Privacy Notices

General Privacy Notice

Who we are, what we do

AT Medics is a multi-award-winning organisation and the largest provider of Primary Care services to the NHS in England. We focus on delivering world-class primary care, supported by prodigious education and innovative technology, made bespoke for primary care. We are a GP-led organisation, with quality improvement, multi-professional working and innovation at the heart of what we do.

Our proven track record in clinical turnaround, stabilisation and sustained general management of General Practice has enabled us to continue to grow our footprint as a trusted NHS provider across London. Since 2004, we have maintained a reputation for clinical quality improvement, operational and digital innovation, and high-quality medical education.

Introduction

This privacy notice lets you know what happens to any personal data that you give to us, or any information that we may collect from you or about you from other organisations. As an organisation, we are committed to being transparent about how we use your data and keep it safe, and will continue to provide accessible information to individuals in line with the UK Data Protection Regulations outlined in the General Data Protection Regulation ‘GDPR’ (EU) 2016/679.

Our Privacy Notice explains:

  • Who we are and how we use your information
  • Information about Data Controller and our Data Protection Officer
  • What kinds of personal information about you we hold and use (process)
  • The legal grounds for our processing of your personal information (including when we share it with others)
  • What should you do if your personal information changes?
  • For how long your personal information is retained / stored by us?
  • What are your rights under Data Protection laws

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018) became law on 25th May 2018. The GDPR is a single EU-wide regulation on the protection of confidential and sensitive (special) information; the DPA 2018 deals with elements of UK law that differ from the European Regulation. Both came into force in the UK on 25th May 2018, repealing the previous Data Protection Act (1998).

This Notice describes how we collect, use and process your personal data, and how in doing so, we comply with our legal obligations to you. Your privacy is important to us, and we are committed to protecting and safeguarding your data privacy rights.

Data Protection Regulation & Data Controller

The General Data Protection Regulation requires organisations to register a notification with the Information Commissioner to describe the purposes for which they process personal and sensitive information. Our registration can be viewed online in the public register at: http://ico.org.uk/what_we_cover/register_of_data_controllers.

Any changes to this notice will be published on our website and in a prominent area at the Practice/GP Hub. Our ICO registration number is Z9497012.

For the purpose of applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”) and the Data Protection Act 2018), the organisation responsible for your personal data is AT Medics Limited.

AT Medics Limited (Head Office, 26-28 Streatham Place, London, SW2 4QY) is the data controller for any personal data that we hold about you.

How we use your information

We primarily use information to enable our clinicians to better treat you and provide your healthcare. However, we also use your information to improve our services by:

  • Reviewing the care we provide through clinical audit
  • Investigating patient queries, complaints and legal claims
  • Ensuring we receive payment for the care you receive
  • Preparing statistics on NHS performance
  • Auditing NHS accounts and services
  • Undertaking health research and development (with your consent – you may choose whether or not to be involved)
  • Training and educating healthcare professionals.

Why do we need your information?

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously. These records help to provide you with the best possible healthcare and treatment.

NHS health records may be electronic, paper-based or a mixture of both. We use a combination of working practices and technology to ensure that your information is kept confidential and secure.

Records about you may include the following information:

  • Details about you, such as your address, your Carer or legal representative and emergency contact details.
  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments.
  • Notes and reports about your health.
  • Details about your treatment and care.
  • Results of investigations such as laboratory tests, x-rays etc.
  • Relevant information from other health professionals, relatives or those who care for you.
  • Contact details (including email address, mobile telephone number and home telephone number)

To ensure you receive the best possible care, your records are used to facilitate the care you receive, including contacting you. Information held about you may be used to help protect the health of the public and to help us manage the NHS and the services we provide. Limited information may be used for clinical audit to monitor the quality of the service we provide.

Sharing your information

We share your personal information with other NHS organisations. For example, we may share your information for healthcare purposes with NHS trusts, General Practitioners and Ambulance Services where they are directly involved in your care. We may need to share information from your health records with other non-NHS organisations, including Social Services. However, we will not disclose any health information to third parties without your explicit consent to do so, unless there are exceptional circumstances, such as when the health and safety of others is at risk or where the law requires it.

We may also be asked by other statutory bodies to share basic information about you, such as your name and address, but not sensitive information from your health records. This would normally be to assist them to carry out their statutory duties. In these circumstances, where it is not practical to obtain your explicit consent, we are informing you through this notice, which is referred to as a Fair Processing Notice, under the Data Protection Act that we may share that data.

These non-NHS organisations may include, but are not restricted to:

  • Social Services
  • Education services
  • Local authorities
  • Police
  • Voluntary sector providers
  • Private sector providers

Other Data Sharing / Access Projects and special cases

Direct Patient Care – Often we have to share information for your medical care, such as with a hospital when we refer you or if you attended an urgent care centre. Many of our services also have electronic links with another GP service, hospital, out of hours or community service so they can see your record that we hold and vice versa when they are dealing with your medical care directly. Please contact the service if you would like more detail.

Special cases and the Law – The law requires us to share information from your medical records in certain circumstances. Information is shared so that the NHS or Public Health England can, for example:

  • plan and manage services;
  • check that the care being provided is safe;
  • prevent infectious diseases from spreading.

We will share information with NHS Digital, the Care Quality Commission and the local health protection team (or Public Health England) when the law requires us to do so.

NHS Digital

  • NHS Digital is a national body which has legal responsibilities to collect information about health and social care services.
  • It collects information from across the NHS in England and provides reports on how the NHS is performing. These reports help to plan and improve services to patients.
  • This service must comply with the law and will send data to NHS Digital, for example, when it is told to do so by the Secretary of State for Health or NHS England under the Health and Social Care Act 2012.
  • More information about NHS Digital and how it uses information can be found at: https://digital.nhs.uk/home
  • NHS Digital sometimes shares names and addresses of patients suspected of committing immigration offences with the Home Office. More information on this can be found here: https://www.gov.uk/government/publications/information-requests-from-the-home-office-to-nhs-digital

Care Quality Commission (CQC)

  • The CQC regulates health and social care services to ensure that safe care is provided.
  • The law says that we must report certain serious events to the CQC, for example, when patient safety has been put at risk.
  • For more information about the CQC see: http://www.cqc.org.uk/

Public Health

  • The law requires us to share data for public health reasons, for example to prevent the spread of infectious diseases or other diseases which threaten the health of the population.
  • We will report the relevant information to the local health protection team or Public Health England. For more information about Public Health England and disease reporting see: https://www.gov.uk/guidance/notifiable-diseases-and-causative-organisms-how-to-report

National Screening Programmes

  • The NHS provides national screening programmes so that certain diseases can be detected at an early stage.
  • These screening programmes include bowel cancer, breast cancer, cervical cancer, aortic aneurysms and a diabetic eye screening service.
  • The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.

More information can be found at: https://www.gov.uk/topic/population-screening-programmes

The Health Service Ombudsman (HSO) – HSO was set up by Parliament to provide an independent complaint handling service for complaints that have not been resolved by the NHS in England and UK government departments. The HSO has the power to request access to a patient’s medical records for the purpose of an investigation.

Medical Research – We share information from medical records:

  • to support medical research when the law allows us to do so, for example to learn more about why people get ill and what treatments might work best;
  • we will also use your medical records to carry out research within the practice/GP Hub.

This is important because:

  • the use of information from GP medical records is very useful in developing new treatments and medicines;
  • medical researchers use information from medical records to help answer important questions about illnesses and disease so that improvements can be made to the care and treatment patients receive.

We share information with medical research organisations when the law allows. You have the right to opt out from your information being used or shared for medical research purposes. Please speak to the practice/GP Hub if you wish to object.

CCTV – Some of our practices/GP Hubs have CCTV in place for security reasons. These records are kept secure in a similar manner to patient records and follow the ICO code of practice. Information is only shared in the exceptional circumstances set out above.

Risk Stratification – Risk stratification data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive intervention.

Information about you is collected from a number of sources including NHS Trusts and from this GP Practice/GP Hub. A risk score is then arrived at through an analysis of your de-identified information and is only provided back to your GP as data controller in an identifiable form. Risk stratification enables your GP to focus on preventing ill health and not just the treatment of sickness. If necessary, your GP may be able to offer you additional services. Please note that you have the right to opt out.

Safeguarding – The service is dedicated to ensuring that the principles and duties of safeguarding adults and children are holistically, consistently and conscientiously applied with the wellbeing of all, at the heart of what we do.

Our legal basis for processing for General Data Protection Regulation (GDPR) purposes is:
Article 6(1)(e) ‘…exercise of official authority…’.

For the processing of special categories data, the basis is:
Article 9(2)(b) – ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’

Medicines Management – The service may conduct Medicines Management Reviews of medications prescribed to its patients. This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost-effective treatments. The reviews are carried out by the CCG’s Medicines Management Team under a Data Processing contract with the Practice/GP Hub.

Invoice Validation – Invoice validation is an important process. It involves using your NHS number to check that the CCG is responsible for paying for your treatment. We can also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for. The process makes sure that the organisations providing your care are paid correctly. The legal basis to use information for invoice validation is provided under Regulations made under section 251 of the NHS Act 2006 and is based on the advice of the Health Research Authority’s Confidentiality and Advisory Group (reference CAG 7-07(a) and (b)/2013).

Mobile telephone number and email address – If you provide us with your mobile phone number and email address, we may use this to send you reminders about your appointments or other health screening information. Please let us know if you do not wish to receive reminders/information on your mobile or email. We are obliged to protect any confidential information we hold about you and we take this very seriously; it is imperative that you let us know immediately if you change any of your contact details. This is to ensure we are actually contacting you and not another person.

Summary Care Record (SCR) – The NHS in England uses a national electronic record called the Summary Care Record (SCR) to support patient care. It contains key information from your GP record. Your SCR provides authorised healthcare staff with faster, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable.

Summary Care Records are there to improve the safety and quality of your care. SCR core information comprises your allergies, adverse reactions and medications. An SCR with additional information can also include reason for medication, vaccinations, significant diagnoses / problems, significant procedures, anticipatory care information and end of life care information. Additional information can only be added to your SCR with your agreement.

Please be aware that if you choose to opt-out of SCR, NHS healthcare staff caring for you outside of this surgery may not be aware of your current medications, allergies you suffer from and any bad reactions to medicines you have had, in order to treat you safely in an emergency. Your records will stay as they are now with information being shared by letter, email, fax or phone. If you wish to opt-out of having an SCR please let us know at your registered practice/GP Hub.

Seen in GP Hubs – Unless you decline consent, we will share information from any consultations in our GP Hubs with your registered GP practice as a discharge summary to your registered GP. With your consent, we will pass information on to Secondary Care where we deem it appropriate to refer you for further investigation. Whilst we will not make routine referrals, with your consent, we will make urgent Two Week Wait referrals during consultation if deemed appropriate. We will share the information from any consultations in our GP Hubs with your registered GP practice. Comprehensive Data Sharing Agreements are in place to have access to care records.

Fraud Prevention – We are required by law to protect the public funds we administer. Primary Care Sheffield may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

Clinical Audit – Information may be used for clinical audit to monitor the quality of the service provided. Some of this information may be held centrally and used for statistical purposes e.g. the National Diabetes Audit. Where we do this, we take strict measures to ensure that individual patients cannot be identified.

Cabinet Office – The use of data by the Cabinet Office for data matching is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 1998. Data matching by the Cabinet Office is subject to a Code of Practice. You can view further information on the Cabinet Office’s legal powers and the reasons why it matches particular information at: https://www.gov.uk/government/publications/code-of-data-matching-practice-for-nationalfraud-initiative

Data linkage with other datasets – Data may be de-identified and linked so that it can be used to improve health care and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (inpatient, outpatient and A&E).

In some cases, there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc, as well as mental health and community-based services such as Improving Access to Psychological Therapies (IAPT), community nursing, podiatry etc. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity.

The organisation responsible for processing de-identified and linked data under this category, on behalf of the Practice/GP Hub at the local clinical commissioning group. We ensure that the data processor is legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

Electronic Prescription Service (EPS) – The Electronic Prescription Service (EPS) is an NHS service that gives you the chance to change how we send your prescription to the place you nominate to get your medicines or appliances from. The purpose of the processing of your personal health data is to enable the electronic transmission of prescriptions to community pharmacies or a dispensing appliance contractor, depending on who you have nominated. This means that we actively seek and record your agreement to the use or disclosure of your information, before any such processing takes place.

Open Exeter – Open Exeter is a web-enabled viewer which provides the facility for healthcare professionals to share/access patient data held on the National Health Application and Infrastructure Services (NHAIS) systems, including cervical screening, breast screening, organ donor, blood donor and home oxygen. Access to Open Exeter is only possible on the N3 network, and via authorised logons/passwords provided by NHS Digital.

Computer System – This service operates a Clinical Computer System on which NHS Staff record information securely. This information can then be shared with other clinicians so that everyone caring for you is fully informed about your medical history, including allergies and medication.

Shared Care Records – To support your care and improve the sharing of relevant information to our partner organisations (as above) when they are involved in looking after you, we will share information to other systems. You can opt out of this sharing of your records with our partners at any time if this sharing is based on your consent.

Websites – Our websites allow our patients to have access to practice-related information as well as provide an interactive platform to communicate with the practice via E-Consultations in a safe, secure and effective manner. Our website also allows new patients to register online. All patient data provided via our websites complies with NHS compliance and security standards.

Third party data processors

In order to deliver the best possible service, the service will share data (where required) with other NHS bodies such as other GP practices and hospitals. In addition, the service will use carefully selected third party service providers. When we use a third party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately.

Examples of functions that may be carried out by third parties include:

  • Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc.
  • Delivery services (for example if we were to arrange for delivery of any medicines to you).
  • Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).
  • Human Resource and Finance functions
  • Other service providers for the delivery of clinical care
  • Mailing services – enables primary health care organisations to send letters, invoices and documents directly from computers and other portable devices.
  • Document management – provides cloud-based storage software for electronic patient documents. This includes letters that we receive, scan and upload to the patient record, as well as letters that we receive in an electronic format. Generally, this software enables primary health care organisations to capture, file, workflow, view and manage primary care documents efficiently and electronically.
  • Text messaging service providers – cloud-based text messaging services used by GPs to communicate with their patients. The source of the information shared in this way is your electronic GP record for the purposes of direct administrative patient care.

This is not an exhaustive list but it shows some examples of third party providers.

Further details regarding specific third-party processors can be supplied on request to the Data Protection Officer as below.

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 2018
  • The General Data Protection Regulations 2016
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality, Information Security and Records Management
  • Information: To Share or Not to Share Review

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.

Our policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the General Data Protection Regulation (GDPR) and all UK specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be protected.

All employees and sub-contractors engaged by our service are asked to sign a confidentiality agreement. The service will, if required, sign a separate confidentiality agreement if the client deems it necessary. If a sub-contractor acts as a data processor for AT Medics, an appropriate contract (art 24-28) will be established for the processing of your information.

In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact the Data Protection Officer in writing if you wish to withdraw your consent. In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose in an identifiable format. In some circumstances you can Opt-out of the surgery sharing any of your information for research purposes.

Where do we store your information electronically?

All the personal data we process is processed by our staff in the UK; however, for the purposes of IT hosting and maintenance this information may be located on servers within the European Union.

No 3rd parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place (such as a Data Processor as above). We have a Data Protection regime in place to oversee the effective and secure processing of your personal and/or special category (sensitive, confidential) data.

Who are our partner organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:

  • NHS Trusts / Foundation Trusts
  • GPs / GP Practices
  • Primary Care Networks
  • NHS Commissioning Support Units
  • Independent Contractors such as dentists, opticians, pharmacists
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • Social Care Services
  • NHS England (NHSE) and NHS Digital (NHSD)
  • Multi Agency Safeguarding Hub (MASH)
  • Local Authorities
  • Education Services
  • Fire and Rescue Services
  • Police & Judicial Services
  • Other ‘data processors’ which you will be informed of

You will be informed who your data will be shared with and in some cases asked for consent for this to happen when this is required.

Sharing your information without consent

We will normally ask you for your consent, but there are times when we may be required by law to share your information without your consent, for example:

  • where there is a serious risk of harm or abuse to you or other people;
  • Safeguarding matters and investigations
  • where a serious crime, such as assault, is being investigated or where it could be prevented;
  • notification of new births;
  • where we encounter infectious diseases that may endanger the safety of others, such as Meningitis or measles (but not HIV/AIDS);
  • where a formal court order has been issued;
  • where there is a legal requirement, for example if you had committed a Road Traffic Offence.

With your consent we would also like to use your information

There are times that we may want to use your information to contact you or offer you services, not directly about your healthcare. In these instances we will always gain your consent to contact you. We would however like to use your name, contact details and email address to inform you of other services that may benefit you. We will only do this with your consent. There may be occasions where authorised research facilities would like you to take part in innovations, research, improving services or identifying trends; you will be asked to opt into such programmes if you are happy to do so.

At any stage where we would like to use your data for anything other than the specified purposes and where there is no lawful requirement for us to share or process your data, we will ensure that you have the ability to consent and opt out prior to any data processing taking place.

This information is not shared with third parties or used for any marketing and you can unsubscribe at any time via phone, email or by informing the service DPO as below.

We may also use external companies to process personal information, such as for archiving purposes. These companies are bound by contractual agreements to ensure information is kept confidential and secure. All employees and sub-contractors engaged by our service are asked to sign a confidentiality agreement. If a sub-contractor acts as a data processor for AT Medics, an appropriate contract (art 24-28) will be established for the processing of your information.

How long will we store your information?

We are required under UK law to keep your information and data for the full retention periods as specified by the NHS Records management code of practice for health and social care and national archives requirements. More information on records retention can be found online at (https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016).

Your rights – How can you access, amend or move the personal data that you have given to us?

Even if we already hold your personal data, you still have various rights in relation to it. To get in touch about these, please contact us. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of any applicable laws. Please note that we may keep a record of your communications to help us resolve any issues which you raise.

The right to be informed via Privacy notices such as this one.

The right to free access to any personal information we hold about you. You are entitled to receive a copy of your personal data – free of charge – and within 30 calendar days of our receipt of your subject access request, provided you have submitted the correct proof of identity details.

The right of rectification. If you believe your details are incorrect, we are required to correct inaccurate or incomplete data within one month.

The right to erasure. Ordinarily under GDPR you have the right to have your personal data erased and to prevent processing, however, this right does not apply to GDPR Art 9 – special category data. The processing we conduct is necessary for the purposes of preventative or occupational medicine for medical diagnosis; and for the provision of health and social care systems. Your data is processed by and under the responsibility of healthcare professionals who are subject to a legal obligation of professional secrecy.

The right to restrict processing. You have the right to suppress processing. We can retain just enough information about you to ensure that the restriction is respected in future.

The right to data portability. We can provide you with your personal data in a structured, commonly used, machine readable form when you request your data.

The right to object. You can object to your personal data being used for profiling, direct marketing or research purposes.

You have rights in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.

Access to your personal information

You have a right under the Data Protection legislation to request access to view or to obtain copies of what information the surgery holds about you and to have it amended should it be inaccurate.

To request this, you need to do the following:

  • Your request should be made to the Practice/GP Hub. (For information from a hospital or other Trust/NHS organisation you should write direct to them.)
  • There is no charge to have a copy of the information held about you
  • We are required to provide you with information within one month
  • You will need to give adequate information (for example full name, address, date of birth, NHS number and details of your request) so that your identity can be verified and your records located.

If you wish to have a copy of the information we hold about you, please contact your registered GP Practice or the relevant GP Hub.

Your right to withdraw consent for us to share your personal information

At any time, you have the right to refuse/withdraw consent to information sharing. The possible consequences will be fully explained to you and could include delays in receiving care. If you wish to discuss this, please contact either the reception at the service you are accessing or by writing to the Practice/GP Hub Manager detailing which services you currently access and the best way for us to contact you to discuss the consent withdrawal.

What should you do if your personal information changes?

You should tell us so that we can update our records. Please contact the Practice/GP Hub Manager as soon as any of your details change. This is especially important for changes of address or contact details (such as your mobile phone number). The practice will from time to time ask you to confirm that the information we currently hold is accurate and up-to-date.

Objections / Complaints

Should you have any concerns about how your information is managed at the GP, please contact the GP Practice Manager or GP Hub Manager or the Data Protection Officer:
Email: dpo.atm@nhs.net
Postal: AT Medics Limited 26-28 Streatham Place London SW2 4QY

If you are still unhappy following a review by our Caldicott Guardian, you can then complain to the Information Commissioner’s Office (ICO) via their website (www.ico.gov.uk).

What you need to do next

If you are happy for your data to be used for the purposes described in this privacy notice, then you do not need to do anything. If you have any concerns about how your data is shared, then please contact our Data Protection Officer. If you would like to know more about your rights in respect of the personal data we hold about you, please contact our Data Protection Officer.

Data Protection Officer

Any queries regarding Data Protection issues should be addressed by email and the details are:
Email: dpo.atm@nhs.net
Postal:
Data Protection Officer
AT Medics Limited
26-28 Streatham Place
London
SW2 4QY

Changes

It is important to point out that we may amend this Privacy Notice from time to time. If you are dissatisfied with any aspect of our Privacy Notice, please contact the Practice/GP Hub Data Protection Officer.

Cookies

Our site uses cookies to distinguish you from other users of our site. This helps us to provide you with a good experience when you browse our site and also allows us to improve our site. By continuing to browse the site, you are agreeing to our use of cookies. A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer or your mobile device if you agree. Cookies contain information that is transferred to your computer’s hard drive or your mobile device.

We use the following cookies:

  • Strictly necessary cookies. These are cookies that are required for the operation of our site. They include, for example, cookies that enable you to login to secure areas of our site;
  • Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our site when they are using it. This helps us to improve the way our site works, for example, by ensuring that users are finding what they are looking for easily;
  • Functionality cookies. These are used to recognise you when you return to our site. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region);
  • Targeting cookies. These cookies record your visit to our site, the pages you have visited and the links you have followed. We will use this information to make our site more relevant to your interests. We may also share this information with third parties for this purpose.

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.

Except for essential cookies, all cookies will expire after 12 months.

Last updated on 07/10/2020

Care.Data

Information about you and the care you receive is shared, in a secure system, by healthcare staff to support your treatment and care.

It is important that the NHS can use this information to plan and improve services for all patients. We would like to link information from all the different places where you receive care, such as your GP, hospital and community service, to help us provide a full picture. This will allow us to compare the care you received in one area against the care you received in another, so we can see what has worked best.

Information such as your postcode and NHS number, but not your name, will be used to link your records in a secure system, so your identity is protected. Information which does not reveal your identity can then be used by others, such as researchers and those planning health services, to make sure we provide the best care possible for everyone.

How your information is used and shared is controlled by law and strict rules are in place to protect your privacy.

We need to make sure that you know this is happening and the choices you have.

For Further Details please see the documents below:

COVID-19 Privacy Notice

Introduction

This notice describes how we may use your information to protect you and others during the Covid-19 (Coronavirus) outbreak. It supplements our main Privacy Notice which is available on our website.

In the current emergency it has become even more important to share health and care information quickly across relevant organisations, to deliver care to individuals, support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. The health and social care system is facing significant extra pressures due to the Covid-19 outbreak.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. The Secretary of State requires NHS Digital; NHS England and NHS Improvement; Arm’s Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any arrangements put in place specifically to use or share information during the Covid-19 outbreak are temporary and will be limited to the period of the outbreak unless there is another existing legal basis that covers the use and sharing of that data.

During the COVID-19 outbreak London Clinical Commissioning Groups will not process any new requests to opt-out of local data sharing arrangements such as the One London Health and Care Record exemplar, Connecting your Care or The National Data Opt-Out.

All opt-out requests currently submitted will be held until the outbreak ceases at which point, the request to opt-out will be processed.

It may take us longer to respond to Subject Access Requests and Freedom of Information requests whilst we focus our efforts on responding to the outbreak.

In order to look after your health and care needs, we may share your confidential patient information including health and care records with clinical and non-clinical staff in other health and care providers, for example, neighbouring GP practices, hospitals and NHS 111. We may also use the details we have to send public health messages to you, either by phone, text or email.

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance, such as Public Health England, for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. During this period of emergency, you may be offered a consultation via telephone or videoconferencing. Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation.

We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated.

Data Controller

AT Medics Limited is the data controller for any personal data that we hold about you.

Data Protection Officer

The Practice Data Protection Officer is Hasib Aftab of AT Medics Limited. Any queries regarding Data Protection issues should be addressed to him at:

Email: dpo.atm@nhs.net
Postal:
AT Medics Limited
26-28 Streatham Place
London, SW2 4QY

Purpose of the processing of your data

The purpose of the envisaged temporary Covid-19 data flows is to effectively treat and prevent the onward spread of COVID-19, as such there is a need to share Patient Identifiable Data and Special Category (or sensitive) information. However, for each new data flow a review will be undertaken to ensure that the minimum amount of personal data is processed and processed securely.

Lawful basis for processing your data

Under the General Data Protection Regulation (EU GDPR), Article 6, 1(c)- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

There are a number of pieces of legislation currently available to allow the processing of personal data and special category data in response to public health outbreaks, which include:

  • Public Health (Control of Disease) Act 1984
  • The Health and Social Care Act 2008 (by virtue of The Care Act 2014)

The relevant basis in UK law is set out in the Data Protection Act (DPA) 2018, in Schedule 1 condition 2. This condition covers the following purposes:

  • preventive or occupational medicine;
  • the assessment of an employee’s working capacity;
  • medical diagnosis;
  • the provision of health care or treatment;
  • the provision of social care (this is likely to include social work, personal care and social support services); or
  • the management of health care systems or services or social care systems or services.

Article 9(3) of the GDPR contains the additional safeguard that you can only rely on this condition if the personal data is being processed by (or under the responsibility of) a professional who is subject to an obligation of professional secrecy. Section 11 of the DPA 2018 makes it clear that in the UK this includes:

  • a health professional or a social work professional; or
  • another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

By virtue of the Data Protection Act 2018 (c. 12) Schedule 1 — Special categories of personal data and criminal convictions etc data, Part 1 – Conditions relating to employment, health and research etc, paragraph 3(a), processing meets the GDPR Article 9 condition ‘if processing is necessary for reasons of public interest in the area of public health’.

Recipient or categories of recipients of the processed data

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 2018
  • The General Data Protection Regulations 2016
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • Health and Social Care Act 2012
  • NHS Codes of Confidentiality, Information Security and Records Management
  • Information: To Share or Not to Share Review

Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential.

We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (i.e. life or death situations), where the law requires information to be passed on and / or in accordance with the information sharing principle following Dame Fiona Caldicott’s information sharing review (Information to share or not to share) where “The duty to share information can be as important as the duty to protect patient confidentiality.” This means that health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by the Caldicott principles.

Our practice policy is to respect the privacy of our patients, their families and our staff and to maintain compliance with the General Data Protection Regulation (GDPR) and all UK specific Data Protection Requirements. Our policy is to ensure all personal data related to our patients will be protected.

All employees and sub-contractors engaged by our practice are asked to sign a confidentiality agreement. The practice will, if required, sign a separate confidentiality agreement if the client deems it necessary. If a sub-contractor acts as a data processor for AT Medics, an appropriate contract (art 24-28) will be established for the processing of your information.

In certain circumstances you may have the right to withdraw your consent to the processing of data. Please contact the Data Protection Officer in writing if you wish to withdraw your consent. In some circumstances we may need to store your data after your consent has been withdrawn to comply with a legislative requirement.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified. Sometimes your information may be requested to be used for research purposes – the surgery will always gain your consent before releasing the information for this purpose in an identifiable format. In some circumstances you can Opt-out of the surgery sharing any of your information for research purposes.

Right to access and correct

All the personal data we process is processed by our staff in the UK; however, for the purposes of IT hosting and maintenance, this information may be located on servers within the European Union.

No 3rd parties have access to your personal data unless the law allows them to do so and appropriate safeguards have been put in place (such as a Data Processor as above). We have a Data Protection regime in place to oversee the effective and secure processing of your personal and/or special category (sensitive, confidential) data.

Retention period

The data will be retained in line with the law and national guidance. For more information, see https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016 or speak to the South West London CCG.

Right to Complain

You have the right to complain to the practice, to the Data Protection Officer (details above) or to the Information Commissioner’s Office (ICO). You can use this link, https://ico.org.uk/global/contact-us/, or call their helpline on Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate).
There are National Offices for Scotland, Northern Ireland and Wales, (see ICO website).

Note: This Privacy Notice sets aside the requirements of the Common Law Duty of Confidentiality for COVID-19 purposes. Regulation 4 of the Health Service Control of Patient Information Regulations 2002 provides that ‘information may be processed in accordance with these Regulations, notwithstanding any common law obligation of confidence’, meaning that identifiable patient data can be shared with other organisations where it is ‘necessary’ for a COVID-19 purpose.

Three circumstances making disclosure of confidential information lawful are:

  • where the individual to whom the information relates has consented;
  • where disclosure is in the public interest; and
  • where there is a legal duty to do so, for example a court order.

Summary Care Records Privacy Notice

A Summary Care Record is an electronic record containing key health information, which can be made available to NHS healthcare staff caring for you in an emergency or when your GP practice is closed. If you haven’t already made your choice, please make it now.

Yes I would like a Summary Care Record

You do not need to do anything and a Summary Care Record will be made for you.

No I do not want a Summary Care Record

There are two ways to opt out from the Summary Care Record.

Your existing health record at your GP practice will continue to be used as it is now.

If you are still unsure

If you are still unsure about the Summary Care Record, please ask us at reception for a leaflet, which provides more information to help you decide. You can also phone the Summary Care Record information line on 0300 123 3020 or visit the website at systems.hscic.gov.uk/scr

Information sharing with other services

We may need to share your medical information with other organisations involved in the delivery of your care e.g. Podiatry or District Nursing. We will not share identifiable information with anyone that isn’t involved in your care unless legally required to.

You would have been asked to opt in or out when you registered at one of our GP surgeries as follows: “Are you happy for us to Share Out your full medical records electronically with other services involved in your care and/or to view (Share In) medical records held by other services?”

If you wish to reconsider or do not consider that you have opted in or out, you may contact our practice reception to discuss further and appropriate action will be taken.

Information sharing for research purposes

The staff at this GP practice/GP hub record information about you and your health so that you can receive the right care and treatment. We need to record this information, together with the details of the care you receive, because it may be needed if we see you again.

We may use some of this information for other reasons, for example, to help us to protect the health of the general public, to plan for the future, to train staff and to carry out medical and other health research to drive healthcare forwards and improve patient outcomes.

If you are happy for your information to be used in this way you do not have to do anything. If you have any concerns or wish to prevent this from happening, please speak to your GP practice/GP hub.

Your care and your relationship with your doctor will not be affected in any way if you decide not to share your data for research purposes.

Current research programmes:

IQVIA

We are currently involved in a research and patient insights programme called the IQVIA Medical Research Extraction Scheme (MRES) for which we provide non-identified information from patients’ electronic medical records. The data collected is non-identified which means it DOES NOT include any direct patient identifiers such as names, addresses, NHS numbers, or full dates of birth, nor any direct identifiers of practices participating in this data extraction scheme. Individual patients’ records are added into a much larger non-identified database, containing records from millions of patients across the UK and may be linked to other data, such as hospital data.

If you would like to opt out of the IQVIA MRES data collection scheme, you can opt out by speaking to your doctor, and no data from your records will be collected for use in research. This will not affect your care in any way.

For more information visit:
https://documentcloud.adobe.com/link/review?uri=urn:aaid:scds:US:e839459c-5cc3-4e0b-90c7-d0ccf52cd407

For more information on how your data is used visit:
https://www.iqvia.com/locations/uk-and-ireland/medical-research-data

CPRD

Clinical Practice Research Datalink (CPRD) is a government organisation that provides anonymised patient data for research to improve patient and public health. You cannot be identified from the information sent to CPRD. If you do not want anonymised information from your patient record to be used in research you can opt out by speaking to your doctor.
For more information about how your data is used visit: www.cprd.com/public

Last updated on 07/10/2020