Patient Privacy Notice
1) Paxton Green Group Practice (1 Alleyn Park London SE21 8AU) is the Data Controller responsible for the personal information that we hold on you. This includes information that identifies you as a person (e.g. your name, date of birth and where you live) and medical information related to health care services that are being provided, or have been provided in the past. It is necessary for us to hold this information to provide emergency care and also for the prevention, diagnosis and treatment of medical conditions. This notice is issued in compliance with the requirements of the General Data Protection Regulations (2018) and the Data Protection Act (2018).
Data Protection Officer
2) The practice Manager is the Data Protection Officer, whose role is to ensure that your information is processed lawfully and that the practice complies with its data protection obligations and the contents of this privacy statement. If you have any concerns regarding how your data is obtained, stored or used, you should contact the Practice Manager. If you are unhappy with the response you receive, you may refer your concerns to the Information Commissioner’s Office.
National Data Opt Out
- When registering for NHS care, all patients are registered on a national database, the database is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS data.
- Whenever you use a health or care service, including seeing your GP, important information about you is collected in a patient record to ensure you get the best possible care and treatment. The information can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
All these uses help to provide better health and care for you, your family and future generations, but confidential patient information about your health and care is only used like this where allowed by law. Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you do choose to opt-out, your confidential patient information will still be used to support your individual care. To find out more or to register your choice to opt out, please visit www.nhs.uk/your–nhs–data–matters. If you have previously opted out of sharing this information, this will be recognised as part of the new National Data Opt out process.
What we do with your information – data processing
5) Unless we have your consent, we will not use identifiable information from your records for purposes other than your direct health care, unless required to do so by a court order or for the prevention of serious crime or harm to others, including where there may be child safeguarding concerns. In particular, we will not make your information available to other organisations for advertising or marketing purposes without your consent.
Lawful Basis for processing
- The processing of personal data in the delivery of direct health care and for providers’ administrative purposes in this surgery (and in support of direct care elsewhere) is supported under the following Articles 6 and 9 of the General Data Protection Regulations:
- Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
- Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”
- We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*
“Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Sharing your information with other health professionals.
- Direct Care is care delivered to the individual alone, most of which is provided in the surgery. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialist, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care.
- GPs have always delegated tasks and responsibilities to others that work with them in their surgeries. It is not possible for the GP to provide hands on personal care for each one of their patients. GPs therefore share your care with others, predominantly within the surgery, but occasionally with outside organisations. Your consent to this sharing of data, within the practice and with those others outside the practice is assumed and is allowed by the Law.
- If your health needs require care from others elsewhere outside this practice, we will exchange with them the minimal amount of information about you that is necessary for them to provide that care. When you make contact with healthcare providers outside the practice, but within the NHS, it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non-NHS services, but this is not always the case.
- All Practice members of staff have signed confidentiality agreements as part of their employment and only those members of staff that have a valid reason to access your information will be allowed to do so. If you suspect that any of your information has been accessed by staff without a valid purpose, you should notify the Practice Manager/Data Protection Officer and provide evidence.
- Relevant parts of your medical records may, however, be shared with other health or social care professionals, for example, when referring you to hospital or for other care outside the practice. In this case, we will seek your consent for a referral and you will be informed when a referral to another health or social care professional is being made and will be able to request copies of the referral information.
- Paxton Green Group Practice is a member of the Lambeth GP Federations that help administer health care for practice patients. As such, it is sometimes necessary for the Federation to access patient-identifiable information, e.g. for the purposes of managing or identifying patients with specific illnesses or those requiring screening or monitoring. A data sharing agreement is in place with the Federation that covers the use of your information for these purposes, but it is only provided on a strict ‘need to know’ basis and for very specific purposes.
London Care Record
- This practice uses a shared record system called the London Care Record. The London Care Record is a secure view of your health and care information and lets health and care professionals involved in your care see important details about your health when and where they need them. Having a single, secure view of your information helps speed up communication between care professionals across London, improves the safety of care and can save lives.
London Care Record can only be lawfully looked at by staff who are directly involved in your care. Your information isn’t available to anyone who doesn’t need it to provide treatment, care and support to you. Your details are kept safe and won’t be made public, passed on to a third party who is not directly involved in your care, used for advertising or sold. For more information please read the London Care Record privacy notice for South East London here: The London Care Record – South East London ICS (selondonics.org)
Opting out of the London Care Record
You have the right to object to your information being available through London Care Record. Although patients have the right to object and request restrictions on sharing their records, there may be instances where this request will not be upheld due to a clinical need as determined by the direct care giver. Please discuss this with your GP/ health and social care worker and you can find further information in this London Care Record leaflet.
For further information and advice about data protection or your right to object to sharing your data you can contact the team at Lewisham and Greenwich Trust who manage the London Care Record for South East London www.lewishamandgreenwich.nhs.uk/london-care-record or you can call 020 3192 6011 and leave your name and number for someone to contact you.
If you have already requested to stop sharing on ConnectCare/Local Care Record in South East London, then you will not have to request this again for London Care Record.
Summary Care Record
- Basic medical information regarding medication and allergies will be uploaded automatically to the national Summary Care record (SCR) and will be available if you attend hospital anywhere in England. You must let the practice know if you do not consent to this information being uploaded to your SCR. You can also request for additional medical information, such as major diagnoses or conditions being treated, to be included in your SCR so that it is available (with your consent) if you are taken ill away from home. This requires your specific personal agreement and you will have to make a request to the practice to do this and agree what information is uploaded. We suggest that you discuss this with a doctor or nurse in a consultation.
16) Paxton Green Group Practice is a research practice. If we identify that you may be suitable for any specific studies, we will write to you and invite you to take part. You may refuse this request without it affecting the health care that you receive from the practice.
Securely storing your personal information
17) We use computer systems in the practice that store your data securely, both onsite and offsite. We have legal contracts in place with external companies that supply and maintain the systems that we use. These companies act under our direction as Data Processors. This include Emis Health (clinical record system), Informatica (appointment booking system), Docman (document storage system) and Footfall (website management). Other companies may also provide data processing services to the practice.
- We have an interactive practice website that can be accessed without providing personal information. In general, you can visit our web site without telling us who you are and without revealing any information about yourself. There may, however, be occasions when you choose to give us personal information, for example, when you choose to contact us or request information from us. We will ask you when we need information that personally identifies you or allows us to contact you. We collect the personal data that you may volunteer while using our services. We do not collect information about our visitors from other sources, such as public records or bodies, or private organisations. We do not collect or use personal data for any purpose other than:
- To send you confirmation of requests that you have made to us
- To send you information when you request it.
- Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should be aware that we don’t have any control over the other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting these sites.
If you ask others to request information on your behalf
20) If you provide independent consent to third parties (e.g. insurance companies or solicitors) granting access to your records, we will expect to see written evidence of that consent before releasing information. You will have the right to request sight of any information before it is released.
Maintaining the accuracy of your records
- The practice aims to only record and keep information that is accurate, relevant and up to date, although, as medical records often extend back over many years, we cannot always verify the accuracy of records that have been made by others in the past.
- Any factual inaccuracies in the records should be notified to the Practice Manger. We will change anything that is shown to be factually incorrect, but clinical opinions, based on information provided, cannot be changed, although we will record your own interpretation of the facts if they are different from those of the health care professional.
- If you change address, telephone numbers or any other contact details, we will expect you to inform us of the changes. In addition, we will regularly ask you to confirm your details (e.g. when booking appointments or when arranging tests or referrals).
Viewing your records
24) We encourage patients to request on-line access to their medical records and to check that they are accurate. Where on-line access is not possible, we will provide copies of records in any suitable format and within one calendar month from the time that a request is made. Requests for on-line access to your records should be made by completing the form on our practice website (/navigator/register–for–online–services/) and by providing photo ID and proof of address at reception.
Right to Object
25) You have the right to object to some or all of your information being processed (Article 21). Please contact the Practice Manager. You should be aware that this is a right to raise an objection, that is not the same as having an absolute right to have your wishes granted in every circumstance.
Right to Access and Correct
26) You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law.
27) Data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records–Management–Code–of–Practice–for–Healthand–Social–Care–2016. This means that your medical records will be retained until 10 years after your death. If you transfer to another practice, then your records will be transferred to that practice and it will become their responsible to manage the security of your records. Although information will be retained on our practice computer system after you leave the practice, this will become ‘locked’ and any access to that information will be recorded, with a valid reason being required for access. We regularly monitor any access to the records of patients who no longer are under the care of the practice.
Right to Complain
28) You have the right to complain to the Information Commissioner’s Office, you can use this link https://ico.org.uk/global/contact–us/ or calling their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
COVID-19 Privacy Notice
(This Privacy Notice is to run alongside our standard Practice Privacy Notice)
Due to the unprecedented challenges that the NHS and we, Paxton Green Group Practice face due to the worldwide COVID-19 pandemic, there is a greater need for public bodies to require additional collection and sharing of personal data to protect against serious threats to public health.
The Secretary of State has served notice under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) to require organisations to process confidential patient information in the manner set out below for purposes set out in Regulation 3(1) of COPI.
Purpose of this Notice
The purpose of this Notice is to require organisations such as Paxton Green Group Practice to process confidential patient information for the purposes set out in Regulation 3(1) of COPI to support the Secretary of State’s response to Covid-19 (Covid-19 Purpose). “Processing” for these purposes is defined in Regulation 3(2) and includes dissemination of confidential patient information to persons and organisations permitted to process confidential patient information under Regulation 3(3) of COPI. This Notice is necessary to require organisations such as Paxton Green Group Practice to lawfully and efficiently process confidential patient information as set out in Regulation 3(2) of COPI for purposes defined in regulation 3(1), for the purposes of research, protecting public health, providing healthcare services to the public and monitoring and managing the Covid-19 outbreak and incidents of exposure.
For further information please go to the NHS digital website:
Review and Expiry of this Notice
This Notice will be reviewed on or before 31 March 2021 and may be extended by The Secretary of State. If no, further notice is sent to Paxton Green Group Practice by The Secretary of State this Notice will expire on 31 March 2021.
Version 4.0 (revised February 2023)