DATA POLICY

Fair Processing Notice

How we use your information

N2S holds information about you and this document outlines how that information is used, with whom we may share that information, how we keep it secure (confidential) and what your rights are in relation to this.

The Health Care Professionals (HCP) provide you with care, and update the records about your health. These may contain any treatment or care you have received previously (e.g. NHS Trust, GP surgery, Community clinics or staff etc). These records help to provide you with the best possible healthcare. NHS health records may be electronic, on paper or a mixture of both and we use a combination of working practices and technology to ensure that your information is kept confidential and secure.

What information do we collect and use?

All personal data must be processed fairly and lawfully, whether is it received directly from you or from a third party in relation to the your care.

We will collect the following types of information from you or about you from a third party (provider organisation) engaged in the delivery of your care:
-‘Personal data’ means any information relating to an identifiable person who can be directly or indirectly identified from the data. This includes, but is not limited to name, date of birth, full postcode, address, next of kin and NHS Number; and ‘Special category / sensitive data’ such as medical history including details of appointments and contact with you, medication, emergency appointments and admissions, clinical notes, treatments, results of investigations, supportive care arrangements, social care status, race, ethnic origin, genetics and sexual orientation.
-Your healthcare records contain information about your health and any treatment or care you have received previously (e.g. from an acute hospital, GP, community care provider, mental health care provider, walk-in centre, social services). These records maybe electronic, a paper record or a mixture of both. We use a combination of technologies and working practices to ensure that we keep your information secure and confidential.

Why do we collect this information?
• Protect your vital interests;
• Pursue our legitimate interests as a provider of medical care,
• Perform tasks in the public’s interest;
• Deliver preventative medicine, medical diagnosis, medical research; and
• Manage the health and social care system and services.

What kind of information do we use?
• Details about you, such as address and next of kin information etc
• Any contact N2S has had with you such as appointments, clinic visits, emergency appointments and so on
• Notes and reports about your health
• Details about your treatment and care
• Results of investigations such as laboratory tests, x-rays etc.
• Relevant information from other HCPs, relatives or those who care for you

To ensure you receive the best possible care, your records are used to facilitate the care you receive. Information held about you may be used to help protect the health of the public and to help us manage the NHS. Information may be used for clinical audit to monitor the quality of the service provided and to plan NHS services.

Some of this information will be held centrally and used for statistical purposes. Where we do this, we take strict measures to ensure that individual patients cannot be identified.

We can only use any information that may identify you (known as personal information) in accordance with the General Data Protection Regulations (GDPR), Data Protection Act 1998 and other laws such as the Health and Social Care Act 2012. However, only minimum necessary identifiers are used in processing personal information for this purpose. We also have a Common Law Duty of Confidentiality to protect your information. This means that where a legal basis for using your personal or confidential information does not exist, we will not do so.

Apart from direct health care sensitive personal information may also be used in the following cases:
• To respond to patients, carers or Member of Parliament communication
• We have received consent from individuals to be able to use their information for a specific purpose.
• There is an over-riding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime.
• There is a legal requirement that will allow us to use or provide information (e.g. a formal court order).
• For the health and safety of others, for example to report an infectious disease such as meningitis or measles.

Invoice validation

If you have received treatment within the NHS, access to your personal information is required in order to determine which Clinical Commissioning Group (CCG) should pay for the treatment or procedure you have received. The validation of invoices is undertaken within a controlled environment for finance within NELCSU. This is carried out via a section 251 agreement and is undertaken to ensure that the CCG is paying for treatments relating to its patients only.

How do we maintain confidentiality of your records?

We are committed to protecting your privacy and will only use information collected. Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential. Anyone who received information from an NHS organisation has a legal duty to keep it confidential.

Our staff are trained in our Information Governance policies.

We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if others involved in your care have a genuine need for it. We will not disclose your information to any third party without your permission unless there are exceptional circumstances (e.g. life or death situations) or where the law requires information to be passed on.

The NHS Digital Code of Practice on Confidential Information applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All practice staff are expected to make sure information is kept confidential and receive annual training on how to do this. This is monitored by the practice and can be enforced through disciplinary procedures.

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only and protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).

We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where information that could or does identify a person is processed.

We have a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing. This person is called the Caldicott Guardian. The Caldicott Guardian for N2S is Dr Tess Cafferty, Medical Director. We also have a Senior Information Risk Owner (SIRO) who is responsible for owning N2S’s information risk. The SIRO is James Foster. Our Data Processing Officer is Dr Tim Bosworth.

We are registered with the Information Commissioner’s Office (ICO) as a data controller which describes the purposes for which we process personal data. A copy of the registration is available from the ICO’s web site by searching on our name.

Who are our Partner Organisations?

We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations:
• NHS Trusts
• Specialist Trusts
• Independent contractors such as dentists, opticians, pharmacists
• Private sector providers
• Voluntary sector providers
• Ambulance Trusts
• Clinical Commissioning Groups
• Social Care and Health
• Local Authorities
• Education Services
• Fire & Rescue Services
• Police
• Other data processors

What are your rights?

Where information from which you can be identified is held, you have the right to ask to:
• View this or request copies of the records by making a subject access request – also see below.
• request information is corrected
• have the information updated where it is no longer accurate
• ask us to stop processing information about you where we are not required to do so by law – although we will first need to explain how this may affect the care you receive.

Access to personal information

You have a right under the Data Protection Act 1998 to access/view what information the surgery holds about you, and to have it amended or removed should it be inaccurate. This is known as ‘the right of subject access’. If we do hold information about you we will:
• Give you a description of it
• Tell you why we are holding it
• Tell you who it could be disclosed to, and
• Let you have a copy of the information in an intelligible form

If you would like to make a ‘subject access request’, please do so in writing to the Executive Manager.

Your right to withdraw consent

If you are happy for your data to be extracted and used for the purposes described in this Fair Processing Notice, then you do not need to do anything.

If you do not want your personal data being extracted and used for the purposes described in this Fair Processing Notice, then you need to let us know as soon as possible in writing to the Executive Manager.

Please note that withdrawing your consent from sharing data may, in some circumstances, cause a delay in your receiving care.

How long do you hold information for?

All records held by the practice will be kept for the duration specified by national guidance from the Department of Health, The Records Management Code of Practice for Health and Social Care 2016. Confidential information is securely destroyed in accordance with this code of practice.

Your right to opt out

In some instances, you are allowed to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. To support this patients are able to register objections with the GP Practice to either prevent their identifiable data being released outside of the GP Practice (known as a Type 1 objection) or to prevent their identifiable data from any health and social care setting being released by NHS Digital (known as a Type 2 objection) where in either case it is for purposes other than direct patient care. If your wishes cannot be followed, you will be told the reasons (including the legal basis) for that decision. There are certain circumstances where a person is unable to opt out but these are only where the law permits this such as in adult or children’s safeguarding situations.

You have a right in law to refuse or withdraw previously granted consent to the use of your personal information. There are possible consequences of not sharing such as the effect this may have on your care and treatment but these will be explained to you to help with making your decision. If you wish to exercise your right to opt-out, or to speak to somebody to understand what impact this may have, if any, please contact us using the contact details at the top of this document.

What is the right to know?

The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector.

What sort of information can I request?

In theory, you can request any information that the practice holds, that does not fall under an exemption. You may not ask for information that is covered by the Data Protection Act. Your request must be in writing and can be either posted or emailed to the practice.

Complaints or questions?

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. Please contact James Foster, Executive Manager, 55 Wessex Street, NR11RE.
Last updated: November 2020
Review: November 2022