Privacy Notice

Phoenix Health Group aims to ensure the highest standard of medical care for our patients.  To do this we keep records about you, your health and the care we have provided or plan to provide to you.

This Privacy Notice does not provide exhaustive details of all aspect of the collection and use of personal information by Phoenix Health Group.  However, we are happy to provide any additional information or explanation needed.  If you require further information please contact us via our website.

How We Use Your Information

In order to provide for your care, we need to collect and keep information about you and your health on our records.  Your information is used to:

  • Provide a basis for all health decisions made by care professionals with and for you;
  • Make sure your care is safe and effective;
  • Work effectively with others providing you with care;
  • Send text notifications to you about appointment reminders, flu clinics, health promotion information, etc. (You can opt out of the text notification service at any time by phoning the practice on 01285 652056).

We may also use, or share, your information for the following purposes:

  • Looking after the health of the general public;
  • Making sure that our services can meet patient needs in the future;
  • Auditing – Using patient health information to review and improve the quality of healthcare. Patient identifiable information is only used within the practice. (Patients have the right to request that their health information is not included in audits);
  • Preparing statistics on NHS performance and activity (only anonymised information is used)
  • Investigating concerns, complaints or legal claims;
  • Helping staff to review the care they provide to make sure it is of the highest standards;
  • Training and educating staff;
  • Research approved by the Local Research Ethics Committee. (If anything to do with the research would involve you personally, you will be contacted to provide consent).

Disclosure of Information to Other Health and Social Professionals

We work with a number of other NHS and partner agencies to provide healthcare services to you.  Below is a list of organisations that we may share your information with:

Our Partner Organisations:-

  • Other NHS hospitals
  • Relevant GP Practices
  • Dentists, Opticians and Pharmacies
  • Private Sector Providers (private hospitals, care homes, hospices, contractors providing services to the NHS)
  • Voluntary Sector Providers who are directly involved in your care
  • Ambulance Service
  • Specialist Services
  • Health and Social Care Clusters
  • Out of Hours Medical Service
  • NHS England

We may also share your information with your consent, and subject to strict sharing protocols, about how it will be used, with:

  • Health and Social Care
  • Police and Fire Services

Details That We Collect About You

The health care professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS Trust, GP Surgery, Walk in Clinic etc.). These records help to provide you with the best possible healthcare.

Records which this Practice may hold about you could include the following:-

  • Details about you, such as your address, contact details, next of kin etc.
  • Any contact the surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Results of investigations, such as laboratory tests, x-rays, etc.
  • Relevant information from other health professionals, relatives or those who care for you

How the NHS and care services use your information

We are one of many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.

The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • direct patient care
  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law. See Annex A for further information.

Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.

You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.  On this web page you will:

  • See what is meant by confidential patient information
  • Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
  • Find out more about the benefits of sharing data
  • Understand more about who uses the data
  • Find out how your data is protected
  • Be able to access the system to view, set or change your opt-out setting
  • Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
  • See the situations where the opt-out will not apply

You can also find out more about how patient information is used at:

https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and

https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)

You can change your mind about your choice at any time.

Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.

Risk Prediction

Risk prediction data tools are increasingly being used in the NHS to help determine a person’s risk of suffering a particular condition, preventing an unplanned or (re)admission and identifying a need for preventive information.  Information about you is collected from a number of sources in NHS England including this GP Practice.  A risk score is then arrived at through an analysis of your

de-identifiable information.  Risk prediction enables your GP to focus on preventing ill health and not just the treatment of illness.  If necessary, your GP may be able to offer you additional services.

Summary Care Record (SCR)

Emergency care information such as your name, date of birth, the name of your GP, any medicines which your GP has prescribed, any medicines you are allergic to or react badly to, is shared with Out of Hours as this might be important if you need urgent medical care when the GP surgery is closed.

NHS staff (Doctors, Nurses, Accident and Emergency, Ambulance control and crews) can look at your SCR if they need to treat you when the surgery is closed. They will ask for your consent before they look at your records. In an emergency and if you are unconscious, staff may look at your SCR without your agreement to let them give you the best possible care. Whenever NHS staff looks at your SCR, a record will be kept so we can always check who has looked at your information.

Online Registration for Booking Appointments and Ordering Repeat Prescriptions

This service allows you to book a routine GP appointment 24 hours a day, check your repeat medication, order repeat prescriptions, view your online medical record and make changes to your email and mobile contact number where appropriate.

You will need to register to use this service and can de-register at any time.

The General Practice Data for Planning and Research (GPDPR) Service

The NHS needs data about the patients it treats in order to plan and deliver its services and to ensure that care and treatment provided is safe and effective. The General Practice Data for Planning and Research data collection will help the NHS to improve health and care services for everyone by collecting patient data that can be used to do this.  Further information is available at:-

General Practice Data for Planning and Research: GP Practice Privacy Notice – NHS Digital

Medical Student Placements

The Practice is involved in the training of medical students. As part of this programme medical students work in the Practice and may be involved in your care. If staff would like a student to be present they will ask for your permission before the start of the consultation. The treatment or care you receive will not be affected if you refuse to have a student present during your appointment.

It is usual for GPs to discuss patient case histories as part of their continuing education or for the purpose of training GPs or medical students. In these cases the identity of the patient concerned is not revealed.

Mail to Patients

We occasionally use a printing company to send letters to our patients.  Data sent is encrypted and the Company puts it in a format to print the letter, despatch via Royal Mail, and then delete the information we send.

Mobile Telephone Number

If you provide us with your mobile phone number we may use this to send you reminders about appointments or other health information. Please let us know if you do not wish us to contact you by your mobile phone.

Medicine Management

The Practice may conduct Medicines Management Reviews of medications prescribed to its patients.  This service performs a review of prescribed medications to ensure patients receive the most appropriate, up to date and cost effective treatments.  This service is provided by our clinicians or a Pharmacist working within the Practice.

Clinical Research

We are a Research Practice, so from time to time will participate in research studies. If your data is requested for this purpose we will always gain consent from you before releasing any information for this purpose.

Clinical Practice Research Datalink (CPRD)

Information in patient records is important for medical research to develop new treatments and test the safety of medicines. This practice supports medical research by sending some of this information from patient records to CPRD.

CPRD is a government organisation that provides anonymised patient data for research to improve patient and public health. You cannot be identified from the information sent to CPRD.

If you do not want to anonymised information from your patient record to be used in research you can opt out by speaking to one of our Doctors.

For more information about how your data is used please visit: www.cprd.com/public.

Clinical Audit

Information may be used for clinical audit to monitor the quality of the services we provide. Some of this information may be held centrally, in an anonymised form, within the NHS and used for statistical purposes, e.g. the National Diabetes Audit.

Computer System

This Practice operates a Clinical Computer System on which our staff record information securely.  This information can then be shared with other Clinicians so that everyone caring for you is fully informed about your relevant medical history.

To provide around the clock safe care, unless you have asked us not to, we will make information available to trusted organisations.  Wherever possible, their staff will ask your consent before information is viewed.

We consider patient consent as being the key factor in dealing with your health information.

Shared Care Records

To support your care, and improve the sharing of relevant information to our partner organisations when they are involved in looking after you, we will share information to other NHS systems e.g. medication details for out of hours care.  The general principle is that information is passed to these systems unless you request this does not happen, but that system users should ask for your consent before viewing your record.

Local Sharing Via Joining Up Your Information (JUYI)

Your patient record is held securely and confidentially on our electronic system. If you require services from a health professional at another location, i.e. Emergency Department, Minor Injury Unit or Out of Hours those treating you are able to give appropriate care if some of the information from your GP records is available to them. This information can be shared locally via the JUYI system.

The information is only used by authorised health and social care professionals in Gloucestershire-based organisations, involved in your direct patient care. Your permission will be asked before the information is accessed, unless the health and social care professional is unable to ask you and there is a valid reason for access, which will then be logged.

If you do not wish to share your medical records outside the Practice you can opt out by contacting us via our website, but this might have an impact on the care you receive.

Further information about JUYI can be found at https://www.juyigloucestershire.org/.

How We Keep Your Information Confidential and Secure

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 1998, Article 8 of the Human Rights Act, the Common Law of Confidentiality, The General Data Protection Regulation and the NHS Codes of Confidentiality and Security.  Everyone working in, or for the NHS must use personal information in a secure and confidential way.

We will only ever use or pass on your information if there is a genuine need to do so.  We will not disclose information about you to third parties without your permission unless there are exceptional circumstances, such as when the law requires.

To protect your confidentiality, we will not normally disclose any medical information about you over the telephone, or by fax, unless we are sure that we are talking to you.  This means that we will not disclose information to your family, friends, and colleagues about any medical matters at all, unless we know that we have your consent to do so.

Anyone Who Receives Information From Us Is Also Under A Legal Duty to Keep It Confidential and Secure

All persons in the Practice sign a confidentiality agreement that explicitly makes clear, their duties in relation to personal health information and the consequences of breaching that duty.

Please be aware that your information will be accessed by non-clinical Practice staff in order to perform tasks enabling the functioning of the Practice.  These are, but not limited to:

  • Typing referral letters to Hospital Consultants or allied Health Professionals
  • Opening letters from hospitals and Consultants
  • Scanning clinical letters, radiology reports and any other documents not available in Electronic format
  • Photocopying or printing documents for referral to Consultants
  • Handling, printing, photocopying and postage of medico legal and life assurance reports and other associated documents

Right of Access to Your Health Information

The General Data Protection Regulation allows you to find out what information about you is held on computer and in manual records.  This is known as “right of subject access” and applies to personal information held about you.  If you want to see or receive information that the Practice holds about you:

  • You will need to make a written request to the Practice.
  • There may be a charge for excessive requests for information held about you
  • We are required to respond to you within one month
  • You will need to give us adequate information (e.g. full name, address, date of birth, NHS Number) to enable us to identify you and provide the correct information

Who Else May Ask to Access Your Information

  • The Court can insist that we disclose medical records to them;
  • Solicitors often ask for medical reports. We will require your signed consent for us to disclose information.  We will not normally release details about other people that are contained in your records (e.g. wife, children parents etc.) unless we also have their consent;
  • Social Services – The Benefits Agency and others may require medical reports on you from time to time. We will need your signed consent to provide information to them.
  • Life Assurance Companies/Employers/Occupational Health Doctors frequently ask for medical reports on individuals. These are always accompanied by your signed consent form.  We will only disclose the relevant medical information as per your consent. You have the right, should you request it, to see reports prepared for Insurance Companies, employers or occupational Health doctors before they are sent.

Sharing Your Information without Consent

We will normally ask you for your consent, but there are times when we may be required by law to share your information without your consent, for example:

  • Where there is a serious risk of harm or abuse to you or other people
  • Where a serious crime, such as assault, is being investigated or where it could be prevented
  • Where we encounter infectious diseases that may endanger the safety of others, such as meningitis or measles (but not sensitive information such as HIV/AIDS)
  • Where a formal Court Order has been issued
  • Where there is a legal requirement, e.g. if you had committed a Road Traffic Offence

Your Right to Opt Out of Data Sharing and Processing

The NHS Constitution states ‘You have a right to request that your personal and confidential information is not used beyond your own care and treatment and to have your objections considered’. For further information please visit: The NHS Constitution

Type 1 Opt Out

This is an objection that prevents an individual’s personal confidential information from being shared outside of their general practice except when it is being used for the purposes of direct care, or in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease. If you wish to apply a Type 1 Opt Out to their record they should make their wishes know to the practice manager.

National data opt-out

The national data opt-out was introduced on 25 May 2018, enabling patients to opt-out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.

By 2020 all health and care organisations are required to apply national data opt-outs where confidential patient information is used for research and planning purposes. NHS Digital has been applying national data opt-outs since 25 May 2018. Public Health England has been applying national data opt-outs since September 2018.

The national data opt-out replaces the previous ‘type 2’ opt-out, which required NHS Digital not to share a patient’s confidential patient information for purposes beyond their individual care. Any patient that had a type 2 opt-out recorded on or before 11 October 2018 has had it automatically converted to a national data opt-out. Those aged 13 or over were sent a letter giving them more information and a leaflet explaining the national data opt-out.  For more information go to National data opt out programme

To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.

Practice Website

The Practice is committed to ensuring that your privacy is protected.  Should we ask you to provide certain information by which you can be identified when using our website, you can be assured that it will only be used in accordance with this privacy statement.

Data Retention

We approach the management of patient records in line with the Records Management NHS Code of Practice for Health and Social Care, which sets the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England, based on current legal requirements and professional best practice.

Changes to This Privacy Notice

We keep our Privacy Notice under regular review.  This Privacy Notice will be reviewed again in April 2022.

Concerns about Sharing Your Information

If you have any concerns about how we use or share your information, or you do not wish us to share your information, please contact us on 01285 652056 or via our website.

Complaints

If you have a complaint about how your information is managed at the practice, please contact the Complaints Manager.  If you remain unhappy with the Practice’s response, you can complain to the Information Commissioner Office www.ico.gov.uk

Change of Details

It is important that you tell us if any of your details such as your name, address or telephone number has changed or if any of your details such as date of birth is incorrect in order for this to be amended.   You have a responsibility to inform us of any changes so our records are kept accurate and up to date at all times.

Appendix A – The Practice will share your information with these organisations where there is a legal basis to do so.

Activity Rationale
CCG Purpose – Anonymous data is used by the CCG for planning and performance as directed in the practices contract.

 

Legal Basis – Contractual

 

Processor – Gloucestershire Clinical Commissioning Group

JUYI – Joining Up Your Information Purpose – JUYI is the secure online system for sharing information in Gloucestershire, giving local health and social care professionals directly involved in your care instant access to your health and social care records.

Sharing your electronic records with the people who look after you gives them the most up-to-date information about you and makes your care safer and more efficient and cost effective.

For information about the county’s JUYI shared care record and fair processing notice please click here.

 

Legal Basis – Direct Care

 

Summary Care Record Purpose – The NHS in England uses a national electronic record called the Summary Care Record (SCR) to support patient care. It contains key information from your GP record. Your SCR provides authorised healthcare staff with faster, secure access to essential information about you in an emergency or when you need unplanned care, where such information would otherwise be unavailable.

 

Legal Basis – Direct Care

 

Please be aware that if you choose to opt-out of SCR, NHS healthcare staff caring for you outside of this surgery may not be aware of your current medications, allergies you suffer from and any bad reactions to medicines you have had, in order to treat you safely in an emergency. Your records will stay as they are now with information being shared by letter, email, phone. If you wish to opt-out of having an SCR please return a completed opt-out form to the practice.

 

Processor – NHS England and NHS Digital

 

 

Research Purpose – We may share personal confidential or anonymous information with research companies. Where you have opted out of having your identifiable information shared for this purpose your information will be removed.

 

Legal Basis – consent is required to share confidential patient information for research, unless there is have support under the Health Service (Control of Patient Information Regulations) 2002 (‘section 251 support’) applying via the Confidentiality Advisory Group in England and Wales

 

Individual Funding Requests Purpose – We may need to process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our contracts.

 

Legal Basis – The clinical professional who first identifies that you may need the treatment will explain to you the information that is needed to be collected and processed in order to assess your needs and commission your care; they will gain your explicit consent to share this. You have the right to withdraw your consent at any time

 

Data processor – Gloucestershire Clinical Commissioning Group

 

Child Health Information Service Purpose – We wish to make sure that your child has the opportunity to have immunisations and health checks when they are due. We share information about childhood immunisations, the 6-8 week new baby check and breast-feeding status with health visitors and school nurses.

 

Legal Basis – Direct Care

 

Data Processor – Health Intelligence, on behalf of NHS England

 

Safeguarding Adults Purpose – We will share personal confidential information with the safeguarding team where there is a need to assess and evaluate any safeguarding concerns.

 

Legal Basis – Because of public Interest issues, e.g. to protect the safety and welfare of vulnerable adults, we will rely on a statutory basis rather than consent to process information for this use.

 

Data Processor – Gloucestershire Clinical Commissioning Group, Gloucestershire County Council Safeguarding.

 

Safeguarding Children Purpose – We will share children’s personal information where there is a need to assess and evaluate any safeguarding concerns.

 

Legal Basis – Because of public Interest issues, e.g. to protect the safety and welfare of Safeguarding we will rely on a statutory basis rather than consent to share information for this use.

 

Data Processor – Gloucestershire Clinical Commissioning Group, Gloucestershire County Council Safeguarding.

 

Risk Stratification – Preventative Care Purpose –  ‘Risk stratification for case finding’ is a process for identifying and managing patients who have or may be at-risk of health conditions (such as diabetes) or who are most likely to need healthcare services (such as people with frailty). Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health before it develops.

Information about you is collected from a number of sources including NHS Trusts, GP Federations and your GP Practice. A risk score is then arrived at through an analysis of your de-identified information.  This can help us identify and offer you additional services to improve your health.

 

If you do not wish information about you to be included in any risk stratification programmes, please let us know. We can add a code to your records that will stop your information from being used for this purpose. Please be aware that this may limit the ability of healthcare professionals to identify if you have or are at risk of developing certain serious health conditions.

 

Type of Data – Identifiable/Pseudonymised/Anonymised/Aggregate Data

 

Legal Basis

GDPR Art. 6(1) (e) and Art.9 (2) (h). The use of identifiable data by CCGs and GPs for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority (approval reference (CAG 7-04)(a)/2013)) and this approval has been extended to the end of September 2020 NHS England Risk Stratification  which gives us a statutory legal basis under Section 251 of the NHS Act 2006 to process data for risk stratification purposes which sets aside the duty of confidentiality. We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.

 

 Processors – Sollis; South, West and Central Commissioning Support Unit; Gloucestershire Clinical Commissioning Group

 

Public Health

Screening programmes (identifiable)

Notifiable disease information (identifiable)

Smoking cessation (anonymous)

Sexual health (anonymous)

 

 

Purpose – Personal identifiable and anonymous data is shared.

The NHS provides national screening programmes so that certain diseases can be detected at an early stage. These currently apply to bowel cancer, breast cancer, aortic aneurysms and diabetic retinal screening service. The law allows us to share your contact information with Public Health England so that you can be invited to the relevant screening programme.

More information can be found at: https://www.gov.uk/topic/population-screeningprogrammes [Or insert relevant link] or speak to the practice

Legal Basis – Article 6(1)(e); “necessary… in the exercise of official authority vested in the controller’ And Article 9(2)(h) as stated below

 

NHS Trusts Purpose – Personal information is shared with other secondary care trusts in order to provide you with direct care services. This could be hospitals or community providers for a range of services, including treatment, operations, physio, and community nursing, ambulance service.

 

Legal Basis – The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions as stated below:

 

Processors – Gloucestershire Hospitals NHS Foundation Trust; Gloucestershire Care Services NHS Trust; 2gether NHS Foundation Trust; South Western Ambulance Service NHS Foundation Trust

 

Care Quality Commission Purpose – The CQC is the regulator for the English Health and Social Care services to ensure that safe care is provided. They will inspect and produce reports back to the GP practice on a regular basis. The Law allows the CQC to access identifiable data.

 

More detail on how they ensure compliance with data protection law (including GDPR) and their privacy statement is available on our website: https://www.cqc.org.uk/about-us/our-policies/privacy-statement

 

Legal Basis – Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.” And Article 9(2) (h) as stated below

 

Processors – Care Quality Commission

 

Payments, Invoice validation Purpose –  Contract holding GPs in the UK receive payments from their respective governments on a tiered basis. Most of the income is derived from baseline capitation payments made according to the number of patients registered with the practice on quarterly payment days. These amount paid per patient per quarter varies according to the age, sex and other demographic details for each patient. There are also graduated payments made according to the practice’s achievement of certain agreed national quality targets known as the Quality and Outcomes Framework (QUOF), for instance the proportion of diabetic patients who have had an annual review. Practices can also receive payments for participating in agreed national or local enhanced services, for instance opening early in the morning or late at night or at the weekends. Practices can also receive payments for certain national initiatives such as immunisation programs and practices may also receive incomes relating to a variety of non patient related elements such as premises. Finally there are short term initiatives and projects that practices can take part in. Practices or GPs may also receive income for participating in the education of medical students, junior doctors and GPs themselves as well as research. In order to make patient based payments basic and relevant necessary data about you needs to be sent to the various payment services. The release of this data is required by English laws.

 

Legal Basis – Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject.” And Article 9(2)(h) ‘as stated below

 

Data Processors – NHS England, CCG, Public Health

 

Patient Record data base Purpose – Your medical record will be shared, in order that a data base can be maintained and managed in a secure way

 

Legal Basis – Article 6(1)(e); “necessary… in the exercise of official authority vested in the controller’ And Article 9(2)(h) as stated below

 

Processor – Clinical System Supplier – EMIS

 

AccurRX Purpose – Your anonymous information will be shared in order to optimise your medication within your record. This will enable your GP to provide a more efficient medication regime.

 

Legal Basis – Article 6(1)(e); “necessary… in the exercise of official authority vested in the controller’ And Article 9(2)(h) as stated below

 

Processor – FDB

PCN Purpose – Your medical record will be shared with the South Cotswold Primary Care Network in order that they can provide direct care services to the patient population.

 

Legal Basis – Article 6(1)(e); “necessary… in the exercise of official authority vested in the controller’ And Article 9(2)(h) as stated below

 

Processor – Rendcomb Surgery, Cirencester Health Group, Upper Thames Medical Group, Hilary Cottage Surgery.

 

Social Prescribers Purpose – Access to medical records is provided to social prescribers to undertake a full service to patients dependent on their social care needs.

 

Legal Basis – Consented

 

Processor – Our Social Prescriber is employed by the Gloucestershire Rural Community Council.

 

Mental Health provider Purpose – For the provision of mental health services

 

Legal Basis – Direct Care

 

Processor – 2gether NHS Foundation Trust

 

Clinical Audit (including Primary Care Data Extraction Process (PCDES)) Purpose – Information will be used by the CCG for clinical audit to monitor the quality of the service provided to patients with long terms conditions. When required, information will be held centrally and used for statistical purposes (e.g. the National Diabetes Audit). When this happens, strict measures are taken to ensure that individual patients cannot be identified from the data.

 

Legal Basis – Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’

 

Processor – Gloucestershire Clinical Commissioning Group; Sollis

 

Department for Work and Pensions Purpose – Our practice is legally required to provide limited data to the Department for Work and Pensions for the management of the social care system and fraud prevention.

 

Legal Basis – Article 9(2)(b) ‘necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection..’

 

Processor – Department for Work & Pensions

 

Improving Diabetes Care Purpose – Information that does not identify individual patients is used to enable focussed discussions to take place at practice-led local diabetes review meetings between health care professionals. This enables the professionals to improve the management and support of these patients.

 

Legal Basis – Anonymised information

 

National Fraud Initiative – Cabinet Office Purpose – The use of data by the Cabinet Office for data matching is carried out with statutory authority. It does not require the consent of the individuals concerned under Data Protection legislation. Data matching by the Cabinet Office is subject to a Code of Practice. For further information see:

https://www.gov.uk/government/publications/code-of-data-matching-practice-for-national-fraud-initiative

 

Legal Basis – Part 6 of the Local Audit and Accountability Act 2014

 

Medication/Prescribing Purpose : Prescriptions containing personal identifiable and health data will be shared with chemists/pharmacies, in order to provide patients with essential medication or treatment as their health needs dictate. This process is achieved either by face to face contact with the patient or electronically. Where patients have specified a nominated pharmacy they may wish their repeat or acute prescriptions to be  ordered and sent directly to the pharmacy making a more efficient process. Arrangements can also be made with the pharmacy to deliver medication

 

Legal Basis : Article 6(1)(e); “necessary… in the exercise of official authority vested in the controller’ And Article 9(2)(h) as stated below

 

Patients will be required to nominate a preferred pharmacy.

 

Processor – Pharmacy of choice

 

Supporting Locally Commissioned Services Purpose – CCGs support GP practices by auditing anonymised data to monitor locally commissioned services, measure prevalence and support data quality.  The data does not include identifiable information and is used to support patient care and ensure providers are correctly paid for the services they provide.

 

Legal Basis – Anonymised Data

 

Processor – Gloucestershire Clinical Commissioning Group

 

Police Purpose – The police may request information in relation to on-going enquiries, all requests are reviewed and only appropriate information will be shared under legislation.

 

Legal Basis – 9(2) (c) Vital Interests

9(2) (f) Legal claims or judicial acts

9(2) (g) Reasons of substantial public interest (with a basis in law)

 

Processor – Police

Coroners Purpose – A Coroner’s office may request copies of information in relation to a deceased individual.  The practice will share relevant information in relation to the request

 

Legal Basis – Coroners and Justice Act 2009

 

Processor – Coroner

 

Subject Access Requests Purpose – Personal information will be shared with the person or their representative at their request

 

Legal Basis – Contractual agreement with the patient – and consented

 

Processor – Patients and or their representatives – e.g. family members, solicitors, insurance companies

 

Medical Reports Purpose – Personal information will be shared with Insurance companies, or potential or active employers at the patients request

 

Legal Basis – Consented

 

Processor – Patients and or their representatives – e.g. Insurance companies, RAF, Navy

 

General Practice Extraction Service (GPES)

Covid-19 Planning and Research data

Purpose : Personal confidential and Special Category data will be extracted at source from GP systems for the use of planning and research for the Covid-19 pandemic emergency period. Requests for data will be required from NHS Digital via their secure NHSX SPOC Covid-19 request process.

 

Legal Basis : NHS Digital has been directed by the Secretary of State under section 254 of the 2012 Act under the COVID-19 Direction to establish and operate a system for the collection and analysis of the information specified for this service: GPES Data for Pandemic Planning and Research (COVID-19). A copy of the COVID-19 Direction is published here:

https://digital.nhs.uk//about-nhs-digital/corporate-information-and-documents/directions-and-data-provision-notices/secretary-of-state-directions/covid-19-public-health-directions-2020

 

Patients who have expressed an opt out preference via Type 1 objections with their GP surgery not to have their data extracted for anything other than their direct care will not be party to this data extraction.

 

Processor : NHS Digital

 

General Practice Data for Planning and Research (GPDPR) Purpose: Patients personal confidential data will be extracted and shared with NHS Digital in order to support vital health and care planning and research. Further information can be found here

 

Patients may opt out of having their information shared for Planning or Research by applying a National Data Opt Out or a Type 1 Opt Out (see above).

 

Legal Basis : The legal basis for this activity can be found at this link : General Practice Data for Planning and Research: NHS Digital Transparency Notice – NHS Digital

 

Processor: NHS Digital