered patient, either via a care provider’s own system (e.g. GP practice clinical system or hospital Patient Administration System) or by logging into the Demographics screens on the Summary Care Record application (SCRa). This is also available to local authority social care services where they are working in partnership with NHS organisations to provide shared care for a patient.
  • Checking by care providers for details of a patient’s chargeable status in the case of visitors and migrants by logging into the Demographics screens on the Summary Care Record application (SCRa)
  • Referral for care, typically a GP referral for secondary care, using the national eReferrals Service (eRS)
  • Prescribing medication using the national Electronic Prescriptions Service (EPS).
  • Creation and update of a patient’s Summary Care Record (SCR).
  • Electronic transmission via the GP2GP service of a patient’s medical records between the old and new GP practices when re-registering.

NHS Digital also processes PDS data to provide extracts of patient demographic data for the Secondary Uses Service (SUS) and for the Medical Research Information Service (MRIS), both operated by NHS Digital. A range of reports is also available to relevant organisations through Spine Demographics Reporting Service (SDRS) to support the management of NHS services, including some health screening services. PDS data extracts may also be provided to external organisations for specific purposes subject to there being an appropriate legal basis and the relevant approval processes being followed. Disclosures of PDS data are recorded on the Data Release Register.

There are a number of regional NHS data processing centres, known as Data Services for Commissioners Regional Offices (DSCROs) and staff in these offices may apply for access to PDS records. This is only allowed for specified purposes in connection with checking the validity of patient information and confirming responsibilities for commissioning of patient care.

NHS Digital also processes PDS data for validation and integrity checking purposes, identifying potential data quality issues to be investigated and resolved by NBO staff who will access individual records to identify issues and make corrections. Some less complex cases are also handled by staff at the National Service Desk operated by NHS Digital.

In addition to health and care purposes, where requested and where appropriate, the NBO may trace and provide administrative non-clinical information from the PDS to organisations and agencies with statutory responsibilities for specific public services. This is undertaken only where there is an applicable legal basis.

These tracing services are categorised under the following four headings:

  • NHS Data Management (this includes batch tracing to confirm NHS Numbers and other details for patients receiving services from health and care providers)
  • Health & Care Management (this includes letter forwarding and checking currency of patient registrations)
  • Death Registration
  • Record tracing (this includes tracing for law enforcement purposes, including police services, National Crime Agency, Home Office Immigration, court orders and Criminal Cases Review Commission)

There is also a Letter Forwarding tracing service which NHS Digital provides under its statutory obligation to protect the welfare of an individual. No information about live individuals is provided by this function.

Further information regarding these services is available.

Opt-out/contact

Patients registered for NHS services are required to have a record on the PDS, and therefore cannot ‘opt out’ of the PDS. However, they can request that their record is marked ‘Sensitive’ which limits the detail that can be seen by anyone viewing their PDS record to name, NHS Number and DOB, with no contact or location details visible. This is normally done by the patient requesting that their GP contacts NBO to apply the ‘Sensitive’ flag.

Where NHS Digital releases data for a secondary purpose (such as medical research), patients may choose for their identifiable data to not be released in this way.  More information is available on this web page.  Such releases are not made from PDS itself (and are not handled by the NBO team), but from the MRIS service which has the capability to apply opt-outs.

Streatham High Practice Patient Paper Records Privacy Notice

“In order to reduce the amount of historic patient paper records (known as Lloyd George envelopes), the GP practice is working alongside OHSEL within South East London Clinical Commissioning Group (CCG) to transfer all paper-based primary care medical records for each patient at the Practice to an electronic copy. This contains notes made during primary care consultations, letters, test results and other documents relating to health care for the patient. The electronic copy will be saved on the practice’s EMIS Web server and attached to each patient record.

Egton have been chosen as the provider of this service, and will be using Restore Scan to undertake the work.

The processing is in accordance with GDPR Article 6(1)(b): processing is necessary for the performance of a contract. Special category data are processed in accordance with GDPR Article 9(2)(h): processing is necessary for the management of health or social care systems and services.”

Summary Care Records Privacy Notice

A Summary Care Record is an electronic record containing key health information, which can be made available to NHS healthcare staff caring for you in an emergency or when your GP practice is closed. If you haven’t already made your choice, please make it now.

Yes I would like a Summary Care Record

You do not need to do anything and a Summary Care Record will be made for you.

No I do not want a Summary Care Record

There are two ways to opt out from the Summary Care Record.

Your existing health record at your GP practice will continue to be used as it is now.

If you are still unsure

If you are still unsure about the Summary Care Record, please ask us at reception for a leaflet, which provides more information to help you decide. You can also phone the Summary Care Record information line on 0300 123 3020 or visit the website at systems.hscic.gov.uk/scr

Information sharing with other services

We may need to share your medical information with other organisations involved in the delivery of your care e.g. Podiatry or District Nursing. We will not share identifiable information with anyone that isn’t involved in your care unless legally required to.

You would have been asked to opt in or out when you registered at one of our GP surgeries as follows: “Are you happy for us to Share Out your full medical records electronically with other services involved in your care and/or to view (Share In) medical records held by other services?”

If you wish to reconsider, or do not consider that you have opted in or out, you may contact our practice reception to discuss this further, and appropriate action will be taken.