In order to support your care, health professionals maintain records about you. We take great care to ensure your information is kept securely, that it is up to date, it is accurate and used appropriately.
All of our Practice staff are fully trained to understand their legal and professional obligations to protect your information and will only look at your information if they need to. They will only look at what they need to in order to do things like book you an appointment, give general health advice, provide you with care and if necessary refer you to other services.
This Privacy Notice explains who we are, why information is collected about you, the ways in which this information may be used, who it is shared with and how we keep it safe. It also explains how the Practice uses the information we hold about you, how you go about accessing this information if you wish to see it and to have any inaccuracies corrected or erased.
Emsworth Surgery is a well-established GP surgery based in Emsworth, Hampshire. Our staff of General Practitioners, Nurses, Nurse & Paramedic Practitioners, Healthcare Assistant and Phlebotomist provide primary medical care services to our Practice population of 13,000 patients and our administrative and managerial staff support the team in providing care for patients.
What information do we collect from you?
GP Records are stored electronically and on paper and include:
- Your name, address, your date of birth, your NHS number and contact details
- Next of kin details
- Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments and telephone calls
- Referrals, communications regarding your care in other organisations
- Notes and reports about your health
- Details about your treatment and care
- Details about any medication you are taking
- Results of investigations such as laboratory tests, x-rays etc.
- Relevant information from other health professionals, relatives or those who care for you
Why do we collect this information?
Your records are used to ensure you receive the best possible care from our doctors, nurses, Nurse & Paramedic Practitioners, Healthcare Assistant and Phlebotomist. It enables the staff to see previous treatments, medications and enables them to make informed decisions about future decisions about your care. It helps the doctors to see lists of previous treatments and any special considerations which need to be taken into account when care is provided.
Important information is also collected to help us to remind you about specific treatment which you might need, such as health checks, reviews or reminders for screening appointments such as cytology reminders.
Information held about you may be used to help protect the health of the public and to help us to improve NHS services. Information may be used within the GP Practice for clinical audit to monitor the quality of the service provided.
Staff at the Practice use your information to help deliver more effective treatment to you and to help us to provide you with proactive advice and guidance.
What do we do with your information?
The healthcare professionals who provide your care maintain records about your health.
This is a record of your care history and allows health care professionals to review your care to help inform future decisions about your treatment.
Sharing this information helps to improve the treatment you receive, such as a hospital consultant writing to your GP.
We follow strict data sharing guidelines to keep your information safe and secure.
Who might we share your information with?
With your agreement, your GP or Nurse may refer you to other services and healthcare providers not provided by the practice, or they may work with other services to provide your care in the practice.
Once you have been seen for your referral, the other health care provider will normally tell us about the treatment they have provided for you and any follow up which the GPs need to provide.
This information is then included in your GP record.
Sometimes the clinicians caring for you need to share some of your information with others who are also supporting you.
This could include hospital or community based specialists, nurses, health visitors, therapists or social care services.
A Summary Care Record is an electronic record of important patient information, created from the GP medical records.
It contains information about medication you are taking, any allergies you suffer from and any bad reactions to medications you have previously had.
It can be seen and used by authorised staff in other areas of the health and care system involved in your direct care. Giving healthcare staff access to this information can prevent mistakes being made when caring for you in an emergency or when your GP practice is closed.
Your Summary Care Record also includes your name, address, date of birth and your unique NHS Number to help identify you correctly.
If you and your GP decide to include more information it can be added to the Summary Care Record, but only with your express permission.
For more information visit https://digital.nhs.uk/summary-care-records/patients
The CHIE is an electronic summary record for people living in Hampshire, Portsmouth and Southampton, previously known as the Hampshire Health Record (HHR).
GP Surgeries, hospitals, social care and community care teams collect information about you and store it electronically on separate computer systems.
The Care and Health Information Exchange stores summary information from these organisations in one place so that – with your consent – professionals can view it to deliver better care to you.
This record contains more information than the SCR, but is only available to organisations in Hampshire.
For more information Visit http://chie.org.uk/
There are some national services like the National Cancer Screening Programme that collect and keep information from across the NHS.
This is how the NHS knows when to contact you about services like cervical, breast or bowel cancer screening.
Often you have the right to not allow these organisations to have your information.
You can find out more about how the NHS holds and shares your information for national programmes on the NHS Choices website.
Data Extraction by the Clinical Commissioning Group – the Clinical Commissioning Group at times extracts information about your care but the information they extract via our computer systems cannot identify you to them. This information only refers to you by way of a code that only your Practice can identify (it is pseudonymised*). We will never give the CCG access to any system or information that would enable them to identify you.
The Clinical Commissioning Group requires this pseudonymised information for the following purposes:
- For management and monitoring of the GP Practice core contract
- For management and monitoring of the GP Practice enhanced services
- For assurance of compliance with these contracts
- For assurance of the effective spending of public funding
- To conform with delegated responsibilities from NHS England
- To fulfil the CCGs role in ensuring services commissioned meet patient population need and are being delivered in accordance with commissioning intentions
As well as the Clinical Commissioning Groups, sometimes the Practice shares information with other NHS organisations that do not directly treat you.
Normally, it will not be possible to identify you from this information. This information is used to plan and improve services.
The information collected includes data such as the area patients live, age, gender, ethnicity, language preference, country of birth and religion.
The CCG also collects information about whether patients have long term conditions such as diabetes; blood pressure, cholesterol levels and medication.
However, this information is anonymous and does not include anything written as notes by the GP and cannot be linked to you.
The Practice currently has two data sharing agreements, both of which are in place with Southern Health NHS Foundation Trust, our community services provider. The agreements cover:
- Integrated Care Teams (community nurses, physiotherapists and occupational therapists) being able to access GP information about people on their caseload who have recently been discharged from hospital, or who are housebound, or who require longer term rehabilitation from the GP record. This information can be read by the healthcare professional to improve the patients care, but they are not able to amend the GP medical record;
- Other GP Practices within Fareham & Gosport and South Eastern Hants CCG in relation to the new GP Extended Access Service (GPEAS).
We will enable other GP’s and staff in other GP Practices to have access to your medical record to allow you to receive acute medical care within that service.
This service is for your direct care and is fully consented, permission to share your medical record will be gained prior to an appointment being made in the service and again once you are in the consultation.
Your registered surgery will continue to be responsible for your full medical record.
Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission.
Risk stratification data tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected from GP Practice record systems.
GPs will be able to identify which of their patients are at risk in order to offer a preventative service to them.
Risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority.
NHS England encourages GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable hospital admissions and to promote quality improvement in GP Practices.
Please note that you have the right to opt out of your data being used in this way.
Provides our Medical notes software and act as data processors.
Docmail is an external printing and mailing agency which we use to send larges batches of letters.
SMS and smart messaging system between the practice and patients.
The practice’s primary general IT support provider.
Healthcare Computing support staff are able to remotely dial in with the consent of our staff for problem solving.
Provides the platform for online consultations requests
Patient data is encrypted, consultation information is stored in pseudonymised form on eConsult servers.
We will sometimes send by email or discuss by phone identifiable information when the organisation is supporting a GP in a patient complaint or litigation. Information will be redacted where possible.
MDU / MPS
How long do we keep your information?
Health and social care records are subject to a nationally agreed code of practice which regulates the minimum period for which records must be kept.
This specifies that GP record should be retained until 10 years after the patient’s death or after the patient has permanently left the country, unless they remain in the European Union.
Electronic patient records must not be destroyed or deleted for the foreseeable future.
For more information, see the records management code of practice: https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016
How do we keep your information safe?
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- General Data Protection Regulation 2017
- Data Protection Act 1998
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- Health and Social Care Act 2012
- NHS Codes of Confidentiality, Information Security and Records Management
- Information: To Share or Not to Share Review
We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances such as a life or death situation, or where the law requires information to be passed, or where it is in the best interest of the patient to share the information.
In May 2018, a new national regulation called the General Data Protection Regulation will come into force and the Practice has a legal responsibility to ensure that we will also comply with these regulations.
Your individual rights
You have a right under the Data Protection legislation to request access to obtain copies of all the information the surgery holds about you. You are also allowed to have information amended should it be inaccurate.
In order to access your medical record, you need to let the Practice know by making a Subject Access Request (SAR).
The Practice will respond to your request within one month of receipt of your request. You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located.
Usually there is no charge to see the information that the Practice holds about you unless the request is excessive or complicated.
For information about your hospital medical records, you should write direct to them.
If you feel that the personal data that the Practice holds about you is inaccurate or incomplete then please let us know and we will update your records within one month of notification.
If this incorrect information has been sent onwards, we will also inform any other organisations of this.
If it is not possible to correct the information then we will write to you to let you know the reason behind the decision and inform you how you can complain about this.
You have the right to access your data in a format which allows you to re-use and share it with other organisations should you wish.
As such, we will provide your data in a structured, commonly used and machine readable form.
As a patient, you have the right to object to personal data about you being used or shared.
You also have the right to restrict the use of data the Practice holds about you. If you do wish to opt-out please contact the Practice. This will prevent your confidential information being used other than where necessary by law.
If you are a carer and have a Lasting Power of Attorney for health and welfare then you can also object to personal data being used or shared on behalf of the patient who lacks capacity.
If you do not hold a Lasting Power of Attorney then you can raise your specific concerns with the patient’s GP. If you have parental responsibility and your child is not able to make an informed decision for themselves, then you can make a decision about information sharing on behalf of your child. If your child is competent then this must be their decision.
Note your decisions on the enclosed form and return to Reception. You can change your mind at any time, just complete another form.
Objections / Complaints
We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate.
Should you have any concerns about how your information is managed at the Practice, please contact Kate Hope, Practice Manager. The Practice will listen to your concerns and try and act upon the concerns raised as best we are able.
If you are still unhappy following a review by the GP Practice you can then complain to the Information Commissioners Office (ICO). ICO can also provide further independent advice about data protection, privacy, data sharing issues and your rights www.ico.gov.uk postal address:
Information Commissioner’s Office
Telephone: 0303 123 1113
Definitions of information/data:
- Data Processor – An organisation or body that processors, reviews, updates or amends, or stores information about individuals
- Personal Confidential Information – this term describes personal information or data about identified or identifiable individuals, which should be kept private or secret. For the purposes of this notice ‘personal’ includes the Data Protection Act definition of personal data, but it is adapted to include deceased as well as living people. ‘Confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ and is adapted to include ‘sensitive’ as defined in the Data Protection Act.
- Pseudonymised* – this is data that has undergone a technical process that replaces your identifiable information such as NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data
- Anonymised – this is data about individuals but with identifying details removed so that there is little or no risk of the individual being re-identified
- Aggregated – anonymised information that is grouped together so that it doesn’t identify individuals