Privacy Policies 

How we use your personal information

Introduction

The Practice is fully committed to protecting the personal data of its patients, employees, suppliers and other stakeholders in accordance with the requirements of the General Data Protection Regulation (GDPR). We take the privacy of personal data very seriously and have initiated a variety of methods and controls to ensure we know what data we collect and hold and that we protect that data appropriately.

Privacy Notice – Practice

1.1      Policy statement

NHS England collects information with the purpose of improving health and care for everyone. The information collected is used to:

  • Run the health service
  • Manage epidemics
  • Plan for the future
  • Research health conditions, diseases and treatments

NHS England is a data controller and has a legal duty, in line with the UK General Data Protection Regulation (UK GDPR), to explain why it is using patient data and what data is being used. Similarly, Wyre Integrated Network has a duty to advise patients of the purpose of personal data and the methods by which patient personal data will be processed.

All staff should be aware of the practice privacy notice and be able to advise patients, their relatives and carers what information is collected, how that information may be used and with whom the organisation will share that information. 

The first principle of data protection is that personal data must be processed fairly and lawfully. Being transparent and providing accessible information to patients about how their personal data is used is a key element of the UK GDPR.

Further reading can be found here.

UK General Data Protection Regulation (UK GDPR) and GDPR – The Perfect Practice eLearning courses are available in the HUB.

1.2      Status

The organisation aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have regarding the individual protected characteristics of those to whom it applies.

This document and any procedures contained within it are non-contractual and may be modified or withdrawn at any time. For the avoidance of doubt, it does not form part of your contract of employment. Furthermore, this document applies to all employees of the organisation and other individuals performing functions in relation to the practice such as agency workers, locums and contractors.

2       Compliance with regulations

2.1      UK GDPR

The background to the UK GDPR was that in May 2018, GDPR replaced the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way in which organisations across the region approach data privacy.

Post-Brexit, in January 2021, the GDPR became formally known as UK GDPR and was incorporated within the Data Protection Act 2018 (DPA18) at Chapter 2.

In accordance with the UK GDPR, this organisation will ensure that information provided to subjects about how their data is processed will be:

  • Concise, transparent, intelligible, and easily accessible
  • Written in clear and plain language, particularly if addressed to a child
  • Free of charge

DPA18 will ensure continuity by putting in place the same data protection regime in UK law pre- and post-Brexit.

2.2      Article 5 compliance

In accordance with Article 5 of the UK GDPR, this organisation will ensure that any personal data is: 

  • Processed lawfully, fairly and in a transparent manner in relation to the data subject
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay 
  • Kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures

Article 5 also stipulates that the controller shall be responsible for, and be able to demonstrate compliance with, the above. 

Note: For clarity, a data controller is the entity that determines the purposes, conditions and means of the processing of personal data, whereas a data subject is a natural person whose personal data is processed by a controller or processor.

2.3      Communicating privacy information

A privacy notice is a statement that discloses some or all of the ways in which the organisation gathers, uses, discloses and manages a patient’s data. Its purpose is to fulfil a legal requirement to protect a patient’s privacy.

At this organisation, this privacy notice is displayed on our website, through signage in the waiting room and in writing during patient registration. We will:

  • Inform patients how their data will be used and for what purpose
  • Allow patients to opt-out of sharing their data, should they so wish

2.4      What data will be collected?

The following data will be collected:

  • Patient details (name, date of birth, NHS number)
  • Address and next of kin (NOK) information
  • Medical notes (paper and electronic) 
  • Details of treatment and care, including medications
  • Results of tests (pathology, X-ray, etc.)
  • Any other pertinent information 

2.5      National data opt-out programme

The national data opt-out programme affords patients the opportunity to make an informed choice about whether they wish their confidential patient information to be used solely for their individual care and treatment or also used for research and planning purposes.

NHSE have provided a document titled Understanding the national data opt-out.

Patients who wish to opt-out of data collection can register a national data opt-out. Further reading can be found at this NHSE webpage titled Setting or changing a national data opt-out choice. This includes information regarding children and their privacy.

This organisation has proved compliance by publishing the organisational privacy notice and submitting the Data Security and Protection Toolkit assessment. 

Further information about opting out can be found in the NHS England webpage titled Make a choice about sharing data from your health records.

2.6      Patients in secure settings

There are special arrangements for patients in prison or other similar secure settings known as detained and secure estates. A health and care professional can help register a patient’s opt-out choice. 

Further reading can be found at the NHSE webpage titled Guidance for detained and secure estates.

3       General practice data for planning and research data collection

3.1      About

This data collection will help the NHS to improve health and care services for everyone by collecting patient data that can be used to do this. 

The GPDPR is designed to help the NHS to:

  • Monitor the long-term safety and effectiveness of care
  • Plan how to deliver better health and care services
  • Prevent the spread of infectious diseases
  • Identify new treatments and medicines through health research

3.2      Data sharing

Data may be shared from GP medical records for:

  • Any living patient registered at a GP practice in England when the collection started. This includes children and adults
  • Any patient who died after this data sharing started and was previously registered at a GP practice in England when the data collection started

NHS England will not share the patient’s name or demographic details. 

Any other data that could directly identify the patient will be replaced with unique codes which are produced by de-identification software before the data is shared with NHSE including:

  • NHS number
  • General Practice Local Patient Number
  • Full postcode
  • Date of birth

This process is called pseudonymisation and means that no one will be able to directly identify the patient in the data.  

It should be noted that NHSE will be able to use the same software to convert the unique codes back to data that could directly identify the patient in certain circumstances, and where there is a valid legal reason. 

For further reading, refer to the NHSE webpage titled About the GPDPR programme.

3.3      What information can and cannot be shared

NHSE will collect structured and coded data from patient medical records including:

  • Data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals, recalls and appointments including information about physical, mental and sexual health
  • Data on sex, ethnicity and sexual orientation
  • Data about staff who have treated patients

NHSE will not collect:

  • Name and address (except for postcode, protected in a unique coded form)
  • Written notes (free text), such as the details of conversations with doctors and nurses
  • Images, letters and documents  
  • Coded data that is not needed due to its age – for example medication, referral and appointment data that is over 10 years old
  • Coded data that GPs are not permitted to share by law – for example certain codes about gender re-assignment

Further reading can be sought from the NHSE webpage titled Looking after your data.

3.4      Opting out

Primary care organisations have been required to honour the National Data Opt-out (NDO-O) since 31 July 2022 and practices should now be complying with the NDO-O unless there is a specific reason not to do so.

This means that patients who do not want their identifiable patient data to be shared for purposes except for their own care can opt out by registering a Type 1 opt-out or by setting out their data opt-out choice via the national data opt-out (NDO-O).

Patients can do both.

Further reading can be found in the NHSE webpage titled Compliance with the national data opt-out.

3.5      Available resources

The following resources are available for staff at this organisation:

Further information is available within the National data opt-out guidance.

4       Further information

4.1      Privacy notice checklists

The Information Commissioner’s Office has provided a privacy notice checklist that can be used to support.

4.2      Privacy notice template

A privacy notice template can be found at Annex A.

4.3      Notifications for patients

Annex B – Social media/website information update

Annex C – Text messaging and telephone message information

Annex D – Staff opt-out guidance

Annex A – Practice privacy notice

Wyre Integrated Network has a legal duty to explain to you, as a registered patient, how we use any personal information we collect about you at the organisation. We collect records about your health and the treatment you receive in both electronic and paper format.

Why do we have to provide this privacy notice?

We are required to provide you with this privacy notice by law. It provides information about how we use the personal and healthcare information we collect, store and hold about you. If you have any questions about this privacy notice or are unclear about how we process or use your personal information or have any other issue regarding your personal and healthcare information, then please contact our Data Protection Officer, Hayley Digman.

The main things the law says we must tell you about what we do with your personal data are:

  • We must let you know why we collect personal and healthcare information about you
  • We must let you know how we use any personal and/or healthcare information we hold about you
  • We need to inform you in respect of what we do with it
  • We need to tell you about who we share it with or pass it on to and why
  • We need to let you know how long we can keep it for

What is a privacy notice?

A privacy notice (or ‘fair processing notice’) explains the information we collect about our patients and how it is used. Being open and providing clear information to patients about how an organisation uses their personal data is an essential requirement of the new UK General Data Protection Regulation (UK GDPR).

Under the UK GDPR, we must process personal data in a fair and lawful manner. This applies to everything that is done with a patient’s personal information. This means that the organisation must:

  • Have lawful and appropriate reasons for the use or collection of personal data
  • Not use the data in a way that may cause harm to the individuals (e.g., improper sharing of their information with third parties)
  • Be open about how the data will be used and provide appropriate privacy notices when collecting personal data
  • Handle personal data in line with the appropriate legislation and guidance 
  • Not use the collected data inappropriately or unlawfully 

What is fair processing?

Personal data must be processed in a fair manner – the UK GDPR says that information should be treated as being obtained fairly if it is provided by a person who is legally authorised or required to provide it. Fair processing means that the organisation has to be clear and open with people about how their information is used.

This organisation manages patient information in accordance with existing laws and with guidance from organisations that govern the provision of healthcare in England such as the Department of Health and Social Care (DHSC) and the General Medical Council (GMC).

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

This means ensuring that your personal confidential data (PCD) is handled clearly and transparently and in a reasonably expected way. 

The Health and Social Care Act 2012 changed the way that personal confidential data is processed so it is important that our patients are aware of and understand these changes and that you have an opportunity to object and know how to do so.

The healthcare professionals who provide you with care maintain records about your health and any NHS treatment or care you have received (e.g., NHS Trust, GP surgery, walk-in clinic, etc.). These records help to provide you with the best possible healthcare.

NHS health records may be processed electronically, on paper or a mixture of both and we use a combination of working practices and technology to ensure that your information is kept confidential and secure.

Who is the data controller?

This organisation is registered as a data controller under the Data Protection Act 2018. Our registration number is ZB085590 and our registration can be viewed online in the public register at www.ico.gov.uk. This means we are responsible for handling your personal and healthcare information and collecting and storing it appropriately when you are seen by us as a patient.

We may also process your information for a particular purpose and therefore we may also be data processors. The purposes for which we use your information are set out in this privacy notice.

What type of information do we collect about you?

Information held by this organisation may include the following:

  • Your contact details (such as your name, address and email address)
  • Details and contact numbers of your next of kin
  • Your age range, gender, ethnicity
  • Details in relation to your medical history
  • The reason for your visit to the organisation
  • Any contact the organisation and/or your practice has had with you including appointments (emergency or scheduled), clinic visits, etc.
  • Notes and reports about your health, details of diagnosis and consultations with our GPs and other health professionals within the healthcare environment involved in your direct healthcare
  • Details about the treatment and care received
  • Results of investigations such as laboratory tests, x-rays, etc.
  • Relevant information from other health professionals, relatives or those who care for you
  • Recordings of telephone conversations between yourself and the organisation

Information collected about you from others

We collect and hold data for the purpose of providing healthcare services to our patients and we will ensure that the information is kept confidential. However, we can disclose personal information if:

  • It is required by law
  • You provide your consent – either implicitly for the sake of your own care or explicitly for other purposes
  • It is justified to be in the public interest

To ensure you receive the best possible care, your records are used to enable the care you receive. Information held about you may be used to help protect the health of the public and to help us to manage the NHS. 

Information may be used for clinical audit purposes to monitor the quality of services provided, may be held centrally and may be used for statistical purposes. Where we do this, we ensure that patient records cannot be identified. Sometimes your information may be requested to be used for clinical research purposes – the organisation will always endeavour to gain your consent before releasing the information.

Improvements in information technology are also making it possible for us to share data with other healthcare providers with the objective of providing you with better care. You can choose to withdraw your consent to your data being used in this way. When the organisation is about to participate in any new data-sharing scheme, we will make patients aware by displaying prominent notices and on our website at least four weeks before the scheme is due to start. We will also explain clearly what you have to do to ‘opt-out’ of each new scheme.

A patient can object to their personal information being shared with other healthcare providers but if this limits the treatment that you can receive then the doctor will explain this to you at the time.

What is special category data?

The law states that personal information about your health falls into a special category of information because it is extremely sensitive. Reasons that may entitle us to use and process your information may be as follows:

Public interest – Where we may need to handle your personal information when it is considered to be in the public interest. For example, when there is an outbreak of a specific disease and we need to contact you for treatment or we need to pass your information to relevant organisations to ensure you receive advice and/or treatment

Consent – When you have given us consent

Vital interest – If you are incapable of giving consent and we have to use your information to protect your vital interests (e.g., if you have had an accident and you need emergency treatment)

Defending a claim – If we need your information to defend a legal claim against us by you or by another party

Providing you with medical care – Where we need your information to provide you with medical and healthcare services

The legal justification for collecting and using your information

The law says we need a legal basis to handle your personal and healthcare information.

Contract – We have a contract to deliver healthcare services to you. This contract provides that we are under a legal obligation to ensure that we deliver medical and healthcare services to the public.

Consent – Sometimes we also rely on the fact that you give us consent to use your personal and healthcare information so that we can take care of your healthcare needs. Please note that you have the right to withdraw consent at any time if you no longer wish to receive services from us.

Necessary care – Providing you with the appropriate healthcare where necessary. The law refers to this as ‘protecting your vital interests’ where you may be in a position not to be able to consent.

Law – Sometimes the law obliges us to provide your information to an organisation

How do we use your information?

Your data is collected for the purpose of providing direct patient care; however, we are able to disclose this information if it is required by law, if you give consent or if it is justified in the public interest. 

In order to comply with its legal obligations, this organisation may have to send data to NHS England when directed by the Secretary of State for Health under the Health and Social Care Act 2012. Additionally, we may have to contribute to national clinical audits and will send the data that is required by NHS England as the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form; for example, the clinical code for diabetes or high blood pressure.

Under the UK General Data Protection Regulation, we will be lawfully using your information in accordance with: 

  • Article 6, (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Article 9, (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems

Who can we provide your personal information to and why?

Whenever you use a health or care service, such as attending the local hospital or using the district nursing service, clinical information about you is collected to help ensure you get the best possible care and treatment. This information may be passed to other approved organisations where there is a legal basis to do so, to help with planning services, improving care, researching to develop new treatments and preventing illness. All of this helps in providing better care to you and your family and future generations.

However, as explained in this privacy notice, confidential information about your health and care is only used in this way as allowed by law and would never be used for any other purpose without your clear and explicit consent.

We may pass your personal information on to the following people or organisations because these organisations may require your information to assist them in the provision of your direct healthcare needs. It therefore may be important for them to be able to access your information in order to ensure they may deliver their services to you:

  • Hospital professionals (such as doctors, consultants, nurses etc.)
  • Other GPs/doctors
  • Primary Care Networks
  • NHS Trusts/Foundation Trusts/Specialist Trusts
  • NHS Commissioning Support Units
  • NHS England (NHSE) 
  • Integrated Care Boards (ICBs)
  • Multi-agency Safeguarding Hub (MASH)
  • Independent contractors such as dentists, opticians, pharmacists
  • Any other person who is involved in providing services related to your general healthcare including mental health professionals
  • Private sector providers including pharmaceutical companies to allow for the provision of medical equipment, dressings, hosiery etc.
  • Voluntary sector providers
  • Ambulance Trusts
  • Local authority
  • Social care services
  • Education services
  • Other ‘data processors’, e.g., Diabetes UK

You will be informed who your data will be shared with and in some cases asked for explicit consent for this to happen when this is required.

Who may we provide your information to:

  • For the purposes of complying with the law, e.g., the police or court order
  • Anyone you have given your consent to, to view or receive your record, or part of your record. If you give another person or organisation consent to access your record, we will need to contact you to verify your consent before we release that record. It is important that you are clear and understand how much and what aspects of your record you give consent to be disclosed
  • Computer systems – we operate a clinical computer system on which NHS staff record information securely. This information can then be shared with other clinicians so that everyone caring for you is fully informed about your medical history including allergies and medication. We will make information available to our partner organisations (above) unless you have declined data sharing to ensure you receive appropriate and safe care. Wherever possible, staff will ask your consent before your information is viewed.
  • Extended access – we provide extended access services to our patients so that you can access medical services outside of our normal working hours. To provide you with this service, we have formal arrangements in place with the ICB whereby certain key ‘hubs’ offer this service for you as a patient to access outside of our opening hours.

This means those key ‘hubs’ will have to have access to your medical record to be able to offer you the service. Please note that, to ensure that those hubs comply with the law and to protect the use of your information, we have very robust data sharing agreements and other clear arrangements in place to ensure your data is always protected and used for those purposes only.

  • Data extraction – the ICB at times extracts medical information about you but the information we pass to them via our computer systems cannot identify you to them

This information only refers to you by way of a code that only your own practice can identify (it is pseudo-anonymised). This therefore protects you from anyone who may have access to this information at the ICB from ever identifying you by seeing the medical information and we will never give them the information that would enable them to do this.

Your rights as a patient

The law gives you certain rights to your personal and healthcare information that we hold as set out below:

Access and Subject Access Requests – You have a right under the Data Protection legislation to request access to view or to obtain copies of what information the organisation holds about you and to have it amended should it be inaccurate. To request this, you need to do the following:

  • Your request should be made to the Practice Business Manager at your Doctor’s practice or the PCN Business Manager at WIN. For information from a hospital or other Trust/NHS organisation you should write directly to them
  • There is no charge to have a copy of the information held about you. However, we may, in some limited and exceptional circumstances, have to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive
  • We are required to provide you with information within one month. We would ask therefore that any requests you make are in writing and it is made clear to us what and how much information you require
  • You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified, and your records located

Correction – We want to make sure that your personal information is accurate and up to date. You may ask us to correct any information you think is inaccurate. It is especially important that you make sure you tell us if your contact details including your mobile phone number have changed

Removal – You have the right to ask for your information to be removed. However, if we require this information to assist us in providing you with appropriate medical services and diagnosis for your healthcare, then removal may not be possible

Objection – We cannot share your information with anyone else for a purpose that is not directly related to your health, e.g., medical research, educational purposes etc.

Transfer – You have the right to request that your personal and/or healthcare information is transferred, in an electronic form (or other form), to another organisation but we will require your clear consent to be able to do this.

How long do we keep your personal information?

We are required under UK law to keep your information and data for the full retention periods as specified by the NHSE – Records Management Code of Practice 2023 for health and social care and national archives requirements.

Where do we store your information electronically?

All the personal data we process is processed by our staff in the UK. However, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union. 

No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place such as a data processor as above. We have data protection processes in place to oversee the effective and secure processing of your personal and/or special category data.

This organisation uses a clinical system provided by a data processor called EMIS. With effect from 10 June 2019, EMIS started storing the organisation’s EMIS web data in a highly secure, third-party cloud hosted environment, namely Amazon Web Services (‘AWS’). 

Data does remain in the UK and will be fully encrypted both in transit and at rest. In doing this, there will be no change to the control of access to your data and the hosted service provider will not have any access to the decryption keys. AWS is one of the world’s largest cloud companies, already supporting numerous public sector clients (including the NHS), and it offers the highest levels of security and support.

Maintaining your confidentiality and accessing your records

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the UK General Data Protection Regulation (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality and the NHS Codes of Confidentiality and Security. Every staff member who works for an NHS organisation has a legal obligation to maintain the confidentiality of patient information.

All of our staff, contractors and locums receive appropriate and regular training to ensure they are aware of their personal responsibilities and have legal and contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Only a limited number of authorised staff have access to personal information where it is appropriate to their role and this is strictly on a need-to-know basis. If a sub-contractor acts as a data processor for the organisation, an appropriate contract (Article 24-28) will be established for the processing of your information.

We always maintain our duty of confidentiality to you. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e., life or death situations) or where the law requires information to be passed on and/or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” 

This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.

Our organisational policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the UK General Data Protection Regulation (UK GDPR) and all UK specific data protection requirements. Our policy is to ensure all personal data related to our patients will be protected. 

In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact the organisation in writing if you wish to withdraw your consent. In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.

Sharing your information without consent

We will normally ask you for your consent but there are times when we may be required by law to share your information without your consent, for example: 

  • Where there is a serious risk of harm or abuse to you or other people
  • Safeguarding matters and investigations
  • Where a serious crime, such as assault, is being investigated or where it could be prevented
  • Notification of new births
  • Where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS)
  • Where a formal court order has been issued
  • Where there is a legal requirement, for example if you had committed a road traffic offence.

Third party processors

To enable us to deliver the best possible services, we will share data (where required) with other NHS bodies such as hospitals. In addition, the organisation will use carefully selected third party service providers. When we use a third-party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties include:

  • Companies that provide IT services and support, including our core clinical systems, systems that manage patient facing services (such as our website and services accessible through the same), data hosting service providers, systems that facilitate appointment bookings or electronic prescription services and document management services etc.
  • Further details regarding specific third-party processors can be supplied on request to the data protection officer as below.

Third parties mentioned on your medical record

Sometimes we record information about third parties mentioned by you to us during any consultation. We are under an obligation to make sure we also protect that third party’s rights as an individual and to ensure that references to them that may breach their rights to confidentiality are removed before we send any information to any other party including yourself. Third parties can include spouses, partners and other family members.

Anonymised information

Sometimes we may provide information about you in an anonymised form. If we do so, then none of the information we provide to any other party will identify you as an individual or be traceable back to you.

Audit

Auditing of clinical notes is done by this organisation as part of its commitment to the effective management of healthcare whilst acting as a data processor.

Article 9(2)(h) is applicable to the management of healthcare services and “permits processing necessary for the purposes of medical diagnosis, provision of healthcare and treatment, provision of social care and the management of healthcare systems or services or social care systems or services.” No consent is required to audit clinical notes for this purpose.

Furthermore, compliance with Article 9(2)(h) requires that certain safeguards are met. The processing must be undertaken by or under the responsibility of a professional subject to the obligation of professional secrecy or by another person who is subject to an obligation of secrecy.

Auditing clinical management is no different to a multi-disciplinary team meeting discussion whereby management is reviewed and agreed. It would be realistically impossible, and is unnecessary, to require consent for every patient reviewed. It is also prudent to audit under the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014: Regulation 17: Good Governance.

Computer System

This organisation operates a clinical computer system on which NHS staff record information securely. This information can then be shared with other clinicians so that everyone caring for you is fully informed about your medical history including allergies and medication.

To provide around the clock safe care, unless you have asked us not to, we will make information available to our partner organisations. Wherever possible, their staff will ask your consent before your information is viewed.

GP Connect service

We use a facility called GP Connect to support your direct care. GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patient care, leading to improvements in both care and outcomes. GP Connect is not used for any purpose other than direct care.

Authorised clinicians such as GPs, NHS 111 clinicians, care home nurses (if you are in a care home), secondary care trusts and social care clinicians are able to access the GP records of the patients they are treating via GP Connect.

The NHS 111 service (and other services determined locally e.g., other GP practices in a Primary Care Network) will be able to book appointments for patients at GP practices and other local services.

Invoice validation

If you have received treatment, your information may be shared to determine which ICB is responsible for paying for your treatment. This information may include your name, address and treatment date. All of this information is held securely and confidentially; it will not be used for any other purpose or shared with any third parties.

NHS health checks

Cohorts of our patients aged 40-74 not previously diagnosed with cardiovascular disease are eligible to be invited for an NHS Health Check. Nobody outside the healthcare team at this organisation will see confidential information about you during the invitation process.

Patient communication

As we are obliged to protect any confidential information we hold about you, it is imperative that you let us know immediately if you change any of your contact details. 

We may contact you using SMS texting to your mobile phone should we need to notify you about appointments and other services that we provide to you involving your direct care. This is to ensure we are contacting you and not another person. As this is operated on an ‘opt-out’ basis we will assume that you have given us permission to contact you via SMS if you have provided your mobile telephone number. Please let the organisation know if you wish to opt-out of this SMS service. We may also contact you using the email address you have provided to us.

Primary care networks

The objective of primary care networks (PCNs) is to group practices together to create more collaborative workforces that ease the pressure on GPs, leaving them better able to focus on patient care. All areas within England are covered by a PCN.

Primary Care Networks form a key building block of the NHS long-term plan. Bringing general practices together to work at scale has been a policy priority for some years for a range of reasons including improving the ability of practices to recruit and retain staff, to manage financial and estates pressures, to provide a wider range of services to patients and to integrate with the wider health and care system more easily. 

All GP practices have come together in geographical networks covering populations of approximately 30–50,000 patients to take advantage of additional funding attached to the GP contract. This size is consistent with the size of the primary care homes that exist in many places in the country but is much smaller than most GP federations.

This means that this organisation may share your information with other practices within the Primary Care Network to provide you with your care and treatment.

Risk stratification

Risk stratification is a mechanism used to identify and subsequently manage those patients deemed as being at high risk of requiring urgent or emergency care. Usually this includes patients with long-term conditions, e.g., cancer. Your information is collected from a number of sources including this organisation.

This information is processed electronically and given a risk score which is relayed to your GP who can then decide on any necessary actions to ensure that you receive the most appropriate care.

Safeguarding

The organisation is dedicated to ensuring that the principles and duties of safeguarding adults and children are consistently and conscientiously applied with the wellbeing of all at the heart of what we do. 

Our legal basis for processing for UK General Data Protection Regulation (UK GDPR) purposes is:

  • Article 6(1)(e) ‘…exercise of official authority…’.

For the processing of special categories data, the basis is: 

  • Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’

Safeguarding information such as referrals to safeguarding teams is retained by this organisation when handling a safeguarding concern or incident. We may share information accordingly to ensure a duty of care and investigation as required with other partners such as local authorities, the police or healthcare professionals (i.e., the mental health team).

Shared care

To support your care and improve the sharing of relevant information with our partner organisations (as above) when they are involved in looking after you, we will share information with other systems.

You can opt-out of this sharing of your records with our partners at any time if this sharing is based on your consent. 

Summary care records

During the height of the COVID-19 pandemic changes were made to the Summary Care Record (SCR) to make additional patient information available to all appropriate clinicians when and where they needed it to support direct patient care, leading to improvements in both care and outcomes.

These changes to the SCR will remain in place unless you decide otherwise.

Regardless of your past decisions about your SCR preferences, you will still have the same options that you currently have in place to opt-out of having a SCR, including the opportunity to opt back in to having a SCR or opt back in to allow the sharing of additional information.

You can exercise these choices by doing the following:

  • Choosing to have a SCR with all information shared. This means that any authorised, registered and regulated health and care professionals will be able to see a detailed SCR, including core and additional information if they need to provide you with direct care.
  • Choosing to have a SCR with core information only. This means that any authorised, registered and regulated health and care professionals will be able to see limited information about allergies and medications in your SCR if they need to provide you with direct care.
  • Choosing to opt-out of having a SCR altogether. This means that you do not want any information shared with other authorised, registered and regulated health and care professionals involved in your direct care. You will not be able to change this preference at the time if you require direct care away from your GP practice. This means that no authorised, registered and regulated health and care professionals will be able to see information held in your GP records if they need to provide you with direct care, including in an emergency.

To make these changes, you should inform your GP practice or complete this form and return it to your GP practice.

Telephone system

Our telephone system records all telephone calls. Recordings are retained for up to three years and are used periodically for the purposes of seeking clarification where there is a dispute as to what was said and for staff training. Access to these recordings is restricted to senior staff.

Organisation website

Our website does use cookies to optimise your experience. Using this feature means that you have agreed to the use of cookies as required by the EU Data Protection Directive 95/46/EC. You have the option to decline the use of cookies on your first visit to the website. The only website this privacy notice applies to is this organisation’s website. 

If you use a link to any other website from the organisation’s website then you will need to read their respective privacy notice. We take no responsibility (legal or otherwise) for the content of other websites.

Opt-outs

National opt-out facility

This is used by the NHS, local authorities, university and hospital researchers, medical colleges and pharmaceutical companies researching new treatments.

You can choose to opt-out of sharing your confidential patient information for research and planning. There may still be times when your confidential patient information is used; for example, during an epidemic where there might be a risk to you or to other people’s health. You can also still consent to take part in a specific research project.

Your confidential patient information will still be used for your individual care. Choosing to opt-out will not affect your care and treatment. You will still be invited for screening services such as screening for bowel cancer.

You do not need to do anything if you are happy about how your confidential patient information is used.

If you do not want your confidential patient information to be used for research and planning, you can choose to opt-out by using one of the following: 

  • Online service – patients registering need to know their NHS number or their postcode as registered at their GP practice 
  • Telephone service 0300 303 5678 which is open Monday to Friday between 0900 and 1700
  • NHS App – for use by patients aged 13 and over (95% of surgeries are now connected to the NHS App). The app can be downloaded from the App Store or Google Play

Photocopies of proof of applicant’s name (e.g., passport, UK driving licence etc.) and address (e.g., utility bill, payslip etc.) need to be sent with the application. It can take up to 14 days to process the form once it arrives at NHS, PO Box 884, Leeds, LS1 9TZ.

  • Getting a healthcare professional to assist patients in prison or other secure settings to register an opt-out choice. For patients detained in such settings, guidance is available on the NHS England webpage titled Guidance for detained and secure estates.

Note: Unfortunately, the national data opt-out cannot be applied by this organisation.

General Practice Data for Planning and Research opt-out (GPDPR)

The NHS needs data about the patients it treats to plan and deliver its services and to ensure that the care and treatment provided is safe and effective. The General Practice Data for Planning and Research data collection will help the NHS to improve health and care services for everyone by collecting patient data that can be used to do this. 

For example, patient data can help the NHS to:

  • Monitor the long-term safety and effectiveness of care
  • Plan how to deliver better health and care services
  • Prevent the spread of infectious diseases
  • Identify new treatments and medicines through health research

GP practices already share patient data for these purposes but this new data collection will be more efficient and effective. This means that GPs can get on with looking after their patients and NHS England can provide controlled access to patient data to the NHS and other organisations who need to use it, to improve health and care for everyone.

Contributing to research projects will benefit us all as better and safer treatments are introduced more quickly and effectively without compromising your privacy and confidentiality.

NHS England has engaged with the British Medical Association (BMA), Royal College of GPs (RCGP) and the National Data Guardian (NDG) to ensure relevant safeguards are in place for patients and GP practices.

What patient data is shared about you with NHS England?

The collection date is still to be confirmed. Once it has been, patient data will be collected from GP medical records about:

  • Any living patient registered at a GP practice in England when the collection started – this includes children and adults
  • Any patient who died after the data collection started and was previously registered at a GP practice in England when the data collection started

They will not collect your name or where you live. Any other data that could directly identify you, for example NHS number, General Practice Local Patient Number, postcode and date of birth, is replaced with unique codes that are produced by de-identification software before the data is shared with NHS England.

This process is called pseudonymisation and means that no one will be able to directly identify you from the data. The diagram below helps to explain what this means; using the terms in the diagram, the data we share would be described as de-personalised.

Image provided by Understanding Patient Data under licence.

The data collected by NHS England

We will share structured and coded data from GP medical records that is needed for specific health and social care purposes as explained above.

Data that directly identifies you as an individual patient, including your NHS number, General Practice Local Patient Number, postcode, date of birth and if relevant date of death, is replaced with unique codes produced by de-identification software before it is sent to NHS England. This means that no one will be able to directly identify you in the data.

NHS England will collect:

  • Data on your sex, ethnicity, and sexual orientation
  • Clinical codes and data about diagnoses, symptoms, observations, test results, medications, allergies, immunisations, referrals and recalls and appointments including information about your physical, mental, and sexual health
  • Data about the staff who have treated you

More detailed information about the patient data collected is contained within the Data Provision Notice issued to GP practices.

NHS England will not collect:

  • Your name and address (except for your postcode in unique coded form)
  • Written notes (free text) such as the details of conversations with doctors and nurses
  • Images, letters and documents
  • Coded data that is not needed due to its age – for example medication, referral and appointment data that is over 10 years old
  • Coded data that GPs are not permitted to share by law – for example certain codes about IVF treatment and certain information about gender re-assignment

NHS England legal basis for collecting, analysing and sharing patient data

When NHSE collects, analyses, publishes and shares patient data, there are strict laws in place that it must follow. Under the UK General Data Protection Regulation (UK GDPR), this includes explaining to patients what legal provisions apply under UK GDPR that allow it to process patient data. The UK GDPR protects everyone’s data.

NHSE has been directed by the Secretary of State for Health and Social Care under the General Practice Data for Planning and Research Directions 2021 to collect and analyse data from GP practices for health and social care purposes including policy, planning, commissioning, public health and research purposes. NHSE is the controller of the patient data collected and analysed under the GDPR jointly with the Secretary of State for Health and Social Care.

All GP practices in England are legally required to share data with NHSE for this purpose under the Health and Social Care Act 2012. More information about this requirement is contained in the Data Provision Notice issued by NHSE to GP practices.

NHSE has various powers to publish anonymous statistical data and to share patient data under sections 260 and 261 of the 2012 Act. It also has powers to share data under other Acts, for example the Statistics and Registration Service Act 2007.

Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002 (COPI) also allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency. The Secretary of State issued legal notices under COPI (COPI Notices) requiring NHSE, arm’s-length bodies (such as UK Health Security Agency), local authorities, NHS trusts, ICBs and GP practices to share confidential patient information to respond to the COVID-19 outbreak. 

It should be noted that COPI came to an end on 30 June 2022 and was not renewed. 

How NHS England uses patient data

NHSE will analyse and link the patient data we collect with other patient data we hold to create national data sets and for data quality purposes. NHSE will be able to use the de-identification software to convert the unique codes back to data that could directly identify patients in certain circumstances for these purposes, where this is necessary and where there is a valid legal reason. There are strict internal approvals which need to be in place before NHSE can do this and this will be subject to independent scrutiny and oversight by the Independent Group Advising on the Release of Data (IGARD).

These national data sets are analysed and used by NHSE to produce national statistics and management information including public dashboards about health and social care which are published. NHSE never publishes any patient data that could identify any individual. All data they publish is anonymous statistical data.

For more information about data NHSE publishes see Data and Information and Data Dashboards.

Who does NHS England share patient data with?

All data that is shared by NHSE is subject to robust rules relating to privacy, security and confidentiality and only the minimum amount of data necessary to achieve the relevant health and social care purpose will be shared.

All requests to access patient data from this collection, other than anonymous aggregate statistical data, will be assessed by NHSE’s Data Access Request Service to make sure that organisations have a legal basis to use the data and that it will be used safely, securely and appropriately.

These requests for access to patient data will also be subject to independent scrutiny and oversight by the Independent Group Advising on the Release of Data (IGARD). Organisations approved to use this data will be required to enter into a data sharing agreement with NHSE regulating the use of the data.

There are several organisations that are likely to need access to different elements of patient data from the General Practice Data for Planning and Research collection. These include but may not be limited to:

  • The Department of Health and Social Care (DHSC) and its executive agencies including UK Health Security Agency (UKHSA) and other government departments
  • NHS England
  • Primary Care Networks (PCNs) and Integrated Care Boards (ICBs)
  • Local Authorities
  • Research organisations including universities, charities, clinical research organisations that run clinical trials and pharmaceutical companies

If the request is approved, the data will either be made available within a secure data access environment within the NHSE infrastructure or, where the needs of the recipient cannot be met this way, as a direct dissemination of data. NHSE plans to reduce the amount of data being processed outside central, secure data environments and increase the data it makes available to be accessed via its secure data access environment. 

Data will always be shared in the uniquely coded form (de-personalised data in the diagram above) unless in the circumstances of any specific request it is necessary for it to be provided in an identifiable form (personally identifiable data in the diagram above), for example, when express patient consent has been given to a researcher to link patient data from the General Practice Data for Planning and Research collection to data the researcher has already obtained from the patient. It is therefore possible for NHSE to convert the unique codes back to data that could directly identify patients in certain circumstances, and where there is a valid legal reason which permits this without breaching the common law duty of confidentiality.

This would include:

  • Where the data is needed by a health professional for the patient’s own care and treatment
  • Where the patient has expressly consented to this, for example to participate in a clinical trial
  • Where there is a legal obligation, for example where there are COPI Notices 
  • Where approval has been provided by the Health Research Authority or the Secretary of State with support from the Confidentiality Advisory Group (CAG) under Regulation 5 of the Health Service (Control of Patient Information) Regulations 2002 (COPI) – this is sometimes known as a ‘section 251 approval’

This would mean that the data was personally identifiable in the diagram above. Re-identification of the data would only take place following approval of the specific request through the Data Access Request Service and subject to independent assurance by IGARD and consultation with the Professional Advisory Group which is made up of representatives from the BMA and the RCGP. If patients have registered a national data opt-out this would be applied in accordance with the national data opt-out policy before any identifiable patient data (personally identifiable data in the diagram above) about the patient was shared. 

Details of who NHSE has shared data with, in what form and for what purposes are published on its data release register.

Where does NHS England store patient data?

NHSE only stores and processes patient data for this data collection within the United Kingdom (UK). Fully anonymous data (that does not allow patients to be directly or indirectly identified), for example statistical data that is published, may be stored and processed outside of the UK.

Some of the NHSE processors may process patient data outside of the UK. If they do, they will always ensure that the transfer outside of the UK complies with data protection laws.

What to do if you have any questions

Should you have any questions about our privacy policy or the information we hold about you, you can:

  1. Contact the organisation via email at [email protected]. PCNs are data controllers for the data they hold about their patients (for more information, refer to the BMA guidance on this subject)
  2. Ask to speak to the PCN Business Manager

Objections or complaints

If you are unhappy with any element of our data processing methods, contact the PCN Business Manager in the first instance. If you feel that we have not addressed your concern appropriately, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). 

The ICO can be contacted via https://ico.org.uk (select “Raising a concern”) or by telephone on 0303 123 1113.

The ICO is the regulator for data protection and offers independent advice and guidance on the law and personal data including your rights and how to access your personal information.

Changes to our privacy policy

We regularly review our privacy policy and any updates will be published on our website and on posters to reflect the changes. 

Annex B – Social media/website information

Using your health data for planning and research

You can decide whether you wish to have your information extracted and there are two main options available to you.

Option 1:

Type 1 opt-out applies at organisational level and means that your medical record is not extracted from the organisation for any purpose other than for direct patient care. You can opt-out at any time. Opting out will mean that no further extractions will be taken from your medical record.

For a Type 1 Opt-out, you need to contact the practice by phone, email or post to let us know that you wish to opt-out. 

Further information is available here.

Option 2: 

The National Data Opt-out (NDO-O) allows data to be extracted by NHS England for its lawful purposes but it cannot share this information with anyone else for research and planning purposes. You can opt-out at any time.

NDO-O – you need to inform NHS England. Unfortunately, this cannot be done by the practice for you. You can opt in or out at any time and complete this by any of the following methods:

  • Telephone service 0300 303 5678 which is open Monday to Friday between 0900 and 1700
  • NHS App – For use by patients aged 13 and over (95% of surgeries are now connected to the NHS App). The app can be downloaded from the App Store or Google Play
  • Photocopies of proof of the applicant’s name (e.g., passport, UK driving licence etc.) and address (e.g., utility bill, payslip etc.) need to be sent with the application.

It can take up to 14 days to process the form once it arrives at NHS, PO Box 884, Leeds, LS1 9TZ.

Further information on NDO-O is available here.

Annex C – Patient text messaging and telephone message templates

Text message content template

You can opt-out of your health information being shared with NHS England for planning and research before the commencement date. 

Visit https://www.nhs.uk/your-nhs-data-matters/manage-your-choice/ for more information.

Patient information for website template

The way in which patient data gathering is done by NHS England is changing. There is currently a lot of information online and in the news about your choices and opting out of these collections. You can opt-out of your GP record being shared with NHS England for planning and research and this should be done before the commencement date.

For more information, please visit our privacy notice at [insert link to practice privacy notice].

Email response template

Thank you for your email regarding the sharing of patient data and being able to opt-out of these collections. The NHS England GP Data extraction is a legally required activity for this practice; however, you do have a right to opt-out of the sharing of your data for research and planning purposes. 

NHS England provides a detailed guide for patients on how the information it extracts is used and how you can opt-out. This can be found at https://digital.nhs.uk/data-and-information/data-collections-and-data-sets/data-collections/general-practice-data-for-planning-and-research

Please be aware that there are two types of opt-out:

Type 1 Opt-out – applies at organisational level and means that the patient’s medical record is not extracted from the organisation for any purpose other than for direct patient care.

If you wish to opt-out, please let us know. 

National Data Opt-out (NDO-O) – allows data to be extracted by NHS England for its lawful purposes but it cannot share this information with anyone else for research and planning purposes.

If you wish to apply NDO-O, you must do this directly with NHS England. You can do this in any of the following ways:

  • Telephone service 0300 303 5678 which is open Monday to Friday between 0900 and 1700.
  • NHS App – For use by patients aged 13 and over (95% of surgeries are now connected to the NHS App). The app can be downloaded from the App Store or Google Play.
  • “Print and post” registration form:

https://assets.nhs.uk/prod/documents/Manage_your_choice_1.1.pdf

Photocopies of proof of applicant’s name (e.g., passport, UK driving licence etc.) and address (e.g., utility bill, payslip etc.) need to be sent with the application to:

National Data Opt-out

Contact Centre

NHS England

7 and 8 Wellington Place

LEEDS

LS1 4AP

Note, it can take up to 14 days to process the form.

Telephone message template

We have received numerous enquiries about patient data being extracted by NHS England to be used for research and planning. You, as a patient, have the right to opt-out of your information being used in this way. 

Extensive information about this process can be found by visiting our website [insert website address] or, if you do not have internet access, please speak with a member of our reception team who will be very happy to explain this to you.

Annex D – Organisational staff opt-out guidance

This guidance is provided to all staff who may be required to respond to queries about the current data opt-outs available.

Who is NHS England?

  • NHS England is the national information and technology partner for the health and care system
  • It provides information and data to the health service so that it can plan effectively and monitor progress, creates and maintains the technological infrastructure that keeps the health service running and links systems together to provide seamless care, and develops information standards that improve the way different parts of the system communicate
  • NHS England is the national custodian for health and care data in England and has responsibility for standardising, collecting, analysing, publishing and sharing data and information from across the health and social care system, including general practice

What does it do with the data it collects?

  • Patient data collected from general practice is needed to support a wide variety of research and analysis to help run and improve health and care services. 

Whilst the data collected in other care settings such as hospitals is valuable in understanding and improving specific services, it is the patient data in general practice that helps NHS England to understand whether the health and care system as a whole is working for patients.

  • Research the long-term impact of coronavirus on the population
  • Analyse healthcare inequalities
  • Research and develop cures for serious illnesses

What type of data does NHS England extract from the organisation?

  • Diagnoses and symptoms
  • Observations
  • Test results
  • Medications
  • Allergies and immunisations
  • Referrals, recalls and appointments
  • The patient’s sex, ethnicity and sexual orientation
  • Data about staff who have treated the patient

If a patient wishes to opt-out of data sharing, there are two types of opt-out:

  • National Data Opt-out (NDO-O) allows data to be extracted by NHS England for its lawful purposes but it cannot share this information with anyone else for research and planning purposes.

How does a patient opt-out?

  • Type 1 Opt-out – the patient must inform the practice of their decision and this is coded at the practice locally to their clinical record.
  • National Data Opt-out (NDO-O) – the patient must do this themselves with NHS England. Unfortunately, this cannot be done by the organisation. The patient can do this by:
  • Telephone service 0300 303 5678 which is open Monday to Friday between 0900 and 1700.
  • NHS App – For use by patients aged 13 and over (95% of surgeries are now connected to the NHS App). The app can be downloaded from the App Store or Google Play.
  • “Print and post” registration form:

https://assets.nhs.uk/prod/documents/Manage_your_choice_1.1.pdf

Photocopies of proof of applicant’s name (e.g., passport, UK driving licence etc.) and address (e.g., utility bill, payslip etc.) need to be sent with the application to:

National Data Opt-out
Contact Centre
NHS England
7 and 8 Wellington Place
LEEDS
LS1 4AP

Note, it can take up to 14 days to process the form.

  • Getting a healthcare professional to assist patients in prison or other secure settings to register an opt-out choice. For patients detained in such settings, guidance is available on NHS England and a proxy form is available to assist in registration.

Coding the patient record

If the patient wishes to opt-out – use code 827241000000103 Dissent from secondary use of general practitioner patient identifiable data (finding).

If the patient wishes to opt in – use code 827261000000102 Dissent withdrawn for secondary use of general practitioner.

Privacy Notice – Candidates applying for work

Introduction

1.1      Principles

NHS England is a data controller and has a legal duty, in line with the UK General Data Protection Regulation (UK GDPR), to explain why it is using data and what data is being used. Similarly, Wyre Integrated Network has a duty to advise candidates applying for work of the purpose of personal data and the methods by which their personal data will be processed.

Every candidate should be aware of the candidate privacy notice and understand how information may be used and with whom the organisation will share that information.    

The first principle of data protection is that personal data must be processed fairly and lawfully. Being transparent and providing accessible information to persons about how their personal data is used is a key element of the UK General Data Protection Regulation.

UK General Data Protection Regulation (UK GDPR) and GDPR – The Perfect Practice eLearning courses are available in the HUB.

1.2      Status

The organisation aims to design and implement policies and procedures that meet the diverse needs of our service and workforce, ensuring that none are placed at a disadvantage over others, in accordance with the Equality Act 2010. Consideration has been given to the impact this policy might have regarding the individual protected characteristics of those to whom it applies.

This document and any procedures contained within it are non-contractual and may be modified or withdrawn at any time. For the avoidance of doubt, it does not form part of your contract of employment. Furthermore, this document applies to all employees of the organisation and other individuals performing functions in relation to the practice such as agency workers, locums and contractors.

2       Compliance with regulations

2.1      UK GDPR

In accordance with the UK GDPR, this organisation will ensure that information provided to subjects about how their data is processed will be:

  • Concise, transparent, intelligible and easily accessible
  • Written in clear and plain language, particularly if addressed to a child
  • Free of charge

2.2      Article 5 compliance

In accordance with Article 5 of the UK GDPR, this organisation will ensure that any personal data is: 

  • Processed lawfully, fairly and in a transparent manner in relation to the data subject
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate having regard to the purposes for which it is processed is erased or rectified without delay 
  • Kept in a form that permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed
  • Processed in a manner that ensures the appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures

Article 5 also stipulates that the controller shall be responsible for, and be able to demonstrate compliance with, the above. 

2.3      Communicating privacy information

At this organisation, this privacy notice is displayed on our website and is available in writing if requested.

We will:

  • Inform candidates how their data will be used and for what purpose
  • Allow candidates to opt out of sharing their data should they so wish

3       Further information

3.1      Privacy notice checklists

The Information Commissioner’s Office has provided a privacy notice checklist that can be used to support the writing of the organisation’s privacy notice. The checklist can be found by following this link.

3.2      Privacy notice template

A privacy notice template can be found at Annex A.

It is recognised that the type and style of privacy notices may vary. However, this privacy notice template has been reviewed as appropriate by a current Data Protection Officer. It is acknowledged to be extensive and covers all eventualities that may occur around information governance. 

Annex A – Candidates applying for work privacy notice

Introduction

At Wyre Integrated Network, we have a legal duty to explain how we use any personal information we collect about you at the organisation. We collect records during the recruitment stage and then data continues to be collected for any successful candidate. This is in both electronic and paper format.

This privacy notice applies to personal information processed by or on behalf of this organisation. We are required to provide you with this privacy notice by law. It provides information on how we use the personal and healthcare information we collect, store and hold about you. If you have any questions about this privacy notice or are unclear about how we process or use your personal information or have any other issue regarding your personal and healthcare information, then please contact our data protection officer Hayley Digman  [email protected]

This notice explains:

  • Who we are, how we use your information and our Data Protection Officer (DPO)
  • What kind of personal information about you we process 
  • What the legal grounds are for our processing of your personal information (including when we share it with others) 
  • What you should do if your personal information changes 
  • How long your personal information is retained by us 
  • What your rights are under data protection laws 

The UK General Data Protection Regulation (UK GDPR) became law on 24th May 2016. This is a single EU-wide regulation on the protection of confidential and sensitive information. It entered into force in the UK on the 25th May 2018, repealing the Data Protection Act (1998). 

For applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) and the Data Protection Act 2018 (DPA2018)), the organisation responsible for your personal data is Wyre Integrated Network.

This notice describes how we collect, use and process your personal data and how, in doing so, we comply with our legal obligations to you. Your privacy is important to us and we are committed to protecting and safeguarding your data privacy rights. This privacy policy applies to the personal data collected from candidates applying for roles within the organisation.

How we use your information and the law

This organisation will be what is known as the ‘controller’ of the personal data you provide to us. Upon applying for work with the organisation you will be asked to supply the following personal information:

  • Name
  • Address
  • Telephone numbers
  • Email address 
  • Date of birth
  • Previous employment data
  • Recruitment information such as your application form and CV, references, qualifications and membership of any professional bodies and details of your employment history, skills and experience
  • Information about your current level of remuneration, including benefit entitlements
  • Whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process
  • Information in relation to your right to work in the UK [as per the Rights to Work in the UK –  guide to checking]
  • Information from the Disclosure and Barring Service (DBS) in order to administer relevant checks and procedures
  • Vaccination and immunisation status/information

The information that we ask you to provide to the organisation is required for the following reasons:

  • In order for us to review your application
  • In order for us to contact you with interview details
  • To comply with appropriate employment law
  • To ensure that we can provide any reasonable adjustments as necessary

The organisation may collect this information in a variety of ways, for example from application forms, CVs or resumes, obtained from your passport or other identity documents such as your driving licence and from forms completed by you or through interviews, meetings or other assessments including on-line tests.

This personal data might be provided to us by you, or someone else (such as a former employer’s reference, information from background check providers including criminal records checks permitted by law) or it could be created by us.

The organisation will seek information from third parties only once a job offer has been made to you and we will inform you that we are doing so.

Your personal data will be stored in a range of different places including in your application record, in the organisation’s HR management systems and in other IT systems (including the organisation’s email system).

Throughout the application process we will collect data and add this to your personnel file i.e., interview question answers, interview scores etc. 

Special categories of personal data

Some special categories of personal data, such as information about health or medical conditions, are processed to carry out employment law obligations (such as those in relation to job applicants with disabilities).

For some roles, the organisation is obliged to seek information about criminal convictions and offences. Where we seek this information, we do so because it is necessary for us to carry out our obligations and exercise specific rights in relation to employment.

Where the organisation processes other special categories of personal data such as information about ethnic origin, sexual orientation or religion or belief, this is done for the purposes of equal opportunities monitoring. This is to carry out its obligations and exercise specific rights in relation to employment.

Automated decision-making

Employment decisions are not based solely on automated decision-making.

How do we lawfully use your data?

We need to know your personal, sensitive and confidential data in order to employ you. Under the General Data Protection Regulation we will be lawfully using your information in accordance with: 

  • Article 6, (b) Necessary for performance of/entering into contract with you 
  • Article 9(2) (b) Necessary for controller to fulfil employment rights or obligations in employment

This notice applies to the personal data of our candidates applying for work at this organisation.

How do we maintain the confidentiality of your record?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with: 

We will only ever use or pass on information about you to others who have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e., life or death situations) or where the law requires information to be passed on.

Our policy is to respect the privacy of our candidates and to maintain compliance with the UK General Data Protection Regulation (UK GDPR) and all UK specific Data Protection Requirements. Our policy is to ensure all personal data will be protected. 

All employees and sub-contractors engaged by this organisation are asked to sign a confidentiality agreement. The organisation will, if required, sign a separate confidentiality agreement if the client deems it necessary. If a sub-contractor acts as a data processor for the organisation, an appropriate contract (art 24-28) will be established for the processing of your information.

Where do we store your information electronically?

All the personal data we process is processed by our organisation in the UK. However, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union. 

No third parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place. We have a data protection regime in place to oversee the effective and secure processing of your personal and/or special category (sensitive, confidential) data.

Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:

  • Primary Care Networks
  • Integrated Care Systems
  • NHS Commissioning Support Units 
  • Clinical Commissioning Groups 
  • NHS England (NHSE) and NHS Digital (NHSD) 
  • Local authorities
  • CQC
  • Private sector providers providing employment services
  • Other ‘data processors’ which you will be informed of 

Sharing your personal data

Your information may be shared internally for the purpose of the recruitment exercise including with members of the HR and recruitment team, interviewers in the recruitment process, managers in the business area with the vacancy and IT staff if access to the data is necessary for performance of their roles.

The organisation will not share your personal data with third parties except those engaged for the purposes of the recruitment process or unless your application for employment is successful and we make you an offer of employment.  We will then share your data with former employers to obtain references for you, employment background check providers to obtain necessary background checks and the Disclosure and Barring Service to obtain necessary criminal record checks.

You will be informed who your data will be shared with and in some cases asked for consent for this to happen when this is required.

We may also use external companies to process personal information such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.  All employees and sub-contractors engaged by this organisation are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor for the organisation, an appropriate contract (art 24-28) will be established for the processing of your information.

Who is the data controller?

This organisation is registered as a data controller under the Data Protection Act 2018. Our registration number is ZB085590 and our registration can be viewed online in the public register at http://www.ico.gov.uk. This means we are responsible for handling your personal and healthcare information and collecting and storing it appropriately.

We may also process your information for a particular purpose and therefore we may also be data processors. The purposes for which we use your information are set out in this privacy notice.

How long do we keep your personal information?

We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records Management Code of Practice for health and social care and national archives requirements.

If your application is unsuccessful, the organisation will hold your personal data for a period of six months following the recruitment process. If you agree to allow the organisation to keep your personal data on file, for consideration for future job opportunities, we will hold your data for a further six months.  At the end of that period (or once you withdraw consent), your data will be deleted or destroyed.  

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment.  

More information on records retention can be found online at: NHSE – Records Management Code of Practice 2023.

Storing DBS certificates

The correct storage of DBS certificate information is important. The code of practice requires that the information revealed is considered only for the purpose for which it was obtained and should be destroyed after six months.

How can you access, amend or move the personal data that you have given to us?

Even if we already hold your personal data, you still have various rights in relation to it. For further information about this, please contact the PCN Business Manager. We will seek to deal with your request without undue delay and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise.

  • Right to object: If we are using your data because we deem it necessary for our legitimate interests to do so, and you do not agree, you have the right to object. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases). Generally, we will only disagree with you if certain limited conditions apply.
  • Right to withdraw consent: Where we have obtained your consent to process your personal data for certain activities (for example for a research project), or consent to market to you, you may withdraw your consent at any time.
  • Right to erasure: In certain situations (for example, where we have processed your data unlawfully), you have the right to request us to “erase” your personal data. We will respond to your request within 30 days (although we may be allowed to extend this period in certain cases) and will only disagree with you if certain limited conditions apply. If we do agree to your request, we will delete your data but will generally assume that you would prefer us to keep a note of your name on our register of individuals who would prefer not to be contacted. That way, we will minimise the chances of you being contacted in the future where your data is collected in unconnected circumstances. If you would prefer us not to do this, you are free to say so. 
  • Right of data portability: If you wish, you have the right to transfer your data from us to another data controller.

Your rights as a candidate applying for work

Data Subject Access Requests (DSAR): You have a right under the data protection legislation to request access to view or to obtain copies of what information this organisation holds about you and to have it amended should it be inaccurate. To request this, you need to do the following: 

  • Your request should be made to PCN Business Manager
  • There is no charge to have a copy of the information held about you. However, we may, in some limited and exceptional circumstances, have to make an administrative charge for any extra copies if the information requested is excessive, complex or repetitive
  • We are required to provide you with information within one month. We would ask therefore that any requests you make are in writing and it is made clear to us what and how much information you require
  • You will need to give adequate information (for example full name, address, date of birth and details of your request) so that your identity can be verified, and your records located

What should you do if your personal information changes?

You should tell us so that we can update our records. Please contact the PCN Business Manager as soon as any of your details change; this is especially important for changes of address or contact details (such as your mobile phone number).

What to do if you have any questions

Should you have any questions about this privacy policy or the information we hold about you, you can:

  1. Contact the organisation via telephone on 01253 957225
  2. Ask to speak to the PCN Business Manager

The data protection officer (DPO) for this organisation is Hayley Gidman. 

Objections or complaints

In the unlikely event that you are unhappy with any element of our data-processing methods, do please contact the PCN Business Manager at Wyre Integrated Network, Thornton Medical Centre, Church Road, Thornton Cleveleys, FY5 2TZ in the first instance. If you feel that we have not addressed your concern appropriately, you have the right to lodge a complaint with the ICO. For further details, visit ico.gov.uk and select “Raising a concern” or telephone: 0303 123 1113

The Information Commissioner’s Office is the regulator for the General Data Protection Regulation and offers independent advice and guidance on the law and personal data including your rights and how to access your personal information.

Changes to our privacy policy

We regularly review our employee privacy policy, and any updates will be published to reflect the changes. 

Privacy Notice – Website

We are committed to protecting your privacy. You can access our website without giving us any information about yourself. But sometimes we do need information to provide services that you request, and this statement of privacy explains data collection and use in those situations.

In general, you can visit our website without telling us who you are and without revealing any information about yourself. However, there may be occasions when you choose to give us personal information, for example, when you choose to contact us or request information from us. We will ask you when we need information that personally identifies you or allows us to contact you.

We collect the personal data that you may volunteer while using our services. We do not collect information about our visitors from other sources, such as public records or bodies, or private organisations. We do not collect or use personal data for any purpose other than that indicated below:

  • To send you confirmation of requests that you have made to us
  • To send you information when you request it.

We intend to protect the quality and integrity of your personally identifiable information and we have implemented appropriate technical and organisational measures to do so. We ensure that your personal data will not be disclosed to State institutions and authorities except if required by law or other regulation.

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should be aware that we don’t have any control over the other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting these sites.

Privacy Notice – Children

The Village Practice has a legal duty to explain how we use any personal information we collect about you, as a registered patient, at the organisation. Staff at this organisation maintain records about your health and the treatment you receive in electronic and paper format.

WHAT IS A PRIVACY NOTICE AND WHY DOES IT APPLY TO ME?

A privacy notice tells people how organisations use information that they hold about them. A new law called the UK General Data Protection Regulation 2016, also known as GDPR, says that we need to provide you with this privacy notice and let you know:

  • What information we hold about you
  • How we keep this especially important information safe and secure and where we keep it
  • How we use your information
  • Who we share your information with
  • What your rights are
  • When the law gives us permission to use your information

WHY DOES THE LAW SAY YOU CAN USE MY INFORMATION?

The law gives us permission to use your information in situations where we need it to take care of you. Because information about your health is very personal, sensitive and private to you, the law is very strict about how we use it.

So, before we can use your information in the ways we have set out in this privacy notice, we have to have a good reason in law which is called a ‘lawful basis’.  Not only do we have to do that, but we also have to show that your information falls into a special group or category because it is very sensitive. By doing this, the law makes sure we only use your information to look after you and that we do not use it for any other reason.

If you would like more information about this, please ask to speak to our data protection officer (DPO) mentioned in this privacy notice who will explain this in more detail.

ABOUT US

We, at The Village Practice, are responsible for collecting, storing and handling your information when you are registered with us as a patient. Because we do this, the law says we are the data controller. Sometimes we may use your information for a particular purpose and, when we do so, the law says we are the data processor.

WHAT INFORMATION DO WE HOLD ABOUT YOU?

Personal information is anything that identifies you as a person and we all have personal information. Personal information that tells us something about you includes:

  • Your name
  • Address
  • Mobile number
  • Information about your parent(s) or person with parental responsibility
  • All your health records
  • Appointment records
  • Treatments you have had
  • Medicines prescribed for you and any other information to help us look after you

HOW DO WE KEEP IT SAFE?

  • The law says that we must do all we can to keep your information private, safe and secure.
  • We use secure computer systems and we make sure that any written information held about you is under lock and key and kept in a safe place. This includes taking great care with any passwords we use which we change on a regular basis. We also train our staff to respect your privacy and deal with your information in a manner that makes sure it is always kept and dealt with in a safe way.

WHAT DO WE DO WITH YOUR INFORMATION?

  • We only usually use your information to help us care for you. That means we might need to share your information with other people who are concerned and involved with looking after your health.
  • We might need to share your information with the police, courts, social services, solicitors and other people who have a right to your information, but we always make sure that they have a legal right to see it (or have a copy of it) before we provide it to them.

WHO ELSE WILL SEE MY INFORMATION?

Usually only doctors, nurses and other people who work with us are allowed to see your information.

Sometimes though, if you need to go to the hospital or be seen by a special doctor, we will share your information with them but this is only so that we can take care of you.

  • Sometimes we might be asked to take part in medical research that might help you in the future. We will always ask you or your parent(s) or adult with parental responsibility if we can share your information if this happens.
  • Possibly the police, social services, the courts and other organisations and people who may have a legal right to see your information.

WHAT IF I WANT TO SEE MY INFORMATION YOU HOLD ABOUT ME?

  • If you want to see what information we hold about you then you have a right to see it and you can ask for it.
  • To ask for your information you will usually need to put your request in writing and tell us what information you want us to give you.
  • We usually need to answer you within one month. Your parent(s) or adult with parental responsibility can help you with this if you need help.
  • We will give this to you free of charge.
  • If you think there are any errors in the information we hold about you then you can ask us to correct it but the law says we cannot remove any of the information we hold about you even if you ask us to. This is because we need this information to take care of you.
  • You have a right to ask us not to share your information.
  • If you would like to talk to us about not sharing your information, even if this means you do not want us to share your information with your parent(s) or adult with parental responsibility, please let us know. We will be happy to help.

WHAT IF I WANT TO OPT OUT OF SHARING MY DATA?

National opt-out facility

You can choose to opt out of sharing your confidential patient information for research and planning. There may still be times when your confidential patient information is used; for example, during an epidemic where there might be a risk to you or to other people’s health. You can also still consent to take part in a specific research project.

Your confidential patient information will still be used for your individual care. Choosing to opt out will not affect your care and treatment.

You do not need to do anything if you are happy about how your confidential patient information is used.

If you do not want your confidential patient information to be used for research and planning, you can choose to opt out by using one of the following methods:

Photocopies of proof of applicant’s name (e.g., passport, UK driving licence etc.) and address (e.g., utility bill, payslip etc.) need to be sent with the application. It can take up to 14 days to process the form once it arrives at NHS, PO Box 884, Leeds, LS1 9TZ.

Note: Unfortunately, the national data opt-out cannot be applied by this organisation.

General practice data for planning and research opt out (GPDPR)

The NHS needs data about the patients it treats to plan and deliver its services and to ensure that the care and treatment provided is safe and effective. The General Practice Data for Planning and Research data collection will help the NHS to improve health and care services for everyone by collecting patient data that can be used to do this. For example, your data can help the NHS to:

  • Monitor the long-term safety and effectiveness of care
  • Plan how to deliver better health and care services
  • Prevent the spread of infectious diseases
  • Identify new treatments and medicines through health research

GP practices already share patient data for these purposes but this new data collection will be more efficient and effective. Contributing to research projects will benefit us all as better and safer treatments are introduced more quickly and effectively without compromising your privacy and confidentiality.

What patient data is shared about you with NHS Digital

Patient data will be collected from GP medical records about:

  • Any living patient registered at a GP practice in England when the collection started – this includes children and adults
  • Any patient who died after the data collection started, and was previously registered at a GP practice in England when the data collection started

They will not collect your name or where you live. Any other data that could directly identify you, for example NHS number, General Practice Local Patient Number, postcode and date of birth, is replaced with unique codes which are produced by de-identification software before the data is shared with NHS Digital.

Opting out of NHS Digital collecting patient data (Type 1 opt-out)

If you do not want your identifiable patient data to be shared outside of your GP practice for purposes other than your own care, you can register an opt-out with your own GP practice. This is known as a Type 1 Opt-out.

You can register a Type 1 Opt-out at any time and you can also change your mind at any time and withdraw a Type 1 Opt-out.

WHAT IF I HAVE A QUESTION?

Should you have any questions about our privacy policy or the information we hold about you, you can:

  • Contact the organisation via telephone at 01253 955561
  • Write to the data protection officer, Hayley Gidman, at [email protected]
  • Ask to speak to the Practice Business Manager or their deputy Patient Services Manager

GP practices are data controllers for the data they hold about their patients.

The data protection officer (DPO) for The Village Practice is Hayley Gidman.

WHAT IF I HAVE A SERIOUS COMPLAINT ABOUT HOW YOU LOOK AFTER MY INFORMATION?

In the unlikely event that you are unhappy with any element of our data processing methods, do please contact the Practice Business Manager at The Village Practice, Thornton Medical Centre, Church Road, Thornton Cleveleys FY5 2TZ in the first instance. If you feel that we have not addressed your concern appropriately, you have the right to lodge a complaint with the ICO. For further details, visit ico.gov.uk and select “Raising a concern” or telephone: 0303 123 1113.

The Information Commissioner’s Office is the regulator for the General Data Protection Regulation and offers independent advice and guidance on the law and personal data, including your rights and how to access your personal information.

UPDATES TO THIS PRIVACY NOTICE

  • The law says we must keep all information we provide in this PRIVACY NOTICE up to date.
  • This privacy notice was last updated on 3 May 2023 and will be reviewed on 3 May 2024.

Transparency Notice

Transparency Notice – GP Connect

GP Connect is a platform which allows different systems to communicate so that clinicians in different care settings can view a patient’s GP record.

The PCN (Primary Care Network) accesses and keeps data on you relating to who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and outside the NHS as well as comments and aide memoires reasonably made by healthcare professionals within the PCN who are appropriately involved in your health care.

If your health needs require care from others elsewhere within the PCN, we will exchange with them whatever information about you is necessary for them to provide that care. People who have access to your information will only normally have access to that which they need to fulfil their roles.

Your consent to this sharing of data for the purpose of direct care with those outside the practice is assumed and allowed by the Law.

Users accessing the information must have the right level of security clearance and have a special account set up or a special access card. Each time anyone accesses your medical record, this information is logged.

When you contact healthcare providers outside the practice but within the NHS, it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non-NHS services, but this is not always the case.

You have the right to object to our sharing your data in these circumstances, but we have an overriding responsibility to do what is in your best interests. Individuals have the right to make pre-determined decisions about the type and extent of care they will receive should they fall ill in the future; these are known as “Advance Directives”. If lodged in your records these will normally be honoured despite the observations in the paragraph above.

GP Connect also enables your medical records to be transferred electronically to your new registered practice without delay. This enables continuity of your care by different providers.

We are required by Articles in the UK GDPR to provide you with the information in the following subsections:

Data Controller contact details: Wyre Integrated Network

Data Protection Officer contact details: Hayley Gidman, [email protected]

Purpose of the processing: The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and/or care.

Lawful Basis for processing: The processing of personal data in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the UK GDPR:

  • Article 6(1)(d) ‘processing is necessary to protect the vital interests of the data subject or of another natural person’.
  • Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
  • Article 9(2)(c) ‘processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent’.
  • Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’.

We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”*.

Recipient or categories of recipients of shared data: The data will be shared with the Care Quality Commission, its officers and staff and members of the inspection teams that visit us from time to time.

Rights to object: You have the right to object to some or all of the information being shared. Please contact our Data Protection Officer.

Right to access and correct: You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of law.

Retention Period: The data will be retained for active use during the processing and thereafter according to NHS Policies and the law.

Right to complain: You have the right to complain to the Information Commissioner’s Office. You can use this link: https://ico.org.uk/global/contact-us/ or call their helpline on 0303 1231113 or 01625 545745.

Please note the National Data Opt Out does not apply to this sharing of information. For further information please see: https://www.nhs.uk/your-nhs-data-matters/