GP Healthcare Alliance Limited processes information about you in order to provide health care services, and in doing so has to comply with the requirements of the General Data Protection Regulation (GDPR). This means that data held about you must only be used for specific purposes as defined by law.
This Fair Processing Notice has been created to inform you about the types of information held about you, why that information is held about you, and to whom that information may be shared.
Our Commitment to Data Privacy and Confidentiality Issues
We are committed at all times to protecting your privacy and will only use information ethically and lawfully in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act (DPA) 2018, the Human Rights Act 1998 and the common law duty of confidentiality. The various laws and rules about using and sharing confidential information, with which GPHA complies, are set out in a guide to confidentiality in health and social care published on the NHS Digital website.
GPHA is a Data Controller under the terms of the GDPR/DPA 2018, which means that we are legally responsible for ensuring that whenever we collect, use, hold, obtain, record or share personal confidential information about you, we do so in compliance with GDPR/DPA 2018 Article 5 – Principles Relating to Processing of Personal Data.
All data controllers must register with the Information Commissioner’s Office (ICO). Our ICO Data Protection Registration Number is ZA061802 and our entry can be found on the data protection register on the ICO website.
Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.
All identifiable information that we hold about you is held securely and kept confidential. We use strict controls to ensure that only authorised staff are able to see information that identifies you. A limited number of authorised staff have access to information that identifies you, but only where it is appropriate to their role and on a strictly need-to-know basis. All health and social care organisations are required to provide annual evidence of compliance with applicable laws, regulations and standards through the Data Security and Protection Toolkit. This shows our current level of compliance as ‘XXX’ and provides assurance to you on how we protect your information.
All staff working within GPHA receive appropriate and ongoing training to ensure that they are aware of their personal responsibilities, and they have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. All staff are trained to ensure that they understand how to recognise and report an incident. GPHA has specific procedures for investigating, managing, reporting and learning lessons from any incidents that may occur.
GPHA only retains information in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016. GPHA’s records management policies include guidance on the secure destruction of information in line with the code of practice.
GPHA has a Caldicott Guardian, who is a senior person responsible for protecting the confidentiality of patient/staff information and enabling appropriate information sharing. Our Caldicott Guardian is Dr Sanjeet Chana; please see the ‘contact us’ section on our website for contact details.
The GDPR requires an organisation to appoint a Data Protection Officer (DPO) if it is a public authority or body, or if it carries out certain types of processing activities.
DPOs assist organisations to monitor internal compliance, inform and advise on data protection obligations, and act as a point of contact for data subjects and the supervisory authority. The DPO for GPHA is Ian Murphy.
Legal Obligations to collect and use information
In the circumstances where we are required to use personal identifiable information we will only do this if:
You have certain legal rights, including the right to have your information processed fairly, lawfully and in a transparent manner, and the right to access any personal information we hold about you. You have the right to privacy and to expect us to keep your information confidential and secure. You also have the right to ask us to correct any mistakes in the information that we hold about you by contacting us.
You have the right to:
All information held by GPHA is governed by the information lifecycle management policy and is held, retained and destroyed in line with the records management code of practice for health and social care.
What information is kept about me?
Every time you see a doctor or healthcare professional, they must keep a record of the care you receive. Your records include information about your health, appointments, treatment and test results. This information may be stored on paper or electronically and may include x-rays, photos and image slides (MRI and CT).
Why do we need your information?
The people that care for you may use this information to ensure that you receive the care you need:
We will sometimes use your information, in an anonymised form, to:
Your name and address and other information that tells others who you are will be removed from any information used in these situations. This is called anonymised data.
The information we may keep often includes your personal information. For example:
How your personal information is used:
Your records are used to direct, manage and deliver the care you receive to ensure that:
Who will we share your information with?
To make sure that you receive all the care and treatment you need, we may need to share your information with other staff and organisations which may be involved in your care and treatment. These could include:
We share information in line with the legislation in the Health and Social Care Act 2015, and we process/share your information under the Data Protection legislation and the GDPR (General Data Protection Regulation), relying on Article 6(1)(c), 6(1)(d) and 6(1)(f), and on Article 9 EU GDPR (processing of special categories of personal data), including Article 9(2)(h), where processing is necessary for the purposes of preventive or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.
Below are some key definitions of terms used within this notice:
Personal Data – Data which relates to a living individual who can be identified from that data, or from that data together with other information which is in the possession of, or is likely to come into the possession of, GPHA (for example, name, address, date of birth, NHS Number).
Sensitive Personal Data – (in the context of the NHS) – ‘Data’ consisting of information as to an individual’s physical or mental health condition.
Primary Care Data – Primary care refers to the work of health professionals who act as a first point of contact for patients, such as GPs, pharmacists and Emergency Care Practitioners. Primary Care Data is therefore data collected within GP practices, dental practices, community pharmacies and high street optometrists.
Secondary Care Data – Secondary care is the health care provided by specialists who generally do not have first contact with patients; it includes hospital care, community care and mental health care. Secondary Care Data is therefore data collected by hospital, mental health and community services.
Aggregated Data – The consolidation of data relating to multiple individuals, and therefore the data cannot be traced back to a specific individual.
Anonymised Data – Anonymisation is the process of turning data into a form which does not identify individuals and where identification is not likely to take place.