Fair Processing Notice
Who we are and what we do
Gosport Medical Centre is responsible for providing Primary care services for the local population of Gosport, Hampshire. .
Your Information, Your rights
Being transparent and providing accessible information to patients about how we will use your personal information is a key element of the Data Protection Act 2018 and the EU General Data Protection Regulation(GDPR)
The following notice reminds you of your rights in respect of the above legislation and how we as your GP practice will use your information for lawful purpose, in order to deliver your care and the effective management of the local system.
This notice reflects how we use your information for:
- The management of patient records;
- Communication concerning your clinical, social and supported care;
- Ensuring the quality of your care and the best clinical outcomes are achieved through clinical audit and retrospective review;
- Participation in health and social care research;and
- The management and clinical planning of services to ensure that appropriate care is in place for our patients today and in the future.
As your registered GP practice, our GP’s are the data controller for any personal data that we hold about you.
The practice has a senior member of staff responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian. The contact details of our Caldicott Guardian are as follows:
Dr Bozena Gorecka, GP. Surgery number 02392 583302.
Data Protection Officer(DPO)
Data protection officers are responsible for ensuring that the practice complies and implements the data protection policy. Our DPO is Caroline Sims.
What information do we collect and use?
As a GP practice we hold collect and hold the following types of information from you or about you from a third party engaged in the delivery of your care.
- ‘Personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified from the data. This includes, but is not limited to name, date of birth, address, postcode, NHS number and next of kin;
- ‘Special category/sensitive data’ such as medical history, medication, treatment you have received and where, clinical notes, hospital letters, test results, referrals, care arrangements, social care status, ethnic origin, communications from you including concerns or complaints.
Your healthcare records contain information about your health and any treatment or care you have received previously (e.g. from a hospital clinic, same day access clinic, community care provider, mental health provider, walk in centres, social services). These records may be electronic, a paper record or a mixture of both. We use a combination of technologies and working practices to ensure that we keep your information secure and confidential.
Why do we collect this information?
The NHS Act 2006 and Health and Social Care Act 2012 invests statutory functions on GP practices to promote and provide primary health services in England, improve quality of services, reduce inequalities, conduct research, review performance of services and deliver education and training. To do this we will need to process your information in accordance with current data protection legislation to:
- Protect your vital interests;
- Pursue our legitimate interests as a provider of medical care, particularly where the individual is a child or a vulnerable adult;
- Perform tasks in the public’s interest;
- Deliver preventative medicine, medical diagnosis, medical research; and
- Manage the health and social care system and services.
What do we use your personal information for?
- For your direct care needs and to ensure you receive the best possible care;
- To respond to queries from you or health care providers directly involved in your care;
- To identify whether you are at risk of a future, unplanned hospital admission;
- To support and effectively manage a long term condition;
- For clinical audit to monitor the quality of service provided;
- To understand the local population needs and plan for future requirements. This is known as ‘Risk Stratification for Commissioning’;
How is this information collected?
Your information is collected electronically using secure NHS email or a secure electronic document transfer system using an NHS encrypted network connection. In addition, physical information in paper form will be sent to the practice. This information will be stored within your GP electronic record or within your physical medical record.
Who will we share your information with?
In order to deliver, coordinate and improve your health and social care, we may share information with the following organisations:
- Acute Visiting Service, GP Extended Access and local GP practices in order to deliver extended primary care services
- Portsmouth Hospitals NHS trust (QA hospital, Gosport War Memorial hospital, St Mary’s hospital and Petersfield Hospital)
- NHS 111, Southern Central Ambulance and the out of hours services
- Local social services and community care services such as district nurses, palliative care nurses, counsellors, health visitors
- Voluntary support organisations commissioned to provide services by Fareham and Gosport CCG
- Product services commissioned by the CCG such as the continence and stoma service
- Fareham and Gosport CCG
Your information will only be shared if it appropriate for the provision of your care or to satisfy our statutory function and legal obligations.
We do not share information that identifies you unless we have a fair and lawful basis, such as:
- You have given us permission; consented;
- We need to act to protect children and vulnerable adults;
- When a formal court order has been served upon us;
- When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;
- Emergency planning reasons such as for protecting the health and safety of others;
- When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals;
Your information will not be transferred outside the European Union.
The information from your patient record will only be used for purposes that benefit care – we would never share it for marketing or insurance purposes.
We may share anonymised, pseudonymised and aggregated statistical information with other organisations for the purpose of improving local services, research, audit and public health; for example understanding how health conditions spread across our local area compared to other areas.
Who do we receive information from?
Whilst we share your information with the above organisations, we may also receive information from them to ensure your medical records are kept up to date and so that your GP can provide the best care.
We also receive data from NHS Digital (as directed by the Department of Health) such as the uptake of flu vaccinations and disease prevalence in order to assist us to improve community primary care.
How do we maintain confidentiality of your records?
We are committed to protecting your privacy and will only use information that has been collected lawfully.
Every member of staff who works for an NHS organisation has a legal obligation to keep information about you confidential and only share for the purpose of providing direct health care.
We ensure that access to your personal data is limited to appropriate staff and information is only shared with organisations and individuals that have a legitimate and legal reason for access.
We maintain our duty of confidentiality by conducting annual training and regular review of policies and protocols.
We have a clear desk policy which means that at all patient identifiable data should be locked away at the end of the day.
All paper records are stored in lockable cupboards and kept in an office with a code locked door.
All faxes are received in a safe haven area where only staff access is allowed.
All patient information transferred by email is done an NHS mail email account. This has the highest security standards.
Information is not held longer than necessary and is held in accordance with the Records Management Code of Practice for Health and Social Care 2016.
How long do we keep information about you?
Retention of Medical Records
Consent and Objections
Do I need to give my consent?
The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how their data is used. When consent is used properly, it helps to build trust. However, consent is only one potential lawful basis for processing information so your we may not need to seek your explicit consent for every instance of processing and sharing your information, on the condition that it is used for your direct care.
‘We do not rely on consent to use your information as a ‘legal basis for processing’. We rely on specific provisions under Article 6 of the General Data Protection Regulation, such as ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller’ and ‘…processing is necessary for compliance with a legal obligation’. We are also guided by Article 9 which states we can use information ‘necessary for the purposes of preventative or occupational medicine for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services…’ This means we can use your personal information to provide you with your care without seeking your consent. However, you do have the right to say ‘NO’ to our use of your information but this could have an impact on our ability to provide you with care.
We will contact you if we are required to share your information for any other purpose which is not mentioned in this notice and your consent will be documented in your electronic record.
What will happen if I withhold my consent or raise an objection?
You have the right to write to withdraw your consent at any time for any particular instance of processing, provided consent is the legal basis for the processing, for example if you have your health record available for other healthcare professionals to see, in the form of a summary care record, you can withdraw consent for this at any time.
If you need a referral to a specialist for further treatment, your GP does not need to ask for consent but if you then tell the GP you do not want them to send any of your relevant health information to the specialist, the GP may then not be able to refer.
Please contact the practice if you require further information and to raise any objections.
Health Risk Screening/Risk Stratification
This is a process that helps us to determine whether you are at risk of an unplanned admission or deterioration in health. By using selected information such as age, gender, NHS number, diagnosis, long-term conditions, medication, admissions we may be able to judge if you are likely to need more support, or if the right services are in place to support the local population’s needs.
To summarise, Risk Stratification is used in the NHS to:
- Help decide if a patient is at a greater risk of suffering from a particular condition;
- Prevent an emergency admission;
- Identify if a patient needs medical help to prevent a health condition from getting worse; and/or
- Review and amend provision of current health and social care needs.
We use our computer system to do specialised searches to identify patients who are most at risk. This is done with support from our local Commissioning Support Unit who is tasked by the NHS to assist healthcare providers in performing their duties, plus an accredited risk stratification provider. These contracts are arranged Fareham and Gosport CCG in accordance with the current Section 251 Agreement. None of these parties will have access to your personal data; they are only there to assist.
We routinely conduct the risk stratification process in the practice, it is conducted electronically. The resulting report is then reviewed by a multidisciplinary team of staff, here, which may result in us contacting you if alterations to your care are needed.
A Section 251 Agreement is where the Secretary of State for Health and Social Care has granted permission for personal data to be used for the purpose of risk stratification.
As mentioned above, you have the right to object to your information being used in this way. However, you should be aware that your objection may have a negative impact on the timely and proactive provision of your care.
Please contact the practice if you would like to discuss how disclosure of your personal record can be limited.
Sharing of your electronic patient record within the NHS
Electronic patient records are kept in most places you receive healthcare. Our clinical system is called EMIS and this enables your parts of your record to be shared with organisations involved in your direct care, such as:
- GP practices
- Community services such as district nurses, rehab services.
- Child health services that undertake routine treatment or health screening
- Urgent care organisations, minor injury units or out of hours services
- Community hospitals
- Palliative care hospitals and services
- Mental health trusts
- Social care organisations
Summary Care Record
In addition, we have the Summary Care record which contains information such as your current medications and allergies but could also include health problems, if you opt for this and this is available to healthcare professionals across the country. The SCR means other healthcare staff can give you better care if, for example, you are in an emergency or if you are seen out of normal surgery houses. You can opt out of this service, please speak to a member of staff or the next link for more information.
Care and Health Information Exchange (CHIE)
Formerly known as the Hampshire Health Record, is a local health and social care record which brings together information from participating Health and Care organisations ie GP practices, community providers, acute hospitals and social care providers. From your patient record we share your name, address, contacts ie your next of kin, diagnosis, allergies and alerts as well as information about your appointments, care plans, immunisations and referrals, with CHIE. If you do not want your information shared with CHIE, please discuss this with your healthcare professional.
For more information, please visit http://www.careandhealthinformationexchange.org.uk/
The Practice shares your diabetes related data with the Diabetic Eye Screening Programme operated by Health Intelligence (commissioned by NHS England). This supports your invitation for eye screening (where you are eligible and referred by the Practice) and ongoing care by the screening programme. This data may be shared with any Hospital Eye Services you are under the care of to support further treatment and with other healthcare professionals involved in your care, for example your Diabetologist.
For further information, take a look at Health Intelligence’s Privacy Notice on the diabetic eye screening website: www.desphiow.co.uk
NHS Health Check
The NHS Health Check is a health check-up for adults in England aged 40-74. It's designed to spot early signs of stroke, kidney disease, heart disease, type 2 diabetes or dementia. As we get older, we have a higher risk of developing one of these conditions. An NHS Health Check helps find ways to lower this risk. For the invitation to get to you we share your name, address and month of birth with Public Health at Hampshire County Council. If you do not wish to have these invites please let us know. We also share anonymised data from the NHS Health checks in order to get a better idea of health issues in our area.
Data Extraction by the Clinical Commissioning Group
The clinical commissioning group at times extracts information about your care, but the information they extract via our computer systems cannot identify you to them. This information only refers to you by way of a code that only your practice can identify (it is pseudonymised). We will never give the CCG access to any system or information that would enable them to identify you.
The Clinical Commissioning Group requires this pseudonymised information for the following purposes:
- For management and monitoring of the GP Practice core contract
- For management and monitoring of the GP Practice enhanced services
- For assurance of compliance with these contracts
- For assurance of the effective spending of public funding
- To conform with delegated responsibilities from NHS England
- To fulfil the CCGs role in ensuring services commissioned meet patient population need and are being delivered in accordance with commissioning intentions
On behalf of NHS England, NHS Digital assesses the effectiveness of the care provided by publicly-funded services – we have to share information from your patient record such as referrals, assessments, diagnoses, activities (e.g. taking a blood pressure) and in some cases, your answers to questionnaires on a regular basis to meet our NHS contract obligations. You have the right to object to us sharing your information to NHS Digital – this will not affect your care in any way. For information about how you can Opt-Out of sharing your data with NHS Digital please visit the NHS Digital National Data Opt-Out Programme Website.
If you have received treatment within the NHS, the local Commissioning Support Unit (CSU) may require access to your personal information to determine which Clinical Commissioning Group is responsible for payment for the treatment or procedures you have received. Information such as your name, address, date of treatment and associated treatment codes may be passed onto the CSU to enable them to process the bill. These details are held in a secure environment and kept confidential and will not be shared for any other purposes.
Improving Health, Care and Services through Research
Here at Gosport Medical Centre we actively promote research with a view to improving future care. Researchers can improve how physical and mental health can be treated and prevented.
If we use your patient information for research, we remove your name and all other personal data which would identify you, such as when we use the information from your patient record in the Clinical Practice Research Datalink (CPRD) or QResearch at the University of Nottingham . If we need the information in a form that would personally identify you, we would ask for your permission first and this would normally be as part of a formal study we have signed up to.
If you do not want the information from your patient record used to support research, please contact our Data Protection Officer
How can you access the information we hold about you?
You have a right to see the information we hold about you, both on paper or electronic, except for information that:
- Has been provided about you by someone else if they haven’t given permission for you to see it
- Relates to criminal offences
- Is being used to detect or prevent crime
- Could cause physical or mental harm to you or someone else
You can access much of your electronic medical record using our Patient Access service. For further information or to request access to any paper records, please contact the surgery:
In writing or person: Gosport Medical Centre, Bury Road, PO12 3AQ
By telephone: 02392 583302
By email: firstname.lastname@example.org
We will request proof of identity before we can give access to Patient Access or disclose personal information.
In the event that you feel we have not complied with the current data protection legislation, either in responding to your request for access to your record or in our general processing of your personal information, you should raise your concerns, in the first in writing to the practice manager at:
Gosport Medical Centre Bury Road Gosport PO12 3AQ
If you remain dissatisfied with our response you can contact:
Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
Telephone: 0303 123 1113
Legal Basis for sharing information
Clinical Commissioning Group
Purpose – Anonymous information is shared to plan and design care services within the locality
Legal Basis – non identifiable data only
Data Processor – Fareham & Gosport & SE Hants CCG
Individual Funding Requests – The CSU
Purpose – We may need to share your information with the IFR team for the funding of treatment that is not normally covered in the standard contract
Legal Basis – The clinical professional who first identifies that you may need the treatment will explain to you the information that is needed to be collected and processed in order to assess your needs and commission your care; they will gain your explicit consent to share this.
Data processor – We ask NHS South, Central and West Commissioning Support Unit (CSU) to do this on our behalf.
Summary Care Records
Purpose – Limited Personal identifiable data is shared with the Summary Care Record to help with emergency doctors and nurses help you when you contact them when the surgery is closed.
Legal Basis – This is for your direct care and in an emergency – you can opt out of your record being shared
Data Processor – Central NHS database
Care and Health Information Exchange (CHIE)
Purpose – Is a local combined electronic health record. It brings together information in your health records from different parts of the NHS to assist with your direct care – you may opt out of having your information shared on this system.
Legal Basis – This service is for provision of health, social care or treatment and in order for treatment to be safe, knowledge of a patients medical history is required. - you can opt in or out at any point.
Data Processor – Local NHS organisation
Care and Health Information Analytics (CHIA)
Purpose - This is a database which holds pseudonymised information, which means no patients can be identified. This information is received from the CHIE and it is used to look at trends in health, to improve future care, to shape NHS services and support medical research.
Legal basis - This database collection enables our CCG and local authorities to provide good health and social care, which is a duty in law. You can opt in or out at any point.
Data Processor - South Central and West Commissioning Support unit
EMIS WEB data storage chains
In order to deliver the best possible service, the practice will share data (where required) with other NHS bodies such as other GP practices and hospitals. In addition the practice will use carefully selected third party service providers. When we use a third party service provider to process data on our behalf then we will always have an appropriate agreement in place to ensure that they keep the data secure, that they do not use or share information other than in accordance with our instructions and that they are operating appropriately. Examples of functions that may be carried out by third parties includes:
- Companies that provide IT services & support, including our core clinical systems; systems which manage patient facing services (such as our website and service accessible through the same); data hosting service providers; systems which facilitate appointment bookings or electronic prescription services; document management services etc.
- Delivery services (for example if we were to arrange for delivery of any medicines to you).
- Payment providers (if for example you were paying for a prescription or a service such as travel vaccinations).
Other GP practices within Fareham & Gosport and SE Hants CCG in relation to the GP Extended Access Service (GPEAS)
Purpose - We will enable other GP’s and staff in other GP practices to have access to your medical record to allow you to receive acute medical care within that service.
Legal Basis – This service is for your direct care and is fully consented, permission to share your medical record will be gained prior to an appointment being made in the service and again once you are in the consultation.
Data processor – Your registered surgery will continue to be responsible for your full medical record
Pharmacists from the CCG
Purpose – to provide monitoring and advice in line with the national directive for prescribing. Anonymous data is collected by the CCG.
Legal Basis – direct care
Data Processor – Fareham & Gosport and SE Hants CCG
MASH – Multi Agency Safeguarding Board - Safeguarding Children
Purpose – We share information with health and social care authorities for safeguarding issues
Legal Basis - Because of public Interest issues, e.g. to protect the safety and welfare of Safeguarding we will rely on a statutory basis rather than consent to share information for this use. See section on 'fair and lawful' basis.
Data Processor –Multi Agency Safeguarding Authorities.
Purpose – Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission.
Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected from GP practice record systems.
GPs will be able to identify which of their patients are at risk in order to offer a preventative service to them.
Legal Basis - Risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority
NHS England encourages GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable hospital admissions and to promote quality improvement in GP practices.
Data Processors – NHS South, Central and West Commissioning Support Unit (CSU) to assist us with providing Risk Stratification tools.
Data Processing activities for Risk Stratification – The GP practice instructs its GP IT system supplier to provide primary care data identifiable by your NHS Number.
Opting Out - If you do not wish information about you to be included in our risk stratification programme, please contact the GP Practice. They can add a code to your records that will stop your information from being used for this purpose. Further information about risk stratification is available from: https://www.england.nhs.uk/ourwork/tsd/ig/risk-stratification/
Quality monitoring, concerns and serious incidents
Purpose – We need to ensure that the health services you receive are safe, effective and of excellent quality. Sometimes concerns are raised about the care provided or an incident has happened that we need to investigate. You may not have made a complaint to us directly but the health care professional looking after you may decide that we need to know in order to help make improvements.
Legal Basis – The health care professional raising the concern or reporting the incident should make every attempt to talk to you about this and gain your consent to share information about you with us. Sometimes they can do this without telling us who you are. We have a statutory duty under the Health and Social Care Act 2012, Part 1, Section 26, in securing continuous improvement in the quality of services provided.
Data processor – We share your information with health care professionals that may include details of the care you have received and any concerns about that care. In order to look into these concerns we may need to talk to other organisations such as Fareham & Gosport and SE Hants CCG as well as other Public bodies and Government agencies such as NHS Improvement, the Care Quality Commission, NHS England as well as the Providers of your care.
Commissioning, planning, contract monitoring and evaluation
Purpose – We share aggregated, anonymous, patient data about services we have provided.
Legal Basis - Our legal basis for collecting and processing information for this purpose is statutory. We set our reporting requirements as part of our contracts with NHS service providers and do not ask them to give us identifiable data about you.
If patient level data was required for clarity and extensive evaluation of a service, consent will be gained for the surgery to share this information.
Data Processor – Various organisations, CCG, third party organisations commissioned by the NHS to perform actuarial services, NHS England.
National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.
Surveys and asking for your feedback
Purpose - Sometimes we may offer you the opportunity to take part in a survey that the practice is running. We will not generally ask you to give us any personal confidential information as part of any survey.
Legal Basis – you are under no obligation to take part and where you do, we consider your participation as consent to hold and use the responses you give us.
Data Processor – eg Survey Monkey
Purpose - To support research oriented proposals and activities in our commissioning system
Legal Basis - Your consent will be obtained by the organisation holding your records before identifiable information about you is disclosed for any research. If this is not possible then the organisation wishing to use your information will need to seek formal approval from The Independent Group Advising on the Release of Data (IGARD) http://content.digital.nhs.uk/IGARD
Other organisations who provide support services for us
Purpose - The Practice may use the services of additional organisations (other than those listed above), who will provide additional expertise to support the Practice.
Legal Basis - We have entered into contracts with other organisations to provide some services for us or on our behalf.
Continence and Stoma Service – for direct care in providing continence/stoma products and monitoring.
i-Talk Counselling service
Purpose - To enable healthcare professionals working for Gosport medical centre to provide the necessary information to another healthcare professional or organisation, when a referral for further treatment is needed. This also applies when specialists ring the surgery to discuss on going care or when healthcare professionals within the medical centre need to contact other healthcare professionals to discuss a patients on going treatment.
Legal Basis - This is for direct care and provision of health. Your consent will be sought by the GP/nurse at the point of decision to refer on. You can object to your information being shared but your GP/nurse may not be able to refer you without it.
If a patient objects but lacks capacity to make an informed decision, it may be in their best interest to continue with the disclosure in order to complete the referral safely.
Purpose - Phlebotomy is a fundamental and essential tool in primary care and is used for diagnostic and therapeutic purposes. Blood tests are frequently requested by GPs (or other clinical professionals).
Removing blood from a patient by means of a needle and syringe (blood testing) is sometimes known as ‘venotomy’ or ‘venesection’. Once collected, samples are labelled with the patient’s name and NHS number and forwarded to the pathology laboratory at Queen Alexandra Hospital, Portsmouth for analysis. The pathologist will then send an analysis report about each blood sample back to the GP practice.
We have a contract with Southern Hampshire Primary Care Alliance Limited (SHPCA) who provide our blood taking services
Legal Basis – Clinician’s ‘Duty of Care’. The clinical professional who sees you will explain to you if, and when they require you to have a blood test. One or more blood samples of your blood may be needed in order to analyse substances contained within it. Blood test results enable the clinician to determine the correct and most effective way to manage and treat your medical condition.
Patients who require further testing, or a new course of treatment, or a change in their existing treatment will be informed and asked to book an appointment to see their doctor or clinical professional.
Data Processors - SHPCA processes essential information about you to fulfil your GP's blood test request but we will continue to be responsible for your full medical record.