GDPR

South Manchester GP Federation Ltd

LADYBARN GROUP PRACTICE

General Practice Privacy Notice

Document name Members Privacy Notice
Version 0.1
Name of originator/author:
Policy Owner:
Date created: May 2018
Date reviewed: 01 June 2018
Reviewer:
Date ratified:
Ratified by:
Next review date: May 2019

The Data controller is:
LADYBARN GROUP PRACTICE 54 Briarfield Road Withington Manchester M20 4SS

How we use your information

This privacy notice explains why the Ladybarn Group Practice collects
personal information about you, and how that information may be used.
We are committed to being transparent about how we collect and use
that data and to meeting our data protection obligations.
As Data Controllers, GPs have responsibilities under the Data Protection
Act 2018 (DPA18). This means ensuring that your personal data is
handled in ways that are safe, transparent and what you would
reasonably expect.
We respect your trust in us to use, store and share your information. In
this notice we explain how we collect personal information about you,
how we use it and how you can interact with us about it.
We try to keep this notice as simple as possible but if you are unfamiliar
with our terms, or want more detail on any of the information here,
please contact us at 54 Briarfield Road Withington Manchester M20 4SS.

Capturing images – CCTV

Visiting our premises
Our premises are monitored by CCTV so your image may be captured
whenever you enter our site boundary and within our premises. We use
CCTV for maintaining public safety, the protection and security of our
property and our staff and for the detection, prevention and
investigating of crime. It may also be used to monitor staff when
carrying out work duties.
For these reasons, the information processed may include visual images,
including personal appearance and behaviour of those displayed and
recorded on the system.

Where the CCTV is located on our premises but near a public space, it
may also record these images even if you have not directly visited our
premises.

There are signs to show you when you are entering an area monitored
by our CCTV. CCTV images are normally held for 30 days and then
deleted unless we require to retain them for investigative or policing
enquiries.

Meeting our legal and regulatory obligations

To use your information lawfully, we rely on one or more of the
following legal bases:

  • for the performance of a task carried out in the public interest or
    where it is necessary in the exercise of official authority vested in
    us
  • the performance of a contract
  • where the processing is necessary for compliance with our legal
    obligations
  • protecting the vital interests of you or others
  • for our organisational legitimate interests; e.g. for incidental and
    ancillary data processing, for example the management of nonpatient
    or medical databases used for our internal administrative
    purposes
  • where appropriate with your consent
  • where necessary for the purposes of preventative or occupational
    medicine, for the assessment of medical diagnosis, the provision of
    health or social care or treatment or the management of health or
    social care systems and services.

We also respect the common law duty of confidentiality and to satisfy
the common law we may rely on implied consent to share confidential
health data for the provision of direct care; for example, when a patient
agrees to a referral from one healthcare professional to another.

Health care professionals are required to maintain records about your
health including any treatment or care you have received within the NHS
(e.g. NHS Hospital Trust, GP Surgery, Walk-in clinic, etc.). Using these
records helps us to provide the best possible healthcare for our patients.
NHS health records may be processed electronically or on paper or a
mixture of both and a combination of working practices and technology
are used to ensure that your information is kept confidential and secure.
Records used and stored by this GP Practice may include the following
information:

  • Any contact we have with you, such as appointments, clinic visits,
    emergency appointments, telephone triage etc.
  • Notes and reports about your health
  • Details about your treatment and care
  • Details about you, including your date of birth, NHS number,
    address and next of kin etc.
  • Results of investigations about you such as laboratory tests, xrays,
    etc.
  • Relevant information from other health professionals, agencies,
    relatives or those who care for you

This Practice collects and holds data for the sole purpose of providing
healthcare services to our patients and we will ensure that such
sensitive information is kept confidential.
However, we may disclose your personal information if:

(a) It is required by law
(b) You consent to do so – either implicitly (e.g. for your own
treatment and care) or explicitly for other purposes (e.g. sending
you newsletters etc.
(c) It is justified in the public interest

Some of your personal data will be held centrally and used for statistical
purposes. Where we hold data centrally, we take strict measures to
ensure that individual patients cannot be identified.

Sometimes information about you may be requested to be used for
research purposes. Ladybarn Group Practice will always endeavour to
gain your consent before releasing such information.

Under the powers of the Health and Social Care Act 2012 (HSCA) the
Health and Social Care Information Centre (HSCIC) can request Personal
Data from GP Practices without seeking the patient’s consent.
Improvements in information technology are also making it possible for
us to share data with other healthcare providers with the objective of
providing you with better care.

Any patient can choose to withdraw their consent to their data being
used in this way. When Ladybarn Group Practice is about to participate
in any new data-sharing scheme we will make patients aware by
displaying prominent notices in the surgery and on our website, at least
four weeks before the scheme is due to start. We will also explain clearly
what you have to do to ‘opt-out’ of each new scheme.

A patient can object to their personal information being shared with
other health care providers, however if this limits the treatment that you
can receive then the doctor will explain this to you at the time.

Risk Stratification

Risk stratification is a process for identifying and managing patients who
are at a higher risk of emergency hospital admission. Normally, this is
because patients have a long-term condition such as chronic obstructive
pulmonary disease (COPD) or some cancers. NHS England encourages
GPs to use risk stratification tools as part of their local strategies for
supporting patients with long-term conditions and to help prevent
avoidable admissions.
In order to achieve this, information about you is collated from several
sources, including this GP Practice and from NHS Trusts etc. A risk score
is then produced through an analysis of your anonymous information
using computer programmes. Your information is only provided back to
your GP or member of your care team in an identifiable form.

Risk stratification enables your GP to focus on the prevention of ill health
and not just the treatment of sickness. If necessary, your GP may be
able to offer you additional services.

Please note that you have the right to opt out of Risk Stratification.

Should you have any concerns about how your information is managed
or wish to opt out of any data collection at Ladybarn Group Practice,
please contact Mr. Kurtis Starkie or your healthcare professional to
discuss how the disclosure of your personal information can be
restricted.

All our patients have the right to change their minds and reverse a
previous decision. Please contact Mr. Kurtis Starkie if you change your
mind regarding any previous decision.

Invoice Validation

If you have received treatment within the NHS, access to your personal
information may be required to determine which Clinical Commissioning
Group should pay for the treatment or procedure that you have
received.

This information would most likely include information such as your
name, address, date of treatment and may be passed on to enable the
billing process. These details are held in a secure environment and kept
confidential. This information will only be used to validate invoices and
will not be shared for any further purposes.

Hospital attendance

Personal data about any hospital attendance is obtained from the Health
and Social Care Information Centre (HSCIC) and matched to NHS data
to create a risk profile about you.

NHS Health Checks

All our patients aged 40-74, not previously diagnosed with
cardiovascular disease, are eligible to be invited for an NHS Health
Check. Nobody outside the healthcare team at Ladybarn Group Practice
will see confidential information about you during the invitation process.
Your details will be securely transferred to a third-party data processor
(if appropriate). You may be offered the chance to attend your health
check either within Ladybarn Group Pracitce Practice or at a local
community venue. If your health check is at a community venue, all
data collected will be securely transferred back into the Ladybarn Group
Practice system and nobody outside the healthcare team at Ladybarn
Group Practice will see any confidential information about you during
this process.

How do we maintain the confidentiality of your records?

We are committed to protecting your privacy and will only use
information collected lawfully in accordance with the DPA18 and DPA 18,
the Human Rights Act, the Common Law Duty of Confidentiality, the
Health and Social Care Act 2012 and the NHS Codes of Confidentiality
and Security.

All our staff, contractors and professional members receive appropriate
and on-going training to ensure they are aware of their personal
responsibilities. They also have employment contractual obligations to
uphold your confidentiality, which are enforceable through disciplinary
procedures. Your information may be shared internally, including with
members of the practice team but only a limited number of authorised
staff have access to your personal information (where it is appropriate
to their role) and access is only allowed on a strict ‘need-to-know’ basis.

We strive to maintain our duty of confidentiality to you at all times. We
will only ever use or pass on personal identifiable information about you
if others involved in your care have a genuine need to have it.

We will not disclose your information to any third-party without your permission,
unless there are exceptional circumstances (i.e. life or death situations),
or where the law requires information to be passed on.
We are mindful of the UK information sharing principle following Dame
Fiona Caldicott’s information sharing review amongst health
professionals. We recognise that our duty to share information can be as
important as the duty to protect patient confidentiality.

Therefore, we encourage our health and social care professionals to have the
confidence to share information in the best interests of our patients
within the framework set out by the Caldicott principles;
‘To share or not to share – the Information Governance Review’.

Who do we share your information with?

We may also share your information, subject to strict agreements on
how it will be used, with other care providers and agencies. These could
include:

    • NHS and specialist hospitals, Trusts
    • Other GPs
    • Independent Contractors such as dentists, opticians, pharmacists
    • Private and Voluntary Sector Providers
    • GP practice federations
    • Ambulance Trusts
    • Clinical Commissioning Groups and NHS England
    • NHS Digital
    • National Institute for Health and Care Excellence
    • Care Quality Commission
    • NHS Improvement
    • NHS Shared Business Services
    • Universities
    • Social Care Services and Local Authorities
    • Education Services
    • Police and Fire and Rescue Services
    • Other ‘data processors’ during specific project work e.g. Diabetes
      UK

Health & Safety requirements:

If you have an accident whilst you are on any of our premises, this must
be reported and will be recorded and kept for the purposes of health
and safety and insurance requirements.

How do we protect your data?

We take the security of your data very seriously. We have internal
policies and controls in place to try to ensure that your data is not lost,
accidentally destroyed, misused or disclosed, and is not accessed except
by its employees in the performance of their duties.
Where we engage with third parties to process personal data on our
behalf, we stipulate our privacy expectations in written instructions.
They are under a strict duty of confidentiality and are obliged to
implement appropriate technical and organisational measures to ensure
the security of data.

Access to personal information

We aim to be as open as we can regarding access to personal
information.

Individuals can find out if we hold any personal information about them
by making a ‘subject access request’ under the DPA 18. You also have
the right to require it to be amended or removed should it be inaccurate.
If we do hold information about you, we will:

      • give you a description of it;
      • tell you why we are holding it;
      • tell you who it could be disclosed to; and
      • let you have a copy of the information in an intelligible form
        provided it is lawful to do so.

To make a request to Ladybarn Group Practice for any of your personal
information we may hold, you need to contact Mr. Kurtis our Data
Protection Officer on the data controller address given in this document.
You have the right to complain to the Information Commissioners’ Office
if you believe that we have not complied with the requirements of the
DPA18 regarding your personal data.

Storing or transferring your information outside the European Economic Area (“EEA”).

We do not transfer or store your personal information outside the EEA.

How long we’ll keep your information

We only keep your information for as long as we need it. We’ll retain
certain information (e.g. contact information and bank details) for as
long as you have a relationship with us. The length of time depends on
the purpose of the processing. In accordance with NHS Codes of
Practice for Records Management, your Health Care records will be
retained for 10 years after death, or if a patient emigrates, for 10 years
after the date of emigration.

Complaints or Queries

Ladybarn Group Practice tries to meet the highest standards when
collecting and using personal information. For this reason, we take any
complaints we receive about this very seriously. We encourage people to
bring it to our attention if they think that our collection or use of
information is unfair, misleading or inappropriate. We would also
welcome any suggestions for improving our procedures. We are happy
to provide any additional information or explanation needed. Any queries
you have should be addressed to: smccg.ladybarngp@nhs.net or
telephone us on 0161 448 4500

You can also contact the Information Commissioner’s Office at
www.ico.org.uk or write to Wycliffe House Water Lane, Wilmslow,
Cheshire SK9 5AF or 0303 123 1113 for information, advice or to make a
complaint.
Any changes to this notice will be published on our website and on Ladybarn Group Practice notice board.