GDPR Privacy Notice

Contents

  • Who has information about me?
  • What information does Fernville Surgery hold about you?
  • Information we collect
  • How will Fernville Surgery use the information it holds about me?
  • Staff access to your personal and sensitive data
  • How we keep your information safe and secure
  • Will Fernville Surgery share information about me with others?
  • Sharing information with third parties who are not involved in your health assessment, care or treatment
  • Sharing with regulators or because of a legal obligation
  • Audits, surveys and initiatives
  • What legal basis does Fernville Surgery have for using information about me?
  • Where and for how long does Fernville Surgery store information about me?
  • What rights do I have?
  • Details of your rights are set out below
  • General Practice Data for Research
  • My Care Record
  • Health Information Exchange Gateway
  • Recordings
  • Primary Care Network (PCN)
  • Integrated Care Systems (ICS)
  • COVID
  • The right to complain to the Information Commissioner’s Office

About Fernville Surgery

ICO Registration number: Z5680864

Fernville Surgery is committed to protecting and respecting your privacy.

This Privacy Policy sets out important details about information that Fernville Surgery and staff responsible for your care and treatment may collect and hold about you, how that information may be used and your legal rights.

We will review this Privacy Policy on a regular basis and we advise you to check back on our website for the latest version.

1. Who has information about me?

For your healthcare a number of care providers hold and share information about you, in order to provide safe and effective care. In our locality for example:

  • Hospital professionals (such as doctors, consultants, nurses, etc)
  • Other GPs/Doctors
  • Pharmacists
  • Nurses and other healthcare professionals
  • Dentists
  • Community Services
  • Out of Hours Services
  • Ambulance Services
  • Any other person that is involved in providing services related to your general healthcare, including mental health professionals

Information is shared for your direct care purposes. There may be instances where we are required under legislation to share information, but we will only do so if we have a legal basis.

2. What information does Fernville Surgery hold about you?

We hold 2 types of data about you.

Personal data (data which identifies you)

  • Personal data only includes information relating to natural persons
  • Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and Fernville Surgery may only process them in more limited circumstances.
  • Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data.

Special Category (sensitive data)

This sort of data could include:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data (where used for identification purposes)
  • health
  • sex life
  • sexual orientation

3. Information we collect

We collect information about you which you have supplied or from others involved in your care and treatment (i.e. hospital, community, employers).

This is likely to include your personal data (see the definition of Personal Data in section 2).

We may also hold more sensitive information about you (see the definition of Sensitive Data in section 2).

We may collect information from you when:

  • You contact us by telephone. Calls may be recorded and retained for a limited period for training and monitoring purposes and to help improve our services.
  • You communicate with us via email or social media.
  • You visit the practice for an appointment.

Sometimes we obtain information about you from:

  • other health care providers,
  • credit reference agencies,
  • debt collection agencies, and
  • government agencies such as HMRC or the Home Office.

4. How will Fernville Surgery use the information it holds about me?

We use information about you in connection with:

  • treatment and/or care
  • tests or assessments
  • medical examinations

We may use your phone number (or email address where you have provided it to us) to contact you in advance of an appointment for reasons connected with your care or treatment. Where you have provided us with your mobile number or email address, we may send you confirmations/reminders of your appointments via text message or email and we may respond to your email enquiries via email.

We may also use information about you for:

  • quality assurance
  • maintaining our business records
  • developing and improving our products and services
  • monitoring outcomes where we believe there is a business need to do so and our use of information about you does not cause harm to you

This may include our staff planning and workload management systems to help support our staff and clinicians to develop and plan the most appropriate levels of care to our patients and to ensure we have got the right levels of productivity and efficiency and good outcomes for patients.

We may also use information about you where there is a legal or regulatory obligation on us to do so (such as the prevention of fraud or safeguarding) or in connection with legal proceedings.

We may also use information about you where you have provided your consent to us doing so.

We do not carry out automated decision making or profiling.

5. Staff access to your personal and sensitive data.

We carefully control who has access to your information. Staff only have access where they are required to do so to provide direct care or support (i.e. receptionist and secretary). Where possible we limit the access that staff have on our clinical systems. We also carry out spot checks and audits to see if there has been any inappropriate access.

Where that occurs, disciplinary action may be taken against the staff, and in serious cases court action. If the data breach includes access to your information, we will contact you.

We also have an obligation, if it is a serious data breach, to inform the Information Commissioner’s Office.

In order to reduce risk of a data breach Fernville Surgery have in place robust policies and procedures and we carry out training for all staff on an annual basis.

All clinical staff providing direct care are registered with the appropriate professional and regulatory bodies, i.e. GMC, NMC, CSP and have a responsibility to uphold the highest standards when handling patient/client information.

6. How we keep your information safe and secure

  • Fernville Surgery is required to complete the NHS Digital Data Security & Protection Toolkit. This is a tool that provides assurance that we are meeting standards on handling patient/client information.
  • We have Data Protection Policies in place to ensure staff understand the ‘must’ or ‘must not do’ with patient/client data.
  • Staff are required to complete induction training in Information Governance and to complete annual update training.
  • Spot checks are carried out across the practice.
  • Our IT is managed by the Egton IT Team, who ensure that all safeguards are in place so that data held on IT systems is protected and secure from unauthorised access, loss or damage, and who hold a Cyber Security Plus certification.
  • Passwords are changed on a regular basis.
  • Where incidents do happen, our investigations will include actions we take and lessons learnt.

7. Will Fernville Surgery share information about me with others?

Yes; we set out these reasons below and assure you that in each case, we share only such information as is appropriate, necessary and proportionate.

Sharing information with those involved in your health assessment, care or treatment.

  • We will share your medical information with those involved in your health assessment, care or treatment (such as doctors, nurses and physiotherapists) for direct care purposes. Some of our nursing staff and the resident doctors in our practice are provided by specialist staffing agencies. We ensure there is a single patient record for each patient who is seen at Fernville Surgery.
  • We will also share information about you with other members of staff involved in the delivery of your direct care for administration purposes (such as our medical secretaries and receptionists). This will be limited to what is required for them to fulfil their role.
  • Local NHS hospitals and independent pathology/clinical laboratory services provide Fernville Surgery with support services (such as blood tests) and we may share information about you with these hospitals where required in connection with your care.
  • We may also share relevant parts of your medical information with your dentist, other private organisations and the organisation paying for your treatment (for example your insurance company). For our health assessment clients who come to us through their employer’s health assessment benefit scheme, please be assured that we will not share your medical information with your employer without your consent.
  • We may share information about you with anyone you have asked us to communicate with or whose details you have provided as an emergency contact (such as your next of kin).

8. Sharing information with third parties who are not involved in your health assessment, care or treatment

We may share information about you with external organisations such as:

  • Our lawyers
  • Auditors
  • Insurance companies
  • NHS organisations
  • Regulatory bodies such as the CQC and ICO.

We will only do this where we have a legal basis to do so or with your consent.

We may also share information about you with third party suppliers, which provide us with:

  • electronic patient record systems
  • radiology imaging archiving and reporting systems.

We may also share information about you with those providing us with information technology systems. This includes:

  • an incident management and recording system
  • a system for electronic prescribing
  • other clinical and non-clinical software applications (and related services)

In each case, we would share only such information as was relevant, necessary and proportionate.

9. Sharing with regulators or because of a legal obligation

We may share information about you with our regulators, including the:

  • Care Quality Commission.
  • Medicines and Healthcare products Regulatory Agency (which ensures medicines and medical devices used in the UK work and are acceptably safe).
  • NHS England (which leads the NHS in England) and the Department of Health (the government department responsible for health and adult social care policy).
  • Health & Safety Executive.
  • Public Health England.

Sometimes, we are required to disclose information about you because we are legally required to do so. This may be because of:

  • a court order
  • a regulatory body that has statutory powers to access patients’ or health assessment clients’ records as part of its duties to investigate complaints, accidents or health professionals’ fitness to practise.

Before any disclosure will be made, we will satisfy ourselves that any disclosure sought is required by law or can be justified in the public interest.

Information about you may also be shared with the police and other third parties where reasonably necessary for the prevention or detection of crime. On occasion, this may include the Home Office and HMRC.

10. Audits, surveys and initiatives

In common with all healthcare providers (both NHS and private), we also look at the quality of the care we provide to patients and health assessment clients and participate in national audits and initiatives:

  • to ensure that patients are getting the best possible outcomes from their treatment and care
  • to help patients make informed choices about the care they receive.

We can assure you that your personal information remains under our control at all times. Any information we provide for national audits and initiatives outside of Fernville Surgery will not contain any information in which any patient can be identified, unless it is required by law. Any publishing of this data will be in anonymised statistical form. The Practice may take part in local audits where there has been a Serious Incident in order to identify any potential clinical risks to yourself or other patients.

11. What legal basis does Fernville Surgery have for using information about me?

Data protection law requires that we set out the legal basis for holding and using information about you. We have set out the various reasons we use information about you and alongside each, the legal basis for doing so. Given that some information we hold about you is particularly sensitive (as described above), we need an additional legal basis which we have set out in the third column (entitled ‘legal basis for more sensitive information’) explaining our reason for this.

Processing shall be lawful only if and to the extent that at least one of the following applies:

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

For the purpose of delivering your direct health care within the practice and sharing your information we use Article 6(e) above.

Where we have to share your information because we are required to do so under law, we use Article 6(c) above.

12. Where and for how long does Fernville Surgery store information about me?

The information about you that we hold and use is held securely in the United Kingdom and stored electronically and in paper format and on secure servers.

No records are stored outside the EU.

We retain your records for certain periods (depending on the particular type of record) under our retention of records policy. Fernville Surgery follows the recommended best practice contained in the NHS Records Management Code of Practice. This is to ensure that information is properly managed and is available whenever and wherever there is a justified need for that information, including:

  • to support patient care and continuity of care
  • to support evidence-based clinical practice
  • to assist clinical and other audits
  • to support our public task
  • to meet legal requirements.

Your records may not be retained in hard copy form where a digital copy exists.

If you would like more detailed information on this, please contact our Practice Manager (contact details below).

13. What rights do I have?

Under certain circumstances, you have rights under data protection laws in relation to any personal information that we hold about you.

If you wish to exercise any of the rights set out below, please contact the Practice Manager using the contact details set out below.

14. Details of your rights are set out below.

The right to be informed.

This privacy notice forms part of that, but we also aim to keep you fully informed during your consultations, via posters in the practice and leaflets when appropriate.

The right to access your personal information

You are usually entitled to a copy of the personal information we hold about you and details about how we use it.

Your information will usually be provided to you in the form you request; if we are unable to do that, we will inform you. If you have made the request electronically (e.g. by email), the information will be provided to you by electronic means where possible.

You are entitled to the following under data protection law.

Under data protection law we must usually confirm whether we have personal information about you. If we do hold personal information about you we usually need to explain to you:

  • The purposes for which we use your personal information.
  • The types of personal information we hold about you.
  • Who your personal information has been or will be shared with.
  • Where possible, the length of time we expect to hold your personal information. If that is not possible, the criteria we use to determine how long we hold your information for.
  • If the personal data we hold about you was not provided by you, where we obtained the information from.
  • Your right to ask us to amend or delete your personal information (if appropriate).
  • Your right to ask us to restrict how your personal information is used or to object to our use of your personal information (if appropriate).
  • Your right to complain to the Information Commissioner’s Office.
  • We also need to provide you with a copy of your personal information.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity (this will be proportionate) and ensure your right to access your personal information (or to exercise any of your other rights). We may also contact you to ask you for further information in relation to your request to speed up our response.

We respond to all requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

The right to request correction of your personal information

We take reasonable steps to ensure that the personal information we hold about you is accurate and complete and up to date. However, if you do not believe this is the case, you can ask us to update or amend it.

The right to request erasure of your personal information

In some circumstances, you have the right to request the erasure of the personal information that we hold about you. This is also known as the ‘right to be forgotten’. However, there are exceptions to this right and in certain circumstances we can refuse to delete the information in question.

The right to object to the processing of your personal information

In some circumstances, you have the right to object to the processing of your personal information. This would usually apply to processing for purposes other than your direct health care, i.e. research.

The right to request a transfer of your personal information

In some circumstances, we must transfer personal information that you have provided to us to you or (if this is technically feasible) another individual/ organisation of your choice. The information must be transferred in an electronic format.

The right to object.

You can ask us to stop processing your information for any purposes other than your health care.

The right not to be subject to automatic decisions (i.e. decisions that are made about you by computer alone)

You have a right to not be subject to automatic decisions (i.e. decisions that are made about you by computer alone) that have a legal or other significant effect on you.

The right to withdraw your consent

You have the right to withdraw your consent where we rely upon this as a legal ground for processing your information.

To exercise any of the individual rights above, please contact the Practice Manager.

15. General Practice Data for Research

The data held in the GP medical records of patients is used to support health research in England, helping to find better treatments and improve patient outcomes for everyone. Any data that could directly identify you (such as NHS Number, date of birth, full postcode) is replaced with unique codes which are produced by de-identification software before the data is shared with NHS Digital.

This process is called pseudonymisation and means that patients will not be identified directly in the data.

If you do not want your patient data to be shared for purposes except your own care, you can opt-out of this process.

For further information, please see the “National data opt-out” page on the NHS Digital website or contact the practice.

16. My Care Record

My Care Record enables health and care professionals to access the information they need to look after you, even if they work for different organisations or in different locations.

Fernville Surgery is part of My Care Record, an approach to improving care by joining up health and care information. Health and care professionals from other services will be able to view information from the records we hold about you when it is needed for your care.

Please see www.mycarerecord.org.uk for more information.

For further information, please visit the My Care Record website or contact the practice.

17. Health Information Exchange Gateway

Health and care information is joined up via the HIE (Health Information Exchange), which is used across the region to enable health and care professionals to access up-to-date information held by different organisations or in different locations. This will result in more effective care and secure information sharing for direct care purposes.

Each organisation will determine the content of their own information feed into the Shared Care Record. This will be based on the nature of the records that the organisation holds.

The Cerner HIE (Shared Care Record) system displays the feeds from partner organisations in a single user accessible dashboard, in real time.

18. Recordings

  • Telephone calls are being recorded for training and monitoring purposes only.
  • When the Surgery carries out video consultations, the consultation is not stored or recorded within the system; the clinical staff member is required to record observations and outcomes of the consultation directly into your patient record in the same way as during a face-to-face consultation.

19. Primary Care Network (PCN)

We are a member of Dacorum Beta Primary Care Network (PCN). This means we will be working closely with a number of other GP Practices and health and care organisations to provide healthcare services to you. No health data is automatically shared.

Patient records remain with the practice that the patient is registered with. The record would only be accessed by another practice if the patient has booked and agreed an extended access appointment or clinical services delivered in a GP Practice; the patient is advised of this at the time of accepting the appointment.

Other Practices in our PCN are:

  • Parkwood Drive Surgery
  • Highfield Surgery

20. Integrated Care Systems (ICS)

As the country moves to an integrated care system based on geographical areas (East & North Herts, Herts Valleys and West Essex), information may be available to other care providers in order to provide safe, effective and cost-efficient care. Robust training, policies, procedures, controls, audits and technical measures will be in place to safeguard against inappropriate access and disclosure.

21. COVID

The Secretary of State for Health and Social Care issued a Notice under Regulation 3(4) of The Health Service (Control of Patient Information) Regulations 2002 requiring organisations such as GP Practices to use your information to help GP Practices and other healthcare organisations to respond to and deal with the COVID-19 pandemic. These measures are temporary and will expire on 30th September 2021 unless a further extension is required.

22. The right to complain to the Information Commissioner’s Office

You have the right to complain to the Information Commissioner’s Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations under data protection law.

Making a complaint will not affect any other legal rights or remedies that you have. More information can be found on the Information Commissioner’s Office website: https://ico.org.uk/ and the Information Commissioner’s Office can be contacted by post, phone, or email as follows:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 (if you prefer to use a national rate number)
Fax: 01625 524 510
Email: casework@ico.org.uk

For further questions or to exercise any rights set out in this Privacy Policy, please contact Fernville Surgery Data Protection Officer (DPO):

DPO contact details:

Kaushal Dave
Operations Manager
Fernville Surgery
Midland Road
Hemel Hempstead
HP2 5BL

Email address: contact.fernville@nhs.net
Fernville Surgery: 01442 213919