Introduction

At Petroc Group Practice, we have a legal duty to explain how we use any personal information we collect about you at the organisation. This is in both electronic and paper format. 

Why do we have to provide this privacy notice?

We are required to provide you with this privacy notice by law. It provides information about how we use the personal and healthcare information we collect, store and hold about you. If you have any questions about this privacy notice or are unclear about how we process or use your personal information or have any other issue regarding your personal and healthcare information, then please contact our Data Protection Officer Umar Sabat (ciosicb.dpo@nhs.net)

The main things the law says we must tell you about what we do with your personal data are:

●        We must let you know why we collect personal and healthcare information about you

●        We must let you know how we use any personal and/or healthcare information we hold about you

●        We need to inform you in respect of what we do with it

●        We need to tell you about who we share it with or pass it on to and why

●       We need to let you know how long we can keep it for

The General Data Protection Regulation (GDPR) became law on 24 May 2016. This was a single EU-wide regulation on the protection of confidential and sensitive information. It entered into force in the UK on the 25 May 2018, repealing the Data Protection Act (1998). Following Brexit, the GDPR became incorporated into the Data Protection Act 2018 (DPA18) at Part 2, Chapter 2 titled The UK GDPR.

For the purpose of applicable data protection legislation (including but not limited to the Data Protection Act 2018 (DPA2018) and Part 2 the UK GDPR).

Who We Are

Petroc Group Practice is the Data Controller for the personal information we hold about our patients.

Data Controller: Petroc Group Practice

Data Protection Officer (DPO):

NHS Cornwall and Isles of Scilly Integrated Care Board

Email: ciosicb.dpo@nhs.net

Using your information

We will use your information so that we can check and review the quality of care we provide. This helps us improve our services to you.

·         We will share relevant information from your medical record with other health or social care staff or organisations when they provide you with care. For example, your GP will share information when they refer you to a specialist in a hospital or your GP will send details about your prescription to your chosen pharmacy.

 

·         More information on how we share your information with organisations who are directly involved in your care can be found here: https://www.devonandcornwallcarerecord.nhs.uk/

 

·         Healthcare staff working in A&E and out of hours care will also have access to your information. For example, it is important that staff who are treating you in an emergency know if you have any allergic reactions. This will involve the use of your Summary Care Record For more information see NHS E Summary Care Record or alternatively speak to this organisation.

 

You have the right to object to information being shared for your own care. Please speak to this organisation if you wish to object. You also have the right to have any mistakes or errors corrected.

Registering for NHS care

·        All patients who receive NHS care are registered on a national database (NHS Spine). The Spine is held and maintained by NHS England, a national organisation which has legal responsibilities to collect NHS data. This enables healthcare organisations to identify patients correctly and provide NHS services safely and efficiently.

 

·        More information can be found at NHS England - Spine 

Identifying patients who might be at risk of certain diseases (Risk Stratification and Population Health Management)

·         Your medical records will be searched by a computer programme so that we can identify patients who might be at high risk from certain diseases such as heart disease or unplanned admissions to hospital. This means we can offer patients additional care or support as early as possible.  

·         This process will involve linking information from your GP record with information from other health or social care services you have used. A risk score is then arrived at through an analysis of your de-identified information is only provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. Information which identifies you will only be seen by this organisation.

·         More information: please speak to the organisation. 

Safeguarding

·         Sometimes we need to share information so that other people, including healthcare staff, children or others with safeguarding needs, are protected from risk of harm. 

·         In certain circumstances we may share information without your consent where there is a legal or professional duty to do so.

o   This may occur when:

o   Protecting children or vulnerable adults.

o   Preventing serious harm.

o   Assisting safeguarding investigations.

o   Meeting statutory safeguarding obligations.

These circumstances are rare, and we do not need your consent or agreement to do this. 

Medicines Management

·         The Practice may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments.

 

Artificial Intelligence (AI) 

·       Prior to using AI, a full data protection impact assessment has been compiled, and any AI use will comply with the strict UK data protection laws that also includes UK GDPR. 

·       Clinicians may use AI software during consultations to support both the compiling and documenting of a patients clinical record. There are two main types of personal data that will be processed during a consultation, including the patient’s name, contact details, medical history, diagnosis, treatment information, and any other information shared during consultations. There may also be an audio recording of the clinician, although this is to detail their professional identifiers, such as name and title. Should you not wish the clinician to use any AI during your consultation, please make them aware of this.

·       Any use of AI will:

o   Comply with UK GDPR and Data Protection Act 2018 requirements.

o   Be subject to Data Protection Impact Assessments.

o   Operate within NHS information governance standards.

o   Remain under the supervision of qualified healthcare professionals.

·         Where AI is used during consultations, it may assist clinicians with note-taking, documentation and clinical record preparation.

·         Patients may discuss any concerns regarding AI use with their clinician.

Telephone Calls

Where telephone calls to and from the practice are recorded, recordings are used for:

• Staff training.
• Quality assurance.
• Investigating complaints.
• Patient and staff safety.
• Managing abusive or threatening behaviour.

Access to recordings is restricted to authorised personnel.

Medical Research and Clinical Audits

We may use information from patient records to support:

·         Clinical audit.

·         Service evaluation.

·         Healthcare improvement.

·         Medical research where permitted by law.

 

This organisation shares information from medical records to support medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best. We will also use your medical records to carry out research within the organisation.

 

The use of information from GP medical records is very useful in developing new treatments and medicines; medical researchers use information from these records to help to answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive.

 

·         Where identifiable information is used for research, appropriate legal safeguards or consent requirements will apply.

·         You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the organisation if you wish to object.  

Checking the quality of care – national clinical audits

•         This organisation contributes to national clinical audits so that healthcare can be checked and reviewed. Information from medical records can help doctors and other healthcare workers to measure and check the quality of care that is provided to you.
•         The results of the checks or audits can show where organisations are doing well and where they need to improve. These results are also used to recommend improvements to patient care. 
•         Data is sent to NHS England, a national body with legal responsibilities to collect data
•         The data will include information about you, such as your NHS Number and date of birth, and information about your health which is recorded in coded form – for example the code for diabetes or high blood pressure.
•      We will only share your information for national clinical audits or checking purposes when the law allows.For more information about national clinical audits see the Healthcare Quality Improvements Partnership website.
•        You have the right to object to your identifiable information being shared for national clinical audits. Please contact the organisation if you wish to object 

Access to your personal information

Data Subject Access Requests (DSAR): You have a right under the Data Protection legislation to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. To request this, you need to do the following:

·       Your request should be made to the Practice – for information from the hospital you should write direct to them

·       There is no charge to have a copy of the information held about you

·       We are required to respond to you within one month

·       You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified, and your records located information we hold about you at any time.

What should you do if your personal information changes?

You should tell us so that we can update our records. Please contact the Practice as soon as any of your details change, this is especially important for changes of address or contact details (such as your mobile phone number).  The practice will from time to time ask you to confirm that the information we currently hold is accurate and up-to-date.

 

We are required by law to provide you with the following information about how we handle your information:

 

Data Controller	Petroc Group Practice
Data Protection Officer	Umar Sabat (ciosicb.dpo@nhs.net)
Purpose of the processing	To give direct health or social care to individual patients. An example is, when a patient agrees to a referral for direct care, such as to a hospital, relevant information about the patient will be shared with the other healthcare staff to enable them to give appropriate advice, investigations, treatments and/or care. To check and review the quality of care. (This is called audit and clinical governance). Medical research and to check the quality of care which is given to patients (this is called national clinical audit).
Lawful basis for processing	These purposes are supported under the following sections of the GDPR: Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’; and Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services...”   The following sections of the GDPR mean that we can use medical records for research and to check the quality of care (national clinical audits): Article 6(1)(e) – ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’. For medical research: Article 9(2)(a) – ‘the data subject has given explicit consent…’ Healthcare staff will also respect and comply with their obligations under the common law duty of confidence.
Recipient or categories of recipients of the processed data	The data will be shared with: ●        NHS Trusts / Foundation Trusts ●       111; Out of hours services;  ●        GP’s ●        eMBED Health   ●        Independent Contractors such as dentists, opticians, pharmacists ●        Private Sector Providers ●        Voluntary Sector Providers ●        Ambulance Trusts ●        Clinical Commissioning Groups ●        Social Care Services ●        NHS England (NHSE) and NHS Digital (NHSD) ●        Local Authorities ●        Education Services ●        Fire and Rescue Services ●        Police & Judicial Services ●        Voluntary Sector Providers ●        Private Sector Providers ●        Other ‘data processors’ which you will be informed of For more information on where medical research the data will be shared with please contact the practice. For national clinical audits which check the quality of care the data will be shared with NHS England.
Rights to object and the national data opt-out	You have the right to object to information being shared between those who are providing you with direct care. This may affect the care you receive – please speak to the practice. You are not able to object to your name, address and other demographic information being sent to NHS England. This is necessary if you wish to be registered to receive NHS care.  You are not able to object when information is legitimately shared for safeguarding reasons. In appropriate circumstances it is a legal and professional requirement to share information for safeguarding reasons. This is to protect people from harm. The information will be shared with the local safeguarding service.  For more information on this see: https://cios.icb.nhs.uk/health/safeguarding/  The national data opt-out model provides an easy way for you to opt-out of information that identifies you being used or shared for medical research purposes and quality checking or audit purposes.  Please contact the practice if you wish to opt-out. Further information is available from NHS England.
Right to access and correct	You have the right to access your medical record and have any errors or mistakes corrected.  We are not aware of any circumstances in which you will have the right to delete correct information from your medical record; although you are free to obtain your own legal advice if you believe there is no lawful purpose for which we hold the information and contact us if you hold a different view.
Retention period	Records will be kept in line with the law and national guidance. Information on how long records are kept can be found in the Records Management Code of Practice.
Right to complain	In the unlikely event that you are unhappy with any element of our data-processing methods, do please contact the Practice Manager in the first instance. If you feel that we have not addressed your concern appropriately, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Further details, visit https://ico.org.uk/for-the-public/ and select “Make a complaint” or telephone: 0303 123 1113.
Data we get from other organisations	We receive information about your health from other organisations who are involved in providing you with health and social care. For example, if you go to hospital for treatment or an operation the hospital will send us a letter to let us know what happens. This means your GP medical record is kept up-to date when you receive care from other parts of the health service.

 

Health and social care services in Devon and Cornwall have developed a system to share patient data efficiently and quickly and, ultimately, improve the care you receive.

This shared system is called the Devon and Cornwall Care Record.

It’s important that anyone treating you has access to your shared record so they have all the information they need to care for you. This applies to your routine appointments and also in urgent situations such as going to A&E, calling 111 or going to an out-of-hours appointment.  

It’s also quicker for staff to access a shared record than to try to contact other staff by phone or email.  

Only authorised health and care staff can access the Devon and Cornwall Care Record and the information they see is carefully checked so that it relates to their job. Also, systems do not share all your data – just data that services have agreed is necessary to include.

For more information about the Devon and Cornwall Care Record, please go to https://www.devonandcornwallcarerecord.nhs.uk/