Privacy – Kenton Clinic

Privacy notice

As data controllers, GPs have fair processing responsibilities under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). This means ensuring that your personal confidential data (PCD) is handled in ways that are safe, transparent and what you would reasonably expect. Please find documents and links below.

Our data protection officer is Dr Peter J David.

Fair Processing

How we use your information

This privacy notice explains why the GP Practice collects information about you, and how that information may be used.

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk-in clinic, etc.). These records help to provide you with the best possible healthcare.

NHS health records may be electronic, on paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Records which this GP Practice may hold about you may include the following information;

Details about you, such as address and next of kin
Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
Notes and reports about your health
Details about your treatment and care
Results of investigations, such as laboratory tests, x-rays, etc.
Relevant information from other health professionals, relatives or those who care for you

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used for clinical audit to monitor the quality of the service provided.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.

Sometimes your information may be requested to be used for research purposes – the surgery will always endeavour to gain your consent before releasing the information.

Risk Stratification

Risk stratification tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention. Information about you is collected from a number of sources including NHS Trusts and from this GP Practice. A risk score is then arrived at through an analysis of your de-identified information using software managed by the North West London Commissioning Support Unit as the data processor and is only provided back to your GP or member of your care team as data controller in an identifiable form. Risk stratification enables your GP to focus on the preventing ill health and not just the treatment of sickness. If necessary your GP may be able to offer you additional services.

Please note that you have the right to opt out.

Should you have any concerns about how your information is managed at the surgery please contact the Practice Manager to discuss how the disclosure of your personal information can be limited.

Invoice Validation

If you have received treatment within the NHS, North West London Commissioning Support Unit may require access to your personal information in order to determine which Clinical Commissioning Group should pay for the treatment or procedure you have received.

Information such as your name, address and date of treatment may be passed on to enable the billing process. These details are held in a secure environment and kept confidential. This information will only be used to validate invoices, and will not be shared for any further commissioning purposes.

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 1998 (which is overseen by the Information Commissioner’s Office), Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security.

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. Anyone who receives information from an NHS organisation has a legal duty to keep it confidential.

We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), or where the law requires information to be passed on.

Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations;

NHS Trusts
Specialist Trusts
Independent Contractors such as dentists, opticians, pharmacists
Private Sector Providers
Voluntary Sector Providers
Ambulance Trusts
Clinical Commissioning Groups
Social Care Services
Local Authorities
Education Services
Fire and Rescue Services
Police
Other ‘data processors’
Access to personal information

You have a right under the Data Protection Act 1998 to access/view what information the surgery holds about you, and to have it amended or removed should it be inaccurate. This is known as ‘the right of subject access’. If we do hold information about you we will:

give you a description of it;
tell you why we are holding it;
tell you who it could be disclosed to; and
let you have a copy of the information in an intelligible form.
If you would like to make a ‘subject access request’. please contact the practice manager in writing.

If you would like further information about how we use your information, or if you do not want us to use your information in this way, please contact the Kenton Clinic.

Freedom of information

The Freedom of Information Act creates a right of access to recorded information and obliges a public authority to:

Have a publication scheme in place
Allow public access to information held by public authorities.

The Act covers any recorded organisational information such as reports, policies or strategies, that is held by a public authority in England, Wales and Northern Ireland, and by UK-wide public authorities based in Scotland, however it does not cover personal information such as patient records which are covered by the Data Protection Act.

Public authorities include government departments, local authorities, the NHS, state schools and police forces.

The Act is enforced by the Information Commissioner who regulates both the Freedom of Information Act and the Data Protection Act.

The Surgery publication scheme

A publication scheme requires an authority to make information available to the public as part of its normal business activities. The scheme lists information under seven broad classes, which are:

who we are and what we do
what we spend and how we spend it
what our priorities are and how we are doing it
how we make decisions
our policies and procedures
lists and registers
the services we offer

You can request our publication scheme leaflet at the surgery.

Who can request information?

Under the Act, any individual, anywhere in the world, is able to make a request to a practice for information. An applicant is entitled to be informed in writing, by the practice, whether the practice holds information of the description specified in the request and if that is the case, have the information communicated to him. An individual can request information, regardless of whether he/she is the subject of the information or affected by its use.

How should requests be made?

Requests must:

be made in writing (this can be electronically e.g. email/fax)
state the name of the applicant and an address for correspondence
describe the information requested.

What cannot be requested?

Personal data about staff and patients covered under Data Protection Act.

For more information see these websites:

National Data Opt-Out

How the NHS and care services use your information

Kenton Clinic is one of many organisations working in the health and care system to improve care for patients and the public

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

improving the quality and standards of care provided
research into the development of new treatments
preventing illness and diseases
monitoring safety
planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care. To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:

See what is meant by confidential patient information
Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
Find out more about the benefits of sharing data
Understand more about who uses the data
Find out how your data is protected
Be able to access the system to view, set or change your opt-out setting
Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
See the situations where the opt-out will not apply

You can also find out more about how patient information is used at: https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation ‘is currently’ compliant with the national data opt-out policy.

Statement of Intent

New contractual requirements came into force from 1 April 2014 requiring that GP Practices should make available a statement of intent in relation to the following IT developments:

Summary Care Record (SCR)
GP to GP Record Transfers
Patient Online Access to Their GP Record
Data for commissioning and other secondary care purposes

The same contractual obligations require that we have a statement of intent regarding these developments in place and publicised by 30 September 2014.

Please find below details of the practices stance with regards to these points.

Summary Care Record (SCR)

NHS England require practices to enable successful automated uploads of any changes to patient’s summary information, at least on a daily basis, to the summary care record (SCR) or have published plans in place to achieve this by 31st of March 2015.

Having your Summary Care Record (SCR) available will help anyone treating you without your full medical record. They will have access to information about any medication you may be taking and any drugs that you have a recorded allergy or sensitivity to.

Of course, if you do not want your medical records to be available in this way then you will need to let us know so that we can update your record. You can do this via the opt out form.

The practice confirms that your SCR is automatically updated on at least a daily basis to ensure that your information is as up to date as it can possibly be.

GP to GP Record Transfers

NHS England require practices to utilise the GP2GP facility for the transfer of patient records between practices, when a patient registers or de-registers (not for temporary registration).

It is very important that you are registered with a doctor at all times. If you leave your GP and register with a new GP, your medical records will be removed from your previous doctor and forwarded on to your new GP via NHS England. It can take your paper records up to two weeks to reach your new surgery.

With GP to GP record transfers your electronic record is transferred to your new practice much sooner.

The practice confirms that GP to GP transfers are already active and we send and receive patient records via this system.

Patient Online Access to Their GP Record

NHS England require practices to promote and offer the facility to enable patients online access to appointments, prescriptions, allergies and adverse reactions or have published plans in place to achieve this by 31st of March 2015.

We currently offer the facility for booking and cancelling appointments and also for ordering your repeat prescriptions and viewing a summary of your medical records on-line. If you do not already have a user name and password for this system – please register your interest with our reception staff.

Data for commissioning and other secondary care purposes

It is already a requirement of the Health and Social Care Act that practices must meet the reasonable data requirements of commissioners and other health and social care organisations through appropriate and safe data sharing for secondary uses, as specified in the technical specification for care data.

At our practice we have specific arrangements in place to allow patients to “opt out” of care.data which allows for the removal of data from the practice. Please see the page about care data on our website

The Practice confirm these arrangements are in place and that we undertake annual training and audits to ensure that all our data is handled correctly and safely via the Information Governance Toolkit.

Website privacy policy

This GP Practice, as the data controller may collect personal information from visitors to this site. This information is used only to respond to enquiries, monitor site usage and to enhance the use of certain technologies – such as activity based information. The GP Practice will at all times comply with the requirements of the Data Protection Act 1998.

Use of Personal Information Provided by the User

Where personal information (e.g. name, address, telephone number etc) is provided to the GP Practice via its website for whatever purpose (e.g. registration, survey, feedback), it is made clear to the individual what the information collected will be used for and who it will be provided to. The GP Practice will only use the information collected for the stated purpose.

At this current time, any personal information provided, is only used by the GP Practice. It will not sell, trade, provide or rent personal information to third parties. Specific personal information will be released where the NHS is required to do so by law, e.g. court order. Transfer of data will be done so on the express permission of the supplying individual.

When you submit personal information, you consent to our use of the information as set out in this privacy policy.

Scope of this Privacy Policy

This privacy policy only covers sites belonging to and operated by the GP Practice. Links within this site to other websites are not covered by this policy.

Changes to this Privacy Policy

The GP Practice may amend this policy from time to time. If substantial changes are made to the way in which the Practice obtains and uses your personal information the website will show prominently any announcement to this effect.

Access to medical records

The practice is registered with the Data Protection Act 2018 (DPA 2018). Any request for access to notes by a patient, patient’s representative or outside body will be dealt with in accordance with the Act. Please contact the Practice Manager for further information.

Summary Care Record

If you’re registered with a GP surgery, you’ll have a Summary Care Record unless you’ve chosen not to have one. It contains basic information including your allergies, medicines and any reactions you’ve had to medicine in the past. By storing all this information in one place, it makes it easier for healthcare staff to treat you in an emergency, or when your GP practice is closed.

Follow this link to the NHS website for more information on how to access your health records

GP2GP

GP2GP allows patients’ electronic health records to be transferred directly, securely, and quickly between their old and new practices, when they change GPs.

Find out more about GP2GP on the NHS website

Your data matters to the NHS

Your health records contain a type of data called confidential patient information. This data can be used to help with research and planning.

You can choose to stop your confidential patient information being used for research and planning. You can also make a choice for someone else like your children under the age of 13.

Your choice will only apply to the health and care system in England. This does not apply to health or care services accessed in Scotland, Wales or Northern Ireland.

Follow this link to find out how this data is used and how to opt out

Patient confidentiality

The practice complies with the Data Protection Act. All information about patients is confidential: from the most sensitive diagnosis, to the fact of having visited the surgery or being registered at the Practice. All patients can expect that their personal information will not be disclosed without their permission except in the most exceptional of circumstances, when somebody is at grave risk of serious harm.

All members of the primary health care team (from reception to doctors) in the course of their duties will have access to your medical records. They all adhere to the highest standards of maintaining confidentiality.

As our reception area is a little public, if you wish to discuss something of a confidential nature please mention it to one of the receptionists who will make arrangements for you to have the necessary privacy.

Under 16s

The duty of confidentiality owed to a person under 16 is as great as the duty owed to any other person. Young people aged under 16 years can choose to see health professionals, without informing their parents or carers. If a GP considers that the young person is competent to make decisions about their health, then the GP can give advice, prescribe and treat the young person without seeking further consent.

However, in terms of good practice, health professionals will encourage young people to discuss issues with a parent or carer. As with older people, sometimes the law requires us to report information to appropriate authorities in order to protect young people or members of the public.

Useful Websites: