Data Security and Protection
Data Protection by Design and by Default policy
Burley Park Medical Centre
Introduction, scope and purpose
This policy is to outline the commitment the practice has to the concept of “Data Protection by Design and by Default” and it’s role in ensuring that the practice upholds it’s requirement to ensure that all data processing it is responsible for is in compliance with the Principles of GDPR, as articulated in Article 5 of GDPR (paraphrased below):
- . Personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and kept up to date to ensure that any inaccurate personal data is erased or rectified without delay (‘accuracy’);
- kept for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
- processed in a manner that ensures appropriate, including protection against unauthorised or unlawful processing, against accidental loss, destruction or damage (‘integrity and confidentiality’).
- The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
As part of the practice’s compliance as a Data Controller with data protection legislation, we actively pursue a policy of Data Protection by Design and by Default for all data processing activities we undertake, including the core medical services we provide.
Data Protection by Design and by Default is a key element underpinning the principles of GDPR and is articulated under Article 25 of GDPR as follows:
- Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
- The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
- That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
- In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
In practice, this Article of the GDPR covers a multitude of issues designed to ensure that organisations evaluate Data Protection and Privacy as core considerations for any proposed or existing data processing, and to ensure that any solution used supports these considerations.
As part of our compliance we ensure that (inter alia):
- We take a proactive, not reactive, approach to Data Protection by Design and by Default to ensure that Data Protection and Privacy are primary considerations.
- We consider data protection and privacy as part of the implementation of our medical services and business practices.
- We consider carrying out Data Protection Impact Assessments for any new data processing or data sharing activities we are considering
- We ensure that data protection and privacy are an essential component of the functionality of our processing systems.
- We endeavour to anticipate potential privacy risks before they occur, and take steps to prevent harm to individuals.
- We only process the personal data that we specifically need for our purposes, and do not process or collect data unless it is required for this purpose.
- We will only use personal data for the purpose for which we collect it (unless another purpose is evaluated and deemed compatible).
- If required for non direct care uses, all identifiable data will be de-identified by pseudonymisation or anonymisation techniques to an appropriate standard that is in compliance with all relevant legislation
- We ensure that personal data is automatically protected in any IT system or business practice, so that individuals should not have to take any specific requests to protect their privacy.
- We provide the identity and contact information of those responsible for data protection to individuals.
- We adopt a ‘plain language’ policy for documentation so that individuals can easily understand what we are doing with their personal data and how that data should be managed.
- We provide individuals with information such as privacy notices so they can determine how we are using their personal data, and whether our policies are being properly enforced.
- We offer strong privacy as a default and respect individual preferences, wherever possible, for how data is used.
- We only use data processors that provide robust guarantees of their own technical and organisational measures for securely processing individual’s data.
- When we use other systems or products in our processing activities, we make sure that we only use those whose designers and manufacturers have taken data protection issues into account.
- We use privacy-enhancing technologies whenever applicable to assist us in complying with our data protection by design obligations.
- We have comprehensive polices and procedure in place regarding Data Protection and Privacy, and these polices are adhered to, and adherence is monitored and reviewed
 For the purposes of Article 25, “appropriate technical and organisational measures” are defined under Recital 78 of GDPR as:
- The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met.
- In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.
- Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features.
- When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.
- The principles of Data Protection by Design and by Default should also be taken into consideration in the context of public tenders.
Easy read Privacy Notice
What happens with your information?
This is a short easy read to explain what Burley Park Medical Centre does with your information.
- This is called a privacy notice.
- It tells you about the information we have about you.
- It also tells you what we do with it and who we share it with.
If you want to see the full privacy notice please click here
Who and what Burley Park Medical Centre are?
- We are part of the National Health Service (NHS) in England.
- We provide you with medical care when you are ill
Why do we need information about you?
We need this information to make sure we give you the right treatment when you are ill
What information do we have about you?
The information we may hold includes:
- Name and address
- Telephone number.
- Date of birth.
- Records of the times you have visited the doctor, and what happened
- Details of your family and support network.
We may have to share this information with others for your health and care services.
We will only do this if the law says we can.
Do we have any other information about you?
We may also need special types of information about you including:
- Any health and safety concerns
Are there any laws to protect your information?
- Yes, there’s the General Data Protection Regulation, or GDPR for short.
- And there’s the Data Protection Act 2018.
- There are other laws too. Please see the full privacy notice for these.
We follow these laws to make sure your information is protected.
What do these Laws say?
The law says that we must:
- Not keep information about you for longer than needed.
- Destroy your information securely when we have finished using your information.
- Make sure the information is correct.
- Let you know what information we hold, and why we need it.
How do we look after your information?
- We make a computer record about you and your health.
- We use appropriate safety measures to help stop your information from being lost or used in the wrong way.
Who can see your information?
We take protecting your privacy very seriously.
- Only our staff who need to see your information are able to do so- these are people who need to access your information to help you.
- They use your information in strict confidence and it is not shared with anyone who doesn’t need to know.
What are your rights?
- You have the right to ask for a copy of the information we hold about you.
- You have the right to let us know if we have made a mistake and ask us to correct it.
- You also have the right to complain to the Information Commissioner.
You have some other rights as well.
Please click here if you want to find out about your other rights.
Who can you ask for help, or complain to?
Please contact us if you:
Are not happy with the way your information has been used
If you wish to use one of your rights
Please write to this address:
Burley Park Medical Centre
237 Burley Road, Leeds
You can also telephone us on 0113 2953850
And you can email us at this email address:
Who else can you complain to?
If you are still unhappy after contacting us, you can complain to the Information Commissioner.
This is the person in the UK who makes sure we look after your information.
Please write to this address:
The Information Commissioner,
Wycliffe House, Water Lane,
Wilmslow, Cheshire SK9 5AF.
You can telephone the Commissioner on:
0303 123 1113 (local rate) or 01625 545 745
Or send an email to this address:
The Information Commissioner’s website is: http://www.ico.org.uk
Enhanced data sharing model
Sharing enables a clinician to get a full picture of all elements that affect your treatment.
Data shared with who and why?
Many GP practices in Leeds, the out of hours on-call Doctor service and many other organisations use the Leeds Care Records service to share information about your care
This means that if we refer you to a service that is already using Leeds Care Record, the person you go and see will have access to your GP record and visa versa. This allows for safer care and means you have to repeat your story less often.
What is shared?
All data unless specific items are marked as private.
How is the data shared?
Access is restricted to NHS Smartcard holders in Hospitals, Out of Hours Services, Community Health and GPs.
How is consent given?
Initial implied consent with explicit consent for a share in and out at each organisation.
How do I get more information?
For further detailed information on how the record sharing works in our system is available from the waiting room
We are in the process of asking your sharing preferences regarding your full detailed electronic record. We are telling you about this, as you have a choice to make. You can choose to share or not to share your full electronic record with other NHS care services where you are treated and whether we can view records held by those other services.
If you choose to make your record shareable, your clinical details will only viewable by clinical teams who are treating you.
Each clinical team which cares for you now or in the future will ask your permission to view your shared record. You can also ask for part of your record to be made private – not shareable. All record accesses are recorded and auditable. If you choose not to make your records shareable, we will respect your wishes and will do our best to make your care safe and efficient. However, denying the clinical teams caring for you the ability to access important clinical details could compromise your care.
You Have Two Choices:
- Sharing Out – This controls whether your full electronic patient record can be shared with other NHS care services where you are treated.
Let us know if your records should be Shareable or Not Shareable.
- Sharing In – This controls whether you agree for this service to view the information you’ve agreed to share at other NHS care services.
Let us know if we can view your shared record from elsewhere or if you do not want it to be viewable to us.
In the event of an emergency: In certain circumstances, such as if you are unconscious or there is a court order, healthcare staff may look at your record without asking you. If they have to do this, a note will be made on your record. If we share information without your permission, we will make sure that we keep to the Data Protection Act 1998, the NHS confidentiality code of practice and other national guidelines on best practice.
GPES data collection transparency notice
Data will be collected on a fortnightly basis using the existing GP Extraction Service (GPES) infrastructure. Please click here to see our transparency notice regarding how your information will be used.
Leeds Care Record
Data shared with who and why?
Leeds Teaching Hospital Trust/Primary Care such as your GP/Leeds Mental Health/Leeds Social Care. It is designed to be a local one stop shop shared record for direct care to enable health professionals to provide better care by seeing all your information together in one place.
What is shared?
Problems, Medication, Allergies, Appointments, Test Results, Communications, Discharges, Demographics.
How is the data shared?
Held on a secure computer system and records remain confidential. All existing data protection laws apply. Only accessed by people directly involved in your care. This is role based access by Leeds Teaching Hospital Trust/Primary Care/Leeds Mental Health/Leeds Social Care.
How is consent given?
GP Practices Opt in to Leeds Care Record. Patients can opt out via Leeds Teaching Hospital Trust (by phone on 0113 206 4102, by email “[email protected]”, or by letter to “Access to Health Records, Leeds Teaching Hospitals NHS Trust, St James University Hospital, Lincoln Wing/Chancellor Wing Link Corridor, Beckett Street, Leeds, LS9 7TF”).
How do I get more information?
Go to Leeds Care Record Website.
National diabetes audit
This GP practice is taking part in an important national project about diabetes care and treatment in the NHS. The project is called the National Diabetes Audit (NDA).
To take part, your GP practice will share information about your diabetes care and treatment with the NDA. The type of information, and how it is shared, is controlled by law and enforced by strict rules of confidentiality and security.
For further information about how your information is used please see the NDA patient information leaflet. Taking part in the NDA shows that this GP practice is committed to improving care for people with diabetes.
If you do not want your information to be used, please inform the receptionist, your GP or nurse. This will not affect your care.
Online patient access
Data shared with who and why?
online access by patients to your own GP record.
What is shared?
How is the data shared?
Via the internet and mobile phone and tablet apps using username and password provided by the practice.
How is consent given?
You apply for access via the reception desk. The Dr has the option to accept or deny patients request to access record. We only deny access in exceptional circumstances.
This Privacy Notice is also available in an easy read copy. Please click here
Who we are and what we do
Burley Park Medical Centre was opened in June 1988 and is owned and run by the doctors of the practice. The practice consists of doctors, nurses, reception and administration staff and allied health care workers and looks after over 13 000 patients. We offer a wide range of health care services to the local community in purpose built premises. We aim to provide a friendly, patient focused, high quality level of care to our diverse group of patientsThe name and contact details of our organisation.
Name: Burley Park Medical Centre
Address: 273 Burley Road, Leeds, LS4 2EL
Our Data Protection Officer is Louise Whitworth, Leeds CCG and they can be contacted on: 0113 8435470
As a GP practice we are responsible for your day to day medical care and the purpose of this notice is to inform you of the type of information that we hold about you, how that information is used for your care, our legal basis for using the information, who we share this information with and how we keep it secure and confidential.
It covers information we collect directly from you (that you have either provided to us, or from consultations with staff members), or we collect from other organisations who manage your care (such as hospitals or community services).
We are required by law to maintain records about your health and treatment, or the care you have received within any NHS service.
As a Practice, we are committed to protecting your privacy and will only process data in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018, the Common Law Duty of Confidentiality, professional codes of practice, the Human Rights Act 1998 and other appropriate legislation.
Everyone working for the Practice has a legal and contractual duty to keep information about you confidential. All our staff receive appropriate and ongoing training to ensure that they are aware of their personal responsibilities and their obligations to uphold confidentiality.
Staff are trained to ensure how to recognise and report any incident and the organisation has procedures for investigating, managing and learning lessons from any incidents that occur.
All identifiable information that we hold about you in an electronic format will be held securely and confidentially in secure hosted servers that pass stringent security standards.
Any companies or organisations we use we may use to process your data are also legally and contractually bound to operate under the same security and confidentiality requirements.
All identifiable information we hold about you within paper records is kept securely and confidentially in lockable cabinets with access restricted to appropriately authorised staff.
As an organisation we are required to provide annual evidence of our compliance with all applicable laws, regulations and standards through the Data Security and Protection toolkit.
Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.
In addition to our Data Protection Officer, we also have a senior person within the practice who is responsible for protecting the confidentiality of our records and ensuring that any use of your data is fair and appropriate- this person is the Caldicott Guardian. The Caldicott Guardian for the practice is: Dr. Neil Lawton
The practice is registered with the Information Commissioners Office as a Data Controller- our registration number is: Z5355613 and you can view our registration here
We will endeavour to maintain our duty of confidentiality to you at all times and will only share data about you if we genuinely believe that it would improve the care we provide for you.
Other than for the purposes of direct care or indirect care (such as healthcare planning), we will only share your information without your permission when we are required to do so under exceptional circumstances (such as a serious risk to yourself and others) or if it is required by law.
- Details about you, such as your name, address, carers, biological gender, gender identity, ethnic origin, date of birth, legal representatives and emergency contact details are collected from you when you register with the practice via the GMS1 form and new patient questionnaire you fill in when your register.
- Information that you provide about your health when you consult with healthcare professionals at the practice, which will be recorded in your notes
- Any contact the surgery has with you, such as appointments, clinic visits, emergency appointments, etc. are recorded on our clinical system
- Notes and reports about your health- your historic notes are transferred to us from your old practice- this can happen electronically and your paper notes are transferred via an organisation called Primary Care Support England
- Results of investigations such as laboratory tests, x-rays, etc. which are sent to the practice electronically from hospitals
- Any consultations you may have had with “extended access” hubs, which the practice is part of.
- We are routinely informed of any A&E visits or outpatient appointments at local hospitals
- We are routinely advised of any contact with out of hours providers or NHS111
- We are hold details of any other relevant information from other health professionals, relatives or those who care for you. All information flows within the practice are routinely mapped as part of our GDPR compliance and compliance with the Data Security and Protection toolkit.
As health professionals, we maintain records about you in order to support your care. By registering with the practice, your existing records will be transferred to us from your previous practice so that we can keep them up to date while you are our patient and if you do not have a previous medical record (a new-born child or coming from overseas, for example), we will create a medical record for you.
We take great care to ensure that your information is kept securely, that it is up to date, accurate and used appropriately. All of our staff are trained to understand their legal and professional obligations to protect your information and will only look at your information if they need to.
In the practice, individual staff will only look at what they need in order to carry out such tasks as booking appointments, making referrals, giving health advice or provide you with care.
All practices in the UK are members of a Primary Care Network (PCN), which is a group of practices who have chosen to work together and with local community, mental health, social care, pharmacy, hospital and voluntary services to provide care to their patients.
PCNs are built on the core of current primary care services and enable greater provision of proactive, personalised, coordinated and more integrated health and social care.
We are members of The Woodsley PCN along with Hyde Park Surgery, Craven Road Medical Practice, Laurel Bank Surgery, Burton Croft Surgery, Kirkstall Lane Medical Centre and Vesper Road Surgery.
This arrangement means that practices within the same PCN may share data with other practices within the PCN, for the purpose of patient care (such as extended hours appointments and other services), Each practice within the PCN is part of a stringent data sharing agreement that means that all patient data shared is treated with the same obligations of confidentiality and data security.
Care Quality Commission (CQC)
All practices have regular visits from CQC where they monitor, inspect and regulate services to make sure they meet fundamental standards of quality and safety and they publish what they find, including performance rating to help people choose care. They may need to access patients medical record or personal data as part of their regulatory process. You can read their privacy notice for more information https://www.cqc.org.uk/about-us/our-policies/privacy-statement
In some cases, for example when looking at population healthcare needs, some of your data may be shared (usually in such a way that you cannot be identified from it). The following organisations may use data in this way to inform policy or make decisions about general provision of healthcare, either locally or nationally.
- Leeds City Council: Public Health, Adult or Child Social Care Services
- Leeds Clinical Commissioning Group (or their approved data processors)
- NHS Digital (Formerly known as (HSCIC)
- The “Clinical Practice Research Datalink” (EMISWeb practices)
- Other data processors which you will be informed of as appropriate.
In order to comply with its legal obligations we may send data to NHS Digital when directed by the Secretary of State for Health under the Health and Social Care Act 2012.
This practice contributes to national clinical audits and will send the data which are required by NHS Digital when the law allows. This may include demographic data, such as date of birth, and information about your health which is recorded in coded form, for example, the clinical code for diabetes or high blood pressure.
Research data is usually shared in a way that individual patients are non-identifiable. Occasionally where research requires identifiable information you may be asked for your explicit consent to participate in specific research projects. The surgery will always gain your consent before releasing any information for this purpose, unless the research has been granted a specific exemption from the Confidentiality Advisory Group of the Health Research Authority
Where specific information is asked for, such as under the National Diabetes audit, you will be given the choice to opt of the audit.
We may also disclose your information to others in exceptional circumstances (i.e. life or death situations) or in accordance with Dame Fiona Caldicott’s information sharing review (Information to share or not to share).
For example, your information may be shared in the following circumstances:
- When we have a duty to others e.g. in child protection cases
- Where we are required by law to share certain information such as the birth of a new baby, infectious diseases that may put you or others at risk or where a Court has decided we must.
If you ask us to share your data, often with an insurance company, solicitor, employer or similar third party, we will only do so with your explicit consent. Usually the requesting organisation will ask you to confirm your consent, often in writing or electronically. We check that consent before releasing any data and you can choose to see the information before we send it.
We are required to tell you the legal basis that is used for the various ways we process and use your data. In order to process your personal data we must specify a lawful basis and if we process any personal data that is deemed to be “special category” data we must also specify a separate condition for processing special category data.
The following table sets the main ways your personal data may be used and the corresponding legal basis and category of data. Each purpose is covered in more detail within this notice to explain what these mean in more practical terms.
We share information about you with other health professionals where they have a genuine need for it to support your care, as follows.
|Recipient of data||Reason or purpose|
|Leeds Care Record||Primary, secondary or emergency care|
|Summary Care Record (SCR)||Secondary or emergency care|
|Leeds Teaching Hospitals Trust||Secondary or emergency care|
|· Other national providers of health care who you choose to be referred to, in consultation with your healthcare professional||Secondary or specialist care|
|Leeds & York Partnership Foundation Trust||Mental health & learning disability services|
|Mid-Yorkshire Hospitals Trust||Diabetic eye-screening services|
|Leeds Community Healthcare Trust||District Nursing and other community services|
|NHS National Diabetes Prevention Programme||Information and lifestyle education|
|Local Care Direct||Out of Hours primary care provider|
|Leeds City Council||Social Care services|
|Connect Well/PEP or other similar service||Social prescribing|
|“One You”||Provider of heathy lifestyle services|
|Forward Leeds||Provider of drug & alcohol services|
|Federated GP services and Primary Care Networks||Providers of extended access appointments over the telephone and at local hubs and other services|
From time to time we may offer you referrals to other providers, specific to your own health needs- in these cases we will discuss the referral with you and advise you that we will be sharing your information (generally by referral) with those organisations.
The details of transfers of the personal data to any third countries or international organisations.
As a GP surgery, the only occasions when this would occur would be if you specifically requested this to occur- the practice will never routinely send patient data outside of the UK where the laws do not protect your privacy to the same extent as the law in the UK.
As long as you are registered as a patient with the surgery, your paper records are held at the practice along with your GP electronic record. If you register with a new practice, they will initiate the process to transfer your records. The electronic record is transferred to the new practice across a secure NHS data-sharing network and all practices aim to process such transfers within a maximum of 8 working days. The paper records are then transferred which can take longer. Primary Care Services England also look after the records of any patient not currently registered with a practice and the records of anyone who has died.
Once your records have been forwarded to your new practice (or after your death forwarded to Primary Care Services England), a cached version of your electronic record is retained in the practice and classified as “inactive”. If anyone has a reason to access an inactive record, they are required to formally record that reason and this action is audited regularly to ensure that all access to inactive records is valid and appropriate. We may access this for clinical audit (measuring performance), serious incident reviews, or statutory report completion (e.g., for HM Coroner).
A summary of retention periods for medical records can be found on the BMA website
Under the GDPR all patients have certain rights in relation to the information which the practice holds about them. Not all of these will rights apply equally, as certain rights are not available depending on situation and the lawful basis used for the processing- for reference these rights may not apply are where the lawful basis we use (as shown in the above table in the section on “lawful bases”) is:
- Processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller – in these cases the rights of erasure and portability will not apply.
- Legal Obligation – in these cases the rights of erasure, portability, objection, automated decision making and profiling will not apply.
You have the right to be informed of how your data is being used. The propose of this document is to advise you of this right and how your data is being used by the practice
You have the right of access You have the right to ask us for copies of your personal information- this right always applies. There are some exemptions, which means you may not always receive all the information we process.
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
You have the right to ask us to erase your personal information in certain circumstances- This will not generally apply in the matter of health care data
You have the right to ask us to restrict the processing of your information in certain circumstances– You have to right to limit the way in which your data is processed if you are not happy with the way the data has been managed.
You have the right to object to processing if you disagree with the way in which part of your data is processed you can object to this- please bear in mind that this may affect the medical services we are able to offer you
Your rights in relation to automated processing– Sometimes your information may be used to run automated calculations. These can be as simple as calculating your Body Mass Index or ideal weight but they can be more complex and used to calculate your probability of developing certain clinical conditions, and we will discuss these with you if they are a matter of concern.
Typically, the ones used in the practice may include:
Qrisk– a cardiovascular risk assessment tool which uses data from your record such as your age, blood pressure, cholesterol levels etc to calculate the probability of you experiencing a cardiovascular event over the next ten years.
Qdiabetes– a diabetes risk assessment tool which uses your age, blood pressure, ethnicity data etc to calculate the probability of you developing diabetes.
CHADS – an assessment tool which calculates the risk of a stroke occurring for patients with atrial Fibrillation
This is not an exhaustive list- other tools may be used depending on your personal circumstances and health needs, however whenever we use these profiling tools, we assess the outcome on a case-by-case basis. No decisions about individual care are made solely on the outcomes of these tools, they are only used to help us us assess your possible future health and care needs with you and we will discuss these with you.
Your right to data portability This only applies to information you have given us- you have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under a contract, and the processing is automated, so will only apply in very limited circumstances
Because under the provisions of Data Protection Law most of the data processing activities carried out by the practice are not done under the “lawful basis” of consent you cannot withdraw consent as such, however if you are not happy with the way your data is being processed you do have the right to object and the right to ask us to restrict processing.
There is a new national opt-out that allows people to opt out of their confidential patient information being used for certain reasons other than their individual care and treatment. The system offers patients and the public the opportunity to make an informed choice about whether they wish their personally identifiable data to be used just for their individual care and treatment or also used for research and planning purposes. Details of the national patient opt out can be found online.
In the past, you may have already chosen to prevent your identifiable data leaving NHS Digital, known as a Type 2 opt-out. All existing Type 2 opt-outs will be converted to the new national data opt-out and this will be confirmed by a letter to all individuals aged 13 or over with an existing Type 2 objection in place. Once the national data opt-out is launched, it will no longer be possible to change preferences via local GP practices.
If you are happy for your information to be used, and where necessary shared, for the purposes described in this notice then you do not need to do anything.
Should you have any concerns about how your information is managed at the practice, please contact us.
If you are still unhappy following a review by the GP practice, you can then complain to the Information Commissioners Office (ICO) via:
Summary Care Record
Having this information stored in one place makes it easier for healthcare staff to treat you in an emergency.
Who is my data shared with and why?
The National Care Record Service (NCRS) for sharing important summary clinical data nationwide for emergency direct care purposes. For example, if you were admitted to hospital in a different part of the country this record would enable the doctors to see vital information about your care.
What is shared?
Medication, Allergies, Drug reactions, optionally specific SNOMED coded entries (called rich SCR).
How is the data shared?
Access is restricted to NHS Smartcard holders in Hospitals, Out of Hours Services and GPs.
How is consent given?
Implied consent with patient opt out via SNOMED codes and requirement to explicitly opt in for Rich SCR.
How do I get more information?
Summary Care Records Coronavirus (COVID-19) supplementary privacy notice
Your Data Matters
The national data opt-out was introduced on 25 May 2018, enabling individuals to opt-out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.
The NHS has launched the national data opt-out as part of the ‘Your Data Matters to the NHS’ campaign. This campaign informs the public that the strict rules about how health and care data can and cannot be used have been strengthened. The NHS is committed to keeping patient information safe and always being clear about how it is used. The campaign will also let the public know that they can choose whether their confidential patient information is used for research and planning. A new website nhs.uk/your-nhs-data-matters has been launched which allows the public to find out more about how their data is used across health and care and to opt out if you wish to do so.
Your information, what you need to know
This privacy notice explains why we collect information about you, how that information will be used, how we keep it safe and confidential and what your rights are in relation to this.
For more information, or if you wish to opt out, please visit: Your NHS data matters or alternatively you can call 0300 303 5678
Your medical record
How we collect information about you and how that information may be used.
All the health care professionals that look after you maintain records about your health and any treatment or care that you have previously received. This includes hospitals, GP surgeries, walk-in clinics etc.
NHS health records may be electronic, paper-base or a mixture of both and we will ensure that all your information is kept confidential and secure.
Information which this GP Practice holds about you may include:
- Details about you, such as your address, carer, legal representative, emergency contacts
- Any contact the surgery has had with you in the past, such as appointments, clinic visits, emergency appointments, etc.
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations such as laboratory tests, x-rays etc
- Relevant information from other health professionals, relatives or those who care for you
Your records are used to ensure you receive the best possible care. Information held about you may also be used to help protect the health of the public and for a clinical audit to monitor the quality of the service provided.
Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to make sure that individual patients cannot be identified. Occasionally your information may also be requested for research purposes. The practice will always ask for your consent before agreeing to do this.
Identifying patients’ health risks
Risk identification tools are increasingly being used in the NHS to help understand a patient’s risk of suffering from a particular condition in the future. As once we know this we can offer preventative intervention.
Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information using software managed by NHS England. Risk stratification enables your GP to focus on preventing ill health and offer you additional services to help you not to become ill in the future. Please note that you have the right to opt-out of your data being used in this way.
The Practice may carry out reviews of the medications prescribed to its patients to ensure that all patients are receiving the most appropriate, up to date and cost-effective treatments.
How Do We Maintain The Confidentiality Of Your Records?
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- Data Protection Act 2018
- GDPR 2018
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- Health and Social Care Act 2012
- NHS Codes of Confidentiality, Information Security and Records Management
- Information: To Share or Not to Share Review
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.
We will only ever use or pass on information about you if others, involved in your care, have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and/or in accordance with the new information sharing principle following Dame Fiona Caldicott’s information sharing review where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles. They should be supported by the policies of their employers, regulators and professional bodies.
Who Are Our Partner Organisations?
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:
- NHS Trusts/Foundation Trusts
- NHS Commissioning Support Units
- Independent contractors such as dentists, opticians, pharmacists
- Private sector providers
- Voluntary sector providers
- Ambulance Trusts
- Clinical Commissioning Groups
- Social Care Services
- Health and Social Care Information Centre (HSCIC)
- Local Authorities
- Education Services
- Fire and Rescue Services
- Police & Judicial Services
- Other ‘data processors’ which you will be informed of
You will be informed who your data will be shared with and in some cases asked for explicit consent for this to happen.
We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure.
Primary Care Services at Emergency Departments
Your GP surgery is working together with hospitals in Leeds to make sure you receive the care you need, when you need it. This means that if you ever need to go to the Accident and Emergency Department in a Leeds hospital, the doctor who sees you will be able to see your GP health record to determine the best way to help you.
This access is currently made via the Summary Care Record , although this will soon be changed to access via another data sharing model called Leeds Care Record. If you have previously indicated that you do NOT want your data to be shared using either or both of these mechanisms, this dissent will still stand and your records will be inaccessible without your explicit consent.
Access To Personal Information
You have a right, under the Data Protection Act 1998, to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate. In order to request this, you need to do the following:
- Your request must be made in writing to the GP – for information from the hospital you should write direct to them
- There may be a charge to receive a printed copy of the information
- We are required to respond to you within 40 days
- You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located
Should you have any concerns about how your information is managed, please contact our Practice Manager at Burley Park Medical Centre. If you are still unhappy, following a review by the Practice you can complain to the Information Commissioners Office (ICO) via their website, email: [email protected], Tel: 0303 123 1113 (local rate) or 01625 545 745.
Change of Details
It is important that you tell the person treating you if any of your details, such as your name or address, have changed or if any of your details such as date of birth is incorrect so that we can amend this. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.
The Data Protection Act 1998 requires organisations to register the purposes for which they process personal and sensitive information. This information is publicly available on the Information Commissioner’s website. The practice is registered with the Information Commissioners Office (ICO).
Who is the Data Controller?
The Data Controller, responsible for keeping your information secure and confidential is Dr Neil Lawton (on behalf of Burley Park Medical Centre)