Practice Policies & Patient Information
Welcome to St Paul’s Medical Centre Practice
We are situated within the heart of Blackpool. Our surgery is wheelchair accessible with adjacent parking, and we can also offer accessible toilet facilities.
We provide a wide range of medical services for our patients, from acute illnesses to managing long term illnesses.
St Paul’s Medical Centre has always wanted to provide the best for their patients, and as a result we have a wide variety of different professionals to cater for your needs.
When making appointments it is important we provide you with the right level of care, therefore when speaking with our staff, we may ask a few questions about your problem. If you don’t want to give any information, that’s OK, but it does help us make best use of our team.
Confidentiality
Whatever in connection with my professional practice or not in connection with it I see or hear in the life of men which should not be spoken of abroad I will not divulge as reckoning that all such should be kept secret (Hippocratic Oath, C5 BC)
ALL PERSONAL AND MEDICAL INFORMATION RELATING TO PATIENTS AND STAFF IS STRICTLY CONFIDENTIAL
BREACH OF CONFIDENTIAL INFORMATION MAY CONSTITUTE GROSS MISCONDUCT AND CAN LEAD TO SUMMARY (IMMEDIATE) DISMISSAL
THE GUARDIAN OF CONFIDENTIALITY (CALDICOTT GUARDIAN) FOR THIS PRACTICE IS DR ROBERT STRAKER-BENNETT
GPs and practice staff have a legal, professional and moral duty to ensure that confidentiality of patient information is maintained. Any information held about patients must be factual, consistent and accurate, and recorded in line with the Recording of Patient Information Policy.
At St Paul’s we aim to follow the NHS Confidentiality Model, which is to:
- PROTECT – keep patient information secure
- INFORM – ensure patients know how information held about them is used
- PROVIDE CHOICE – allow patients to decide whether their information can be disclosed or used in particular ways within the restrictions of the law
- IMPROVE – on all of the above
Patients should be able to:
- Understand the reasons for processing personal information about them
- Give consent for the disclosure and use of personal information
- Gain trust in the way the NHS handles information, and
- Understand their rights to access information held about them.
The following precautions and procedures must be observed by all St Paul’s GPs and employees, locums, contractors, attached, visiting, community, Trust and voluntary workers, students, trainees and work-experience placements. The policy must be read in conjunction with the:
- Subject Access Request policy
- IMT & IG policy
1 – DISCLOSURE OF CONFIDENTIAL INFORMATION TO THE PATIENT
1:1 – Disclosure of information to the patient
1:1:1 Patients have a legal right to view and have copies of entries in their paper-based and/or computer held records, and to have these explained to them. The process for dealing with such requests is given in the Subject Access Request policy.
1:1:2 Patients may ring or call in to find out the results of investigations etc. Staff members may give the result to the patient AS INDICATED BY THE DOCTOR’S NOTES ON THE SCREEN, provided they have first confirmed the patient’s date of birth and are satisfied that they are speaking to the patient personally (or appropriate representative – see 1:3).
1:1:3 If a staff member needs to contact a patient to inform them of test results or arrange an appointment and is unable to do so by text message or telephone, a letter must be sent to the patient’s home address, clearly marked with the patient’s name and annotated ‘Private and Confidential’.
1:1:4 Staff must be mindful of potential communication difficulties, for example if the patient has little English, has a learning disability or a sight or hearing deficiency. Every effort must be made to ensure the patient can fully understand the information being disclosed to them, and it may be appropriate on occasion to recommend the assistance of an interpreter, representative or advocate. A loop system is in operation for patients with hearing aids.
1:1:5 If a patient wishes to speak to an admin staff member privately, the staff member should inform a manager so that cover can be arranged, and take the patient to a vacant consulting room, provided also that there is no indication that this could cause a safety risk to the staff member. The staff member must ensure that he/she knows the location of the panic alarm within the consulting room and that the manager knows which room is to be used and the name of the patient. If there is a risk to the staff member, he/she must not see the patient alone.
1:1:6 Access is available for patients to view their problems, medications and investigations online. They must register for online access via one of the available applications and provide a form of photographic identification (unless using the NHS App as their identification has already been verified) for admin to grant permission on EMIS Web. If the patient wants full access to all their medical records a manager will be informed and the records checked to redact any information that could breach another person’s confidentiality, cause harm to the patient or risk leading to harm to others. Permission to give access to redacted notes will be sought from the patient’s GP and if granted patient access will be opened for access to all records.
1:2 – Disclosure of information to other healthcare workers
1:2:1 There is a legal basis under GDPR to share information with healthcare providers who are CURRENTLY and DIRECTLY involved in that patient’s care.
1:2:2 Local data-sharing agreements allow services such as Extensive Care and Out of Hours services (111 via FCMS) to access the patient record when required to provide health care or advice to the patient.
1:2:3 Patients may prohibit information being disclosed to other healthcare professionals. Their wishes must be respected wherever possible, but they must be informed about and understand the implications of their decision for the provision of care or treatment. The same considerations relating to communication difficulties as listed in 1:1:3 must be made.
1:2:4 It may be necessary to give information about a patient to healthcare workers without consent if they are likely to be at particular risk in dealing with the patient, for example if the patient is mentally unstable, violent, or a carrier of a serious contagious disease.
1:2:5 There is a legal basis under GDPR to share information about a patient with health and social care staff or the police without consent if there is a risk to or from the patient under child and adult safeguarding procedures or in the interests of serious crime investigation.
1:2:6 Passing confidential information to a healthcare worker about a patient when there is NO risk to the worker and they are NOT directly involved in the patient’s care is NOT permissible.
1:2:7 Information about named patients must NOT be discussed by reception or other non-clinical staff unless there is a risk to their safety. Individual patient cases are not to be the subject of casual conversation.
1:3 – Disclosure to family or others
1:3:1 Medical information, including test results etc, may only be divulged to a relative, friend or advocate if the patient has given explicit consent in writing or in person, or the requester has a legal right to the information as described in the Subject Access Request policy.
1:3:2 Particular care must be taken when a parent or guardian requests information about a child. Refer to the Subject Access Request policy for guidance.
1:3:3 Confidentiality extends beyond the grave. There are restrictions on who may request information from deceased patients’ records – refer to the Subject Access Request policy.
1:3:4 Staff must check with the Caldicott Lead or a manager before divulging information if there is any doubt about the requester’s right to the information – see the Subject Access Request policy.
1:4 – Disclosure to health authorities, hospitals, etc
1:4:1 Enquiries from hospitals to confirm a patient’s personal details can usually be answered. If there is any doubt about the authenticity of the request, take the caller’s number and ring them back.
1:4:2 IOS or enhanced services claims may require details of patients, including the NHS number, and the procedures carried out. Staff must comply with the procedures and avoid giving confidential information unnecessarily to health providers or authorities.
1:4:3 Explicit patient consent is NOT required where mandatory notification of infectious diseases is required.
1:4:4 Patients must be informed that their records may be subject to inspection by health authority officers for the purposes of practice quality control or claims verification.
1:4:5 Great care must be taken when accessing patient details and processing referrals through Choose & Book and any of the Care Records Service functions as they come on-line.
1:5 – Disclosure to third parties
1:5:1 See the Subject Access Request policy for full details
1:5:2 The decision of whether or not to disclose must be made by a GP or a manager, preferably after discussion with the Caldicott Guardian or at least one colleague and if necessary, the medical defence body.
2 – CONFIDENTIALITY FOR TEENAGERS AGED UNDER 16 YEARS
2:1 Under the Children Act, any COMPETENT young person, regardless of age, can independently seek medical advice, give valid consent for medical treatment and expect the same standards of confidentiality as an adult. Confidentiality must be maintained in these cases in the same way as would be the case for an adult, and with the same exceptions.
2:2 A young person is deemed to be competent to consent to advice or treatment provided the Fraser guidelines (1985) have been satisfied. Although these have been worded in terms of a doctor giving specifically contraceptive advice and treatment, they should be applied to any healthcare professional giving any healthcare advice or treatment. The criteria are shown below:
- The young person understands the doctor’s advice
- The doctor cannot persuade the young person to inform his/her parents or allow them to be informed
- The young person is very likely to begin or continue having intercourse with or without contraceptive treatment
- Unless he/she receives contraceptive advice or treatment the young person’s physical or mental health or both are likely to suffer
- The young person’s best interests require the doctor to give contraceptive advice, treatment or both without parental consent.
2:3 People will seek health advice more willingly if they can trust that their consultations and treatment will be kept confidential. This is particularly true for teenagers and young people aged under 16 years who may need advice on any clinical issue, but may be particularly reluctant to discuss sensitive issues such as sexual health and contraception, pregnancy, termination, depression, self-harm, addiction and substance abuse, etc.
2:4 Care must be taken when communicating with young patients by home telephone or post if there is a risk that the information may be heard/seen by another person. A secure or acceptable means of communication should be agreed with the young person at the time of the consultation wherever possible.
2:5 Patients should be assured that their confidentiality will be maintained by providing information via the practice website, leaflet and information in the waiting room.
2:6 If the healthcare provider considers the young person to be incapable of giving consent because of immaturity, illness or mental capacity, they should encourage the young person to allow an appropriate adult to be involved in the consultation. If they refuse and the healthcare provider is convinced that it is essential in their medical interests, he/she may disclose relevant information to an appropriate person or authority. In such cases, the patient must be informed before disclosure, and where appropriate, the views of an advocate or carer sought. All the steps taken must be documented in the patient’s medical record.
3 – SECURITY/STORAGE OF CONFIDENTIAL INFORMATION
3:1 – Lloyd George (manual) records
3:1:1 Lloyd George notes must not be left accessible to unauthorised users and all storage cabinets must be locked when not in use and when the Medical Centre is closed.
3:1:2 Medical records must not be taken home. Home visit print-outs must not be left in practitioners’ cars or homes, from where they could be stolen or seen by others without the patient’s consent.
3:1:3 Patients/visitors to the practice must not be left unaccompanied in rooms where medical records could be accessible, for example in consulting rooms, reception or other offices. Documents containing patient identifiable data must be locked away when not in use.
3:1:4 Test result slips, hospital letters, etc must not be left on the reception desks where they might be seen by people at the counter.
3:1:5 Any rooms containing medical records must be locked when unoccupied.
3:1:6 All reasonable steps must be taken to avoid unauthorised access to the medical records. For example, the reception area should not be left vacant while patients or visitors to the practice are on the premises.
3:1:7 People who are seen within the surgery who cannot be identified as a genuine patient or visitor with grounds to be on the premises must be challenged, provided this can be done safely without risk of harm to the staff member.
3:1:8 A manager must be informed immediately if any medical records are lost or stolen or if there is believed to have been a breach of confidentiality.
3:2 – Computer records
3:2:1 All security measures described in the IMT & IG policy must be adhered to.
3:2:2 Patients or others must not be left unaccompanied in rooms where they could access computer information. It is necessary to log off or lock the computer when leaving a room for a period of time.
3:2:3 Logins and passwords must not be shared. Refer to the IM&T and IG policy for further details on using the computers and computer held information.
3:2:4 Computer screens showing information about patients must be positioned to avoid other patients seeing the screen.
3:2:5 Data must be wiped before a computer, photocopier, fax machine, scanner or other equipment capable of storing information is decommissioned or destroyed.
3:2:6 Smart cards, passwords and mobile devices must be stored securely to prevent access by unauthorised users in line with the IMT & IG policy.
3:2:7 Loss of smart cards or mobile devices must be reported immediately to the manager.
4 – TRANSMISSION OF CONFIDENTIAL INFORMATION
4:1 – Verbal transmission
4:1:1 Assuming justification/consent for disclosure has been established, information must be transmitted accurately, effectively and securely.
4:1:2 Discussion with or about patients must not take place within hearing of potential eavesdroppers.
4:1:3 When on the telephone, the identity of the patient to whom you are speaking must not be made explicit if you are within earshot of the waiting room.
4:1:4 Messages must NOT be left on patients’ answering machines or with relatives. If unable to contact a patient by ‘phone results/information must be sent by post marked private and confidential.
4:1:5 Particular care must be taken when contacting competent patients aged under 16. Ways in which to contact them confidentially should be agreed with them in advance wherever possible.
4:1:6 Patient enquiries at the reception counter must be answered discreetly, so that other patients cannot overhear. If the information is particularly sensitive, or if the patient wishes to speak to the receptionist privately, they should be taken to a vacant room.
4:1:7 The practice has a loop system, which can be used to assist patients with hearing aids to hear clearly without the need for the receptionist or practitioner to speak loudly.
4:1:8 Personal information may be texted to patients by prior arrangement with the patient provided they have given permission and updated their mobile ‘phone number each time such an arrangement is made.
4:2 – Written information
4:2:1 Envelopes must be marked private and confidential when writing to patients.
4:2:2 Letters, forms or other information must not be left where other patients or visitors could see them.
4:2:3 Confidential information awaiting disposal, including repeat prescription slips, must be placed in the confidential waste disposal bins.
5 – TRAINING
5:1 All new staff must receive training in Confidentiality and the application of this policy as part of their induction.
5:2 All staff members are required to keep their knowledge about confidentiality and consent up-to-date in line with the mandatory training programme and their role within the practice. Training resources are available on the Bluestream Academy website.
6 – MISCELLANEOUS
6:1 Clinical audit is a valid use of patient information. Individual consent is not required unless direct patient feedback is involved. However, if consent has not been sought, personally identifiable information about participating patients must NOT be included in the write up or discussion.
6:2 Medical or personal information about patients or staff that a staff member has become aware of from a source outside the Medical Centre must be treated confidentially, as others may perceive disclosure of such information to be a breach of confidentiality from the Medical Centre. Disclosure of such information will be treated as a breach of confidentiality from a disciplinary point of view.
6:3 Personal information about staff members including telephone numbers must NOT be disclosed to enquirers.
6:4 All contractors visiting the site must sign the visitors’ register and complete a confidentiality agreement prior to commencing work on-site.
6:5 If it is believed that a breach of confidentiality may have occurred, whether deliberate or accidental, a manager must be informed immediately, so that investigation and action can be put in place to protect the patient’s information as far as possible. Advice should be sought from the medical defence body if necessary.
6:6 Any queries about this policy must be directed to the practice business manager.
6:7 Clarification about the disclosure of information in a particular situation can be sought from a manager or the Caldicott Lead.
6:8 Patients must be informed about confidentiality and the use of their records in the practice patient information leaflet, poster in the waiting room and via privacy notices on the website.
6:9 Copies of this policy may be given to patients under the Freedom of Information Act.
6:10 The practice must periodically assess its performance against the principles of the Data Protection Act, GDPR and the Caldicott Committee recommendations.
KEY LEGISLATION/GUIDELINES PERTAINING TO PATIENT CONFIDENTIALITY
Public authorities including the NHS are obliged to comply with Administrative Law, which requires them to act intra vires (within their lawful powers).
Confidentiality is covered by various professional regulations, including the GMC, IHM and NMC Codes of Conduct, the common law duty of confidentiality and the NHS codes of practice for Confidentiality and Records Management. In addition, the NHS Care Record Guarantee for England and HSC 1999/012 require the highest standards of patient confidentiality to be maintained. Aspects of the holding and disclosure of personal and medical information are also protected by statute within the following legislation:
- Abortions Regulations 1991
- Access to Health Records Act 1990
- Access to Medical Reports Act 1988
- Caldicott Committee 1997
- Children Act
- Computer Misuse Act 1990
- Crime and Disorder Act 1998
- Data Protection Act 1998
- Freedom of Information Act 2000
- Health and Social Care Act 2001
- HSC 1999/012
- Human Fertilisation & Embryology Act 1990
- Human Rights Act 1998
- Mental Capacity Act 2005
- NHS Venereal Diseases Regulations 1974
- Public Health (Control of Diseases) Act 1984
- General Data Protection Regulations
TERMINOLOGY
Personal Data – Information about living, identifiable individuals, e.g. name and address etc. Statements of fact/expressions of opinion about an individual and information about the data controllers’ intentions towards them are personal data.
Processing – Processed by computer or other technology such as document image-processing systems. Processing also includes obtaining, storing & disclosing data.
Manual Records – Information that is recorded as part of a ‘relevant filing system’ (e.g. Lloyd George), where records are structured either by reference to individuals or by reference to certain criteria, so that specific information relating to individuals is readily available (e.g. disease registers).
Data Users – Those who control the contents & use of a collection of personal data.
Data Controller – Those who determine the purposes and manner in which any personal data are processed i.e. St Paul’s Medical Centre
Health Records – Record that relates to the physical or mental health of an individual, which has been made by or on behalf of a health professional in connection with the care of that individual.
Sensitive Personal Data – Information relating to:
- Racial/ethnic origin of the subject
- Political opinion
- Religious or other similar beliefs
- Trade Union membership
- Physical/mental health or condition
- Sexual life
- Commission or alleged commission of any offence
- Details of any proceedings for any offence/alleged offence
DATA PROTECTION ACT PRINCIPLES
Records containing personal information should…
- Be obtained and processed lawfully and fairly.
- Be obtained for only one or more specified and lawful purpose and not used for anything incompatible with that purpose.
- Be adequate, relevant and not excessive in relation to the purpose for which they are held.
- Be accurate and, where necessary, up to date.
- Be held for no longer than is necessary for the purpose for which they are held.
- Be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing and against accidental loss or destruction or damage to personal data.
- Not to be transferred to a country outside the EU unless that country ensures an adequate level of protection for the rights and freedoms of data subjects.
CALDICOTT COMMITTEE PRINCIPLES
- Justify the purpose – every proposed use/transfer of patient identifiable information should be clearly defined and scrutinised, with continuing users regularly reviewed by an appropriate guardian.
- Do not use patient identifiable information unless it is absolutely necessary.
- Use the minimum necessary patient identifiable information.
- Access to patient identifiable information should be on a strict need to know basis.
- Everyone should be aware of their responsibilities.
- Understand and comply with the law.
- The duty to share information can be as important as the duty to protect patient confidentiality
GDPR SUBJECT DATA RIGHTS
- The right to be informed
- The right of access
- The right to rectification
- The right to erase or ‘the right to be forgotten’
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
DoH Standards of Information Handling (HORUS)
Information must be:
- Held securely and confidentially
- Obtained fairly and efficiently
- Recorded accurately and reliably
- Used effectively and ethically
- Shared appropriately and lawfully
Caldicott Audit completed _______________________ (date)
Data Protection Register No: Z5620272 (SPMC)
Data Protection Security No: 10230267 (SPMC)
Signed ______________________________ Date _______________
Dr R Straker-Bennett
Guardian of Confidentiality
GP Net Earnings
All GP practices are required to declare the mean earnings for GPs working to deliver NHS services to patients at each practice.
The average pay for GPs working in St Paul’s Medical Centre in the last financial year (2020/2021) was £88,426 before tax and national insurance. This is for 5 full time GPs and 3 part time GPs who worked in the practice for more than six months.
Disclaimer
NHS England require that the net earnings of doctors engaged in the practice are published, and the required disclosure is shown above. However, it should be noted that the prescribed method for calculating earnings is potentially misleading because it takes no account of how much time doctors spend working in the practice, and should not be used to form any judgement about GP earnings, nor to make any comparison with any other practice.
National Data Opt Out
In May 2018, the strict rules about how this data can and cannot be used were strengthened. The NHS is committed to keeping patient information safe and always being clear about how it is used.
How Your Data is Used
Your health and care information is used to improve your individual care. It is also used to help us research new treatments, decide where to put GP clinics and plan for the number of doctors and nurses in your local hospital. Wherever possible we try to use data that does not identify you, but sometimes it is necessary to use your confidential patient information.
What is Confidential Patient Information?
Confidential patient information identifies you and says something about your health, care or treatment. You would expect this information to be kept private. Information that only identifies you, like your name and address, is not considered confidential patient information and may still be used: for example, to contact you if your GP practice is merging with another.
Who can use Your Confidential Patient
It is used by the NHS, local authorities, university and hospital researchers, medical colleges and pharmaceutical companies researching new treatments.
Making Your Data opt-out Choice
You can choose to opt out of sharing your confidential patient information for research and planning. There may still be times when your confidential patient information is used: for example, during an epidemic where there might be a risk to you or to other people’s health. You can also still consent to take part in a specific research project.
Will Choosing this opt-out Affect Your Care and Treatment?
No, your confidential patient information will still be used for your individual care.
Choosing to opt out will not affect your care and treatment. You will still be invited for screening services, such as screenings for bowel cancer.
What Should you do Next?
You do not need to do anything if you are happy about how your confidential patient information is used. If you do not want your confidential patient information to be used for research and planning, you can choose to opt out securely online or through a telephone service. You can change your choice at any time.
Policy for the Recording of Patient Information
Introduction
Patients’ medical records should accurately reflect the medical conditions, care and treatment they have experienced over time. This is necessary for good continuing patient care and for medico-legal reasons. The records should therefore be correct, complete and, where possible, contemporaneous.
This policy applies to all GP principals, employed locums and assistants, practice-employed staff, and others working within the practice.
The Practice’s legal bases for collecting, storing, processing and destroying personal and medical information about patients under GDPR are:
Article 6(1)(e) – Public task
Article 9(2)(h) – For the purpose of preventative and occupational medicine
The highest standards of governance must be applied in recording, storing and disposing of patient information, in line with Caldicott principles, the Data Protection Act, General Data Protection Regulations and other legislation and regulations in force.
This policy should be read in conjunction with the following:
- Confidentiality and consent to the disclosure of confidential information
- Summarising policy
- IM&T policy
- Home visits protocol
Recording contacts with patients
- All patient consultations and other encounters/contacts with/about patients must be recorded in the computer record, whether they have been undertaken at the surgery, as a home visit, by telephone, text, email or letter. The encounter must reflect the place/type of consultation.
- Entries should be linked to the relevant problem title in the patient’s summary where appropriate. The problem will generally be a diagnosis rather than a symptom or procedure. New problems should be added using the correct read/Snomed code. Long-term conditions and single episode problems must be added as a problem once only.
- Active problems should include long-term conditions and chronic diseases, conditions currently under treatment by medication or under hospital care and those currently symptomatic.
- Other problems should be classified as Past Significant if likely to recur or have a future impact on the patient’s health and wellbeing, or otherwise Past Minor.
- Consultations should include details of the presenting problem, examinations undertaken, differential diagnoses, medication prescribed and care plan (investigations, medication changes, action to take for red flags, referrals, follow-up arrangements, etc).
- Unconfirmed or differential diagnoses should be entered as free text under the symptom code, or the Uncertain Diagnosis code (R2).
- Visit requests should be recorded on the EMIS Web Home Visit page. This record should then be annotated by the practitioner as appropriate when taking ownership of the visit and then updating the patient’s notes afterwards e.g. by adding in clinical findings and advice/treatment following the visit or consultation by telephone.
- Templates should be used to input clinical data (where available).
- Telephone, email and online consultations must be recorded in the same way as a face-to-face consultation, under the correct place of encounter.
- Where a patient is accompanied, details should be recorded. In the case of children aged under 16 years it must also be recorded if the patient is unaccompanied.
Medications
- Acute and repeat prescriptions must be recorded on the computer, even if hand-written, for example at the patient’s home and whether the items have been prescribed by a GP principal, locum, or nurse.
- All prescriptions must be linked to the associated problem title.
- Drug allergies must be coded into the appropriate section of the medical record, using the add allergy function in EMIS Web.
Path Lab Links
- Laboratory test results are received daily and are transferred into the patient’s medical record.
- The links team must allocate path links information to the correct practitioner and ensure that it is correctly re-directed if the practitioner is absent (e.g. on annual leave).
- Practitioners must go through their links information on a regular basis at least daily, and annotate as appropriate. Actions must be recorded from the picking list and full details provided in tasks sent.
- The links team must ensure that patients are notified of test results if advised by the GP and that follow-up is acted upon, e.g. contact the patient to inform them to collect a prescription or to make an appointment in line with the confidentiality policy.
Hospital/unscheduled care and scanned documents
- Hospital clinic letters must be processed as quickly as possible, especially those requiring follow-up action such as a prescription, using the workflow protocol.
Clinical Summaries
- Most patient records now arrive by GP2GP and contain a summary. For records received without GP2GP a brief summary must be requested and summary details coded. Lloyd George records must be summarised for these patients as soon as possible after receipt by the practice in line with the Network summarising protocol.
- Summaries must be kept up to date by ensuring that new diagnoses, investigations, operations and procedures etc are coded on using agreed codes and location within the record (active/past problem, health admin, significant/minor).
Other Patient Information
- Relevant personal information should be recorded appropriately to alert practitioners to their special needs. Examples include:
  - On child at risk register
  - History of violent/aggressive behaviour
  - Terminally ill
  - Is a carer or has a carer
  - Housebound
  - Disabilities (blind, deaf, wheelchair-bound, etc)
  - Special communication needs (large print, braille, easy read, etc)
- Complaints made by the patient should not be entered onto the medical record. This information should be held separately.
- GMS1 forms should not be scanned on. These should be retained for three years then confidentially destroyed.
- New patient health check forms can be shredded once the information has been inputted.
- Requests for medical information, such as copies of records, PMA reports etc, should be recorded under Medical Report Requested in Health Administration, so that progress can be tracked as necessary.
Changes in Circumstances
- Change of name, address or telephone number must be processed as quickly as possible using the current protocol. The practice will, from time to time, send Data Quality forms to patients, in order to update personal information.
- Health visitors should be informed of detail changes for patients aged under five years.
- Details of patients who have died must be processed using the Deaths protocol.
Destruction of medical records
- Letters and reports that are scanned onto the computer must be placed in the secure shredding bins for confidential disposal.
- DNACPR forms should not be shredded, but should be filed in the patient’s Lloyd George record.
- Duplicate, expired and irrelevant data must be removed from Lloyd George records and confidentially destroyed in line with the Summarising protocol and in line with current NHS guidelines on the retention and destruction of medical records.
- Data should not usually be deleted from the computer medical record unless it is duplicated data.
NB – Patient-identifiable data should not be recorded in staff members’ personal diaries and notebooks, which might be taken home with the risk of accidental breach of confidentiality.
Primary Care Network (PCN)
What is a Primary Care Network?
The definition of a Primary Care Network is to enable the provision of proactive, accessible, coordinated and more integrated primary and community care improving outcomes for patients.
They are formed around natural communities based on GP registered lists, serving populations of around 30,000 to 50,000.
The Central West Primary Care Network
The Central West Primary Care Network is a collaboration of 3 GP practices: St Paul’s Medical Centre, Adelaide Street Surgery and South King Street Medical Centre. We serve a population of approximately 34,000 registered patients.
Networks need to be small enough to provide the personal care valued by both patients and GPs, but large enough to have impact through deeper collaboration between practices and others in the local health (community and primary care) and social care system. We are looking to provide a platform for providers of care to be sustainable into the longer term.
Privacy Notice – Research
This Practice participates in research. We will only agree to participate in any project if there is an agreed clearly defined reason for the research that is likely to benefit healthcare and patients. Such proposals will normally have a consent process, ethics committee approval, and will be in line with the principles of Article 89(1) of GDPR.
Research organisations do not usually approach patients directly, but will ask us to make contact with suitable patients to seek their consent. Occasionally research can be authorised under law without the need to obtain consent. This is known as the section 251 arrangement¹. We may also use your medical records to carry out research within the practice.
You have the right to object to your identifiable information being used or shared for medical research purposes. Please speak to the practice if you wish to object.
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.
1) Data Controller contact details | St Paul’s Medical Centre, Dickson Road, Blackpool, FY1 2HH Tel: 01253 623896 e-mail: [email protected] |
2) Data Protection Officer contact details | Compliance officer (DPO) = Hilary Gidman. The Caldicott Guardian is Dr Robert Straker-Bennett |
3) Purpose of the sharing | Medical research. |
4) Lawful basis for processing or sharing | Most information shared with researchers will not be identifiable; however, where identifiable data will be shared with researchers, this will be either with explicit consent or, where the law allows, without consent. The lawful justifications are: Article 6(1)(a) “the data subject has given consent to the processing of his or her personal data for one or more specific purposes” and Article 9(2)(j) “processing is necessary for… scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member States law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject”. We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”² |
5) Recipient or categories of recipients of the shared data | Information to be provided when available |
6) Rights to object | You do not have to consent to your data being used for research. If you have consented to your data being used in research you can change your mind and withdraw your consent at any time. Contact the Data Controller or the practice. We will normally comply with any request. |
7) Right to access and correct | You have the right to access any identifiable data that is being shared and have any inaccuracies corrected. |
8) Retention period | The data will be retained for the period as specified in the specific research protocol(s). |
9) Right to Complain | You have the right to complain to the Information Commissioner’s Office. You can use this link https://ico.org.uk/global/contact-us/ or call their helpline on Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate) |
1, Section 251 and the NHS Act, Health Research Authority. https://www.dropbox.com/s/sekq3trav2s58xw/Official%20Section%20251%20guidance%20Health%20Research%20Authority.pdf?dl=0
2 “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Privacy Notice – Commissioning, Planning, risk stratification, patient identification
The records we keep enable us to plan for your care.
This Practice keeps data on you that we apply searches and algorithms to in order to identify from preventive interventions.
This means using only the data we hold or in certain circumstances linking that data to data held elsewhere by other organisations and usually processed by organisations within or bound by contracts with the NHS.
If any processing of this data occurs outside the practice your identity will not be visible to the processors. Only this Practice will be able to identify you and the results of any calculated factors, such as your risk of having a heart attack in the next 10 years or your risk of being admitted to hospital with a complication of chest disease.
You have the right to object to our processing your data in these circumstances and before any decision based upon that processing is made about you. Processing of this type is only lawfully allowed where it results in individuals being identified with their associated calculated risk. It is not lawful for this processing to be used for other ill-defined purposes, such as “health analytics”.
Despite this we have an overriding responsibility to do what is in your best interests. If we identify you as being at significant risk of having, for example a heart attack or stroke, we are justified in performing that processing.
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.
1) Data Controller contact details | St Paul’s Medical Centre, Dickson Road, Blackpool, FY1 2HH Tel: 01253 623896 e-mail: [email protected] |
2) Data Protection Officer contact details | Compliance officer (DPO) = Hilary Gidman. Email: [email protected]. Caldicott Guardian: Dr Robert Straker-Bennett |
3) Purpose of the processing | The Practice performs computerised searches of some or all of our records to identify individuals who may be at increased risk of certain conditions or diagnoses (i.e. diabetes, heart disease, risk of falling). Your records may be amongst those searched. This is often called “risk stratification” or “case finding”. These searches are sometimes carried out by Data Processors who link our records to other records that they access, such as hospital attendance records. The results of these searches and assessment may then be shared with other healthcare workers, such as specialists, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care. |
4) Lawful basis for processing | The legal basis for this processing is Article 6(1)(e) “necessary… in the exercise of official authority vested in the controller” and Article 9(2)(h) “necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…”. We will recognise your rights under UK Law collectively known as the “Common Law Duty of Confidentiality”* |
5) Recipient or categories of recipients of the shared data | The data will be shared for processing with NHS Digital and for subsequent healthcare with the CCG. |
6) Rights to object | You have the right to object to this processing where it might result in a decision being made about you. That right may be based either on implied consent under the Common Law of Confidentiality, Article 22 of GDPR or as a condition of a Section 251 approval under the HSCA. It can apply to some or all of the information being shared with the recipients. Your right to object is in relation to your personal circumstances. Contact the Data Controller or the Practice. |
7) Right to access and correct | You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law. |
8) Retention period | The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016 or speak to the practice. |
9) Right to Complain | You have the right to complain to the Information Commissioner’s Office. You can use this link https://ico.org.uk/global/contact-us/ or call their helpline on Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate) |
* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Privacy Notice – Direct Care, (routine care and referrals)
This Practice keeps data on you relating to who you are, where you live, what you do, your family, possibly your friends, your employers, your habits, your problems and diagnoses, the reasons you seek help, your appointments, where you are seen and when you are seen, who by, referrals to specialists and other healthcare providers, tests carried out here and in other places, investigations and scans, treatments and outcomes of treatments, your treatment history, the observations and opinions of other healthcare workers, within and without the NHS as well as comments and aide memoires reasonably made by healthcare professionals in this practice who are appropriately involved in your health care.
When registering for NHS care, all patients who receive NHS care are registered on a national database. The database is held by NHS Digital, a national organisation which has legal responsibilities to collect NHS data.
GPs have always delegated tasks and responsibilities to others that work with them in their surgeries. On average GPs are responsible for 1,500 to 2,500 patients each (around 11,500 patients in our practice). It is not possible for the GP to provide hands-on personal care for each and every one of those patients in those circumstances. For this reason GPs share your care with others, predominantly within the surgery, but occasionally with outside organisations.
If your health needs require care from others elsewhere outside this Practice, we will exchange with them whatever information about you that is necessary for them to provide that care. When you make contact with healthcare providers outside the Practice, but within the NHS it is usual for them to send us information relating to that encounter. We will retain part or all of those reports. Normally we will receive equivalent reports of contacts you have with non-NHS services, but this is not always the case.
Your consent to this sharing of data, within the practice and with those others outside the practice is assumed and is allowed by the Law.
People who have access to your information will only normally have access to that which they need to fulfil their roles. For instance, admin staff will normally only see your name, address, contact details, appointment history and registration details in order to book appointments; the practice nurses will normally have access to your immunisation, treatment, significant active and important past histories, your allergies and relevant recent contacts; whilst the GP you see or speak to will normally have access to everything in your record.
You have the right to object to our sharing your data in these circumstances but we have an overriding responsibility to do what is in your best interests. Please see below.
1) Data Controller contact details | St Paul’s Medical Centre, Dickson Road, Blackpool, FY1 2HH Tel: 01253 623896 e-mail: [email protected] |
2) Data Protection Officer (DPO) contact details | Compliance officer (DPO) = Hilary Gidman. Email: [email protected]. Caldicott Guardian: Dr Robert Straker-Bennett |
3) Purpose of the processing | Direct Care is care delivered to the individual alone, most of which is provided in the surgery. After a patient agrees to a referral for direct care elsewhere, such as a referral to a specialist in a hospital, necessary and relevant information about the patient, their circumstances and their problem will need to be shared with the other healthcare workers, such as specialists, therapists, technicians etc. The information that is shared is to enable the other healthcare workers to provide the most appropriate advice, investigations, treatments, therapies and or care. |
4) Lawful basis for processing | The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR: Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’ and Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’. We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”* |
5) Recipient or categories of recipients of the processed data | The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care. |
6) Rights to object | You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection, which is not the same as having an absolute right to have your wishes granted in every circumstance. |
7) Right to access and correct | You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law. |
8) Retention period | The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016 or speak to the practice. |
9) Right to Complain | You have the right to complain to the Information Commissioner’s Office. You can use this link https://ico.org.uk/global/contact-us/ or call their helpline on Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate) |
* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Privacy Notice – GPs as Employers
As employers we need to keep certain information so that we can remain your employer and manage payments. This is a combination of personal and financial information. We are required by law to hold certain types of data on those we employ under the Health and Social Care Act and this data is examined during CQC inspection visits. For more information about the CQC see http://www.cqc.org.uk/
We are also required to share information about you with NHS Digital under a submission known as the “Workforce Minimum Dataset”. To find out more visit https://digital.nhs.uk/data-and-information/areas-of-interest/workforce/workforce-minimum-data-set-wmds
We are also required by HMRC and various taxation laws, such as “The Income Tax (Pay As You Earn) Regulations 2003” to keep financial records.
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.
1. Data Controller contact details | St Paul’s Medical Centre, Dickson Road, Blackpool, FY1 2HH. Tel: 01253 623896 [email protected] |
2. Data Protection Officer contact details | Data Protection Officer: Hilary Gidman [email protected]. The Caldicott Guardian is Dr Robert Straker-Bennett |
3. Purpose of the processing | To comply with the Health and Social Care Act and taxation law. |
4. Lawful basis for the processing | Article 6(b) – performance of a contract with the data subject; Article 6(f) – legitimate interests pursued by the controller or a third party; Article 9(b) – for carrying out obligations in the field of employment; Article 9(h) – for purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems |
5. Recipients or categories of recipients of the shared data | HMRC, Pension provider, Practice Accountant, Health Education England – NW (HENW) and the Care Quality Commission (CQC), its officers and staff and members of the inspection teams that visit us from time to time. |
6. Right to object | You have the right to object to some or all of the information being shared with CQC. Contact the Data Controller or the practice. There is no right to have UK taxation related data deleted except after certain statutory periods. |
7. Right to access and correct | You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have records deleted except when ordered by a court of Law. |
8. Retention period | The data will be retained for active use during the processing and thereafter according to NHS Policies, taxation and employment law. |
9. Right to Complain | If you are unhappy with the way in which your personal data has been processed you may in the first instance contact the Business Practice Manager or the HR Manager. You also have the right to complain to the Information Commissioner’s Office. You can use this link https://ico.org.uk/global/contact-us/ |
Privacy Notice – NHS Digital
NHS Digital is the secure haven for NHS patient data, a single secure repository where data collected from all branches of the NHS is processed. NHS Digital provides reports on the performance of the NHS, statistical information, audits and patient outcomes (https://digital.nhs.uk/data-and-information). Examples include: A&E and outpatient waiting times, the numbers of staff in the NHS, percentage target achievements, payments to GPs etc and more specific targeted data collections and reports such as the Female Genital Mutilation, general practice appointments data and English National Diabetes Audits.
GPs are required by the Health and Social Care Act to provide NHS Digital with information when instructed. This is a legal obligation which overrides any patient wishes. These instructions are called “Directions”. More information on the directions placed on GPs can be found at https://digital.nhs.uk/article/8059/NHS-England-Directions and www.nhsdatasharing.info
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.
1) Data Controller contact details | St Paul’s Medical Centre, Dickson Road, Blackpool, FY1 2HH Tel: 01253 623896 e-mail: [email protected] |
2) Data Protection Officer contact details | Compliance officer (DPO) = Hilary Gidman. Email: [email protected]. Caldicott Guardian: Dr Robert Straker-Bennett |
3) Purpose of the processing | To provide the Secretary of State and others with information and reports on the status, activity and performance of the NHS. |
4) Lawful basis for processing | The legal basis will be Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject” and Article 9(2)(h) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3” |
5) Recipient or categories of recipients of the processed data | The data will be shared with NHS Digital according to directions which can be found at https://digital.nhs.uk/article/8059/NHS-England-Directions |
6) Rights to object | You have the right to object to some or all of the information being shared with NHS Digital. Contact the Data Controller or the practice. |
7) Right to access and correct | You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law. |
8) Retention period | The data will be retained for active use during the processing and thereafter according to NHS Policies and the law. |
9) Right to Complain | You have the right to complain to the Information Commissioner’s Office. You can use this link https://ico.org.uk/global/contact-us/ or call their helpline on Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate) |
Privacy Notice – Payments
Contract-holding GPs in the UK receive payments from their respective governments on a tiered basis. Most of the income is derived from baseline capitation payments made according to the number of patients registered with the practice on quarterly payment days. The amount paid per patient per quarter varies according to the age, sex and other demographic details for each patient.
There are also graduated payments made according to the practice’s achievement of certain agreed national quality targets known as the Quality and Outcomes Framework (QOF), for instance the proportion of diabetic patients who have had an annual review. Practices can also receive payments for participating in agreed national or local enhanced services, for instance opening early in the morning or late at night or at the weekends. Practices can also receive payments for certain national initiatives such as immunisation programs and practices may also receive incomes relating to a variety of non patient related elements such as premises.
Finally there are short-term initiatives and projects that practices can take part in. Practices or GPs may also receive income for participating in the education of medical students, junior doctors and GPs themselves as well as research².
In order to make patient-based payments, basic and relevant necessary data about you needs to be sent to the various payment services. The release of this data is required by English laws¹.
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.
1) Data Controller contact details | St Paul’s Medical Centre, Dickson Road, Blackpool, FY1 2HH Tel: 01253 623896 e-mail: [email protected] |
2) Data Protection Officer contact details | Compliance officer (DPO) = Hilary Gidman. Email: [email protected]. The Caldicott Guardian is Dr Robert Straker-Bennett |
3) Purpose of the processing | To enable GPs to receive payments. To provide accountability. |
4) Lawful basis for processing | The processing of personal data in the delivery of direct care and for providers’ administrative purposes in the surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR: Article 6(1)(c) “processing is necessary for compliance with a legal obligation to which the controller is subject” and Article 9(2)(h) “necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…” |
5) Recipient or categories of recipients of the processed data | The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care. |
6) Rights to object | You have the right to object to some or all the information being processed under Article 21. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection, which is not the same as having an absolute right to have your wishes granted in every circumstance. |
7) Right to access and correct | You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law. |
8) Retention period | The data will be retained in line with the law and national guidance. https://digital.nhs.uk/article/1202/Records-Management-Code-of-Practice-for-Health-and-Social-Care-2016 or speak to the practice. |
9) Right to Complain | You have the right to complain to the Information Commissioner’s Office. You can use this link https://ico.org.uk/global/contact-us/ or call their helpline on Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate) |
1, NHS England’s powers to commission health services under the NHS Act 2006 or to delegate such powers to CCGs and the GMS regulations 2004 (73)1
2, For more information about payments to English GPs please see: https://digital.nhs.uk/NHAIS/gp-payments , https://digital.nhs.uk/catalogue/PUB30089 and http://www.nhshistory.net/gppay.pdf
Privacy Notice – Safeguarding
Some members of society are recognised as needing protection, for example children and vulnerable adults. If a person is identified as being at risk from harm we are expected as professionals to do what we can to protect them. In addition we are bound by certain specific laws that exist to protect individuals. This is called “Safeguarding”.
Where there is a suspected or actual safeguarding issue, we will share information that we hold with other relevant agencies whether or not the individual or their representative agrees.
There are three laws that allow us to do this without relying on the individual’s or their representative’s agreement (unconsented processing). These are:
Section 47 of The Children Act 1989 (https://www.legislation.gov.uk/ukpga/1989/41/section/47),
Section 29 of Data Protection Act (prevention of crime) (https://www.legislation.gov.uk/ukpga/1998/29/section/29)
and Section 45 of the Care Act 2014 (http://www.legislation.gov.uk/ukpga/2014/23/section/45/enacted).
In addition there are circumstances when we will seek the agreement (consented processing) of the individual or their representative to share information with local child protection services, the relevant law being
Section 17 of the Children Act 1989 https://www.legislation.gov.uk/ukpga/1989/41/section/17
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.
1) Data Controller contact details | St Paul’s Medical Centre
Dickson Road, Blackpool, FY1 2HH Tel: 01253 623896 e-mail: [email protected] |
2) Data Protection Officer contact details | Compliance officer (DPO) = Hilary Gidman
Email: [email protected] |
3) Purpose of the processing | The purpose of the processing is to protect the child or vulnerable adult. |
4) Lawful basis for processing | The sharing is a legal requirement to protect vulnerable children or adults, therefore for the purposes of safeguarding children and vulnerable adults, the following Article 6 and 9 conditions apply:
For consented processing: Article 6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
For unconsented processing: Article 6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject, and Article 9(2)(b) ‘…is necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of …social protection law in so far as it is authorised by Union or Member State law..’
We will consider your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”* |
5) Recipient or categories of recipients of the shared data | The data will be shared with local safeguarding services. |
6) Rights to object | This sharing is a legal and professional requirement and therefore there is no right to object. There is also GMC guidance: https://www.gmc-uk.org/guidance/ethical_guidance/children_guidance_56_63_child_protection.asp |
7) Right to access and correct | The Data Subject or their legal representatives have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law. |
8) Retention period | The data will be retained for active use during any investigation and thereafter retained in an inactive stored form according to the law and national guidance |
9) Right to Complain | You have the right to complain to the Information Commissioner’s Office. You can use this link https://ico.org.uk/global/contact-us/
or call their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate) |
* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Privacy Notice – Summary Care Record
The Summary Care Record is an English NHS development. It consists of a basic medical record held on a central government database on every patient registered with a GP surgery in England. The basic data is automatically extracted from your GP’s electronic record system and uploaded to the central system. GPs are required by their contract with the NHS to allow this upload. The basic upload consists of current medication, allergies and details of any previous bad reactions to medicines, and the name, address, date of birth and NHS number of the patient.
As well as this basic record additional information can be added and this can be far reaching and detailed. However, whereas the basic data is uploaded automatically any additional data will only be uploaded if you specifically request it and with your consent.
Summary Care Records can only be viewed within the NHS on NHS smartcard-controlled screens or by organisations, such as pharmacies, contracted to the NHS.
You can find out more about the SCR here https://digital.nhs.uk/summary-care-records
You have the right to object to our sharing your data in these circumstances and you can ask your GP to block uploads.
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.
1) Data Controller contact details | St Paul’s Medical Centre
Dickson Road, Blackpool, FY1 2HH Tel: 01253 623896 e-mail: [email protected] |
2) Data Protection Officer contact details | Compliance officer (DPO) = Hilary Gidman
Email: [email protected] Caldicott Guardian Dr Robert Straker-Bennett |
3) Purpose of the processing | Upload of basic and detailed additional Summary Care Record data |
4) Lawful basis for processing | The processing of personal data in the delivery of direct care and for providers’ administrative purposes in this surgery and in support of direct care elsewhere is supported under the following Article 6 and 9 conditions of the GDPR:
Article 6(1)(e) ‘…necessary for the performance of a task carried out in the public interest or in the exercise of official authority…’.
Article 9(2)(h) ‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality”* |
5) Recipient or categories of recipients of the processed data | The data will be shared with Health and care professionals and support staff in this surgery and at hospitals, diagnostic and treatment centres who contribute to your personal care. |
6) Rights to object | You have the right to object to some or all of the information being processed under Article 21. Please contact the Data Controller or the practice. You should be aware that this is a right to raise an objection, which is not the same as having an absolute right to have your wishes granted in every circumstance. |
7) Right to access and correct | You have the right to access the data that is being shared and have any inaccuracies corrected. There is no right to have accurate medical records deleted except when ordered by a court of Law. |
8) Retention period | The data will be retained in line with the law and national guidance
or speak to the practice. |
9) Right to Complain | You have the right to complain to the Information Commissioner’s Office. You can use this link https://ico.org.uk/global/contact-us/
or call their helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 (national rate) |
* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament. It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law. The law is applied by reference to those previous cases, so common law is also said to be based on precedent.
The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.
In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient. It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.
Three circumstances making disclosure of confidential information lawful are:
- where the individual to whom the information relates has consented;
- where disclosure is in the public interest; and
- where there is a legal duty to do so, for example a court order.
Statement of purpose
St Pauls Medical Centre
Dickson Road
Blackpool
FY1 2HH
Telephone: 01253 623896
Email: [email protected]
This is a Statement of Purpose for St Pauls Medical Centre which sets out the following information:
- The full name of the service provider and of any registered manager together with their business address, telephone number, and where available electronic mail addresses.
- The legal status of the service provider.
- Details of the locations at which the services provided for the purposes of the regulated activity are carried on.
- Our aims and objectives in carrying on the regulated activity.
- The kinds of services provided for the purpose of carrying on of the regulated activity.
- The range of service users’ needs, which those services are intended to meet.
Registered Manager:
Dr Colin Scott MB ChB, MRCGP
Partners:
Dr Leanne Rudnick MB ChB, MRCGP
Dr Robert Straker Bennett MB ChB, MRCGP
Dr Lalitha Ganti MB BS
Dr Lubna Momin MB BS, MRCGP
Dr Sarah Cunliffe MBChB, MRCGP, DRCOG, PG Cert
Dr Shahzad Gul MB BS, MRCGP
St Pauls Medical Centre is a General Practice Partnership open to all patients living within our Practice boundary in Blackpool and the surrounding areas. We work in partnership with our patients and our Patient Participation Group to provide medical care for our patients. We are a General Medical Services (GMS) Practice offering Primary care services for the diagnosis and prevention of disease. We help patients to manage their health and prevent illness. Our GPs assess, diagnose, treat and manage illness. They carry out screening for some diseases and promote general health and wellbeing. Our GPs act as a patient’s advocate, supporting and representing a patient’s best interests to ensure they receive the best and most appropriate health and/or social care. Our GPs also provide the link to further health services and work closely with other healthcare colleagues. They may also arrange hospital admissions and referrals to other services and specialists and they link with secondary and community services about patient care, taking advice and sharing information where needed. They also collect and record important information from other healthcare professionals involved in the treatment of our patients.
Our GPs are also involved in the education and training of doctors, practice staff and other healthcare professionals.
Our Mission Statement:
‘We care for you we care about you’
Vision:
To work in partnership with our patients and staff to provide the best Primary Care services possible working within local and national governance, guidance and regulations.
Our Aims and Objectives:
- To provide high quality, safe, professional Primary Health Care General Practice services to our patients.
- To focus on prevention of disease by promoting health and wellbeing and offering care and advice to our patients.
- To work in partnership with our patients, their families and carers towards a positive experience and understanding, involving them in decision making about their treatment and care.
- To be a learning organisation that continually improves what we are able to offer patients.
- To treat patients as individuals and with the same respect we would want for ourselves or a member of our families, listening and supporting people to express their needs and wants and enabling people to maintain the maximum possible level of independence, choice and control
- To work in partnership with other agencies to tackle the causes of, as well as provide the treatment for ill health and where appropriate involve other professionals in the care of our patients.
- To encourage our patients to communicate with us by joining our Patient Participation Group, talking to us, participating in surveys, and feeding back on the services that we offer
- To ensure all staff have the competency and motivation to deliver the required standards of care ensuring that all members of the team have the right skills and training to carry out their duties competently
- To take care of our staff offering them support to do their jobs and to protect them against abuse
- Have a zero tolerance of all forms of abuse.
- To provide our patients and staff with an environment which is safe and friendly
- To operate on a financially sound basis.
Our Services:
The GMS services provided by our GPs are defined under the Standard Personal Medical Services Contract. These services are mainly split into three groups:
- Essential
- Additional
- Enhanced
Essential services
We provide essential services for people who have health conditions from which they are expected to recover, chronic disease management and general management of terminally ill patients.
Our core services include:
- GP consultations
- Nurse Practitioner Consultations
- Paramedic consultations
- Asthma Clinics
- Chronic obstructive airways disease clinics
- Coronary heart disease clinics
- Diabetes clinics
- NHS Healthcheck clinics
Additional services
Our additional services include:
- Cervical cytology screening
- Child health surveillance
- Contraceptive services
- Maternity services
- Certain minor surgery procedures
- Vaccinations and immunisations
- INR Monitoring
Enhanced services
Our enhanced services include:
- Childhood vaccinations and immunisations
- Contraceptive coil fitting (IUD) and contraceptive implant fitting
- Diabetes Management
- Prostate Cancer Injection Therapy
- Extended minor surgery
- Flu immunisation
Other services
Our Practice also offers services including:
- Child health and development
- Dressing clinics
- ECGs (electrical heart trace)
- End of life care
- Epilepsy
- Lung testing (spirometry)
- Medication review
- Mental health
- Pregnancy testing and contraceptive advice
- Stop smoking support
- Travel advice
- Men’s and Women’s health
- LARC
Non-NHS Services
Our Practice also provides services which are non-NHS and are paid for by the patient. These services include:
- Insurance claims forms
- Non-NHS vaccinations
- Prescription for taking medication abroad
- Private sick notes
- Pre-employment and HGV medicals
- Vaccination certificates
Subject Access Request Policy and Protocol
Subject Access Requests- Following Implementation of GDPR (from 25 May 2018)
On 25 May 2018 the current UK Data Protection Act 1998 (DPA 1998) will be fully replaced by the General Data Protection Regulation (2016/679).
As with the DPA 1998, these new regulations give living individuals the right to request access to personal data held on them by the Trust. This is known as a Subject Access Request (SAR). The person about whom data is held is known as the Data Subject; in many cases this will be the patient, but it could be a staff member, a contractor or a contact.
Requests must be in writing; this includes letter, e-mail or in person. The requester will be asked to complete a Subject Access Request form and provide appropriate identification both on submission of the form and the collection of the personal data.
Requesters must be either the data subject, OR have the written permission of the data subject, OR have legal responsibility for managing the subject’s affairs in order to access personal information about that person. It is the requester’s responsibility to satisfy the Trust of their legal authority to act on behalf of the data subject.
We also must be satisfied of the identity of the requester before we can provide any personal information.
New Requirements for Subject Access
From 25 May 2018 some new requirements were introduced affecting the handling of subject access requests. These are listed below:
What do we need to provide to a requester?
As well as providing confirmation that their personal data is being processed and providing a copy of the personal data that the data subject has asked for (subject to any exemptions), individuals will have the right to be provided with additional information, which largely corresponds to the information to be provided in a privacy notice:
- Source of the data.
- Recipient, including details of international transfers.
- Retention period for the data.
- How to amend inaccurate data.
- How to complain to the Information Commissioner’s Office (internal review will usually need to be satisfied first).
Scope
This policy provides a process for the management of subject access requests (SARs) for personal information (for living individuals) under the Data Protection Act (DPA), the General Data Protection Regulations (GDPR) and (for deceased individuals) the Access to Health Records Act 1990. It defines a process for achieving legislative requirements and ensuring effective and consistent management of such requests.
This policy does not cover requests for medical reports or for copies of medical records requested under the Access to Medical Reports Act 1998 (AMRAs) usually for insurance and claims purposes.
Under the DPA, subject to certain conditions, an individual is entitled to be:
- Told whether any personal data is being processed;
- Given a description of the personal data, the reasons it is being processed and whether it will be given to any other organisations or people; and
- Given a copy of the information comprising the data; and given details of the source of the data (where this is available)
Personal data held by the practice may be:
- Personnel/staff records relating to a member of staff present, past or prospective
- Health records consisting of information about the physical or mental health of an identifiable individual made by or on behalf of a health professional in connection with the care of that individual.
Access encompasses the following rights:
- To obtain a copy of the record in permanent form
- To have information provided in an intelligible format (and explained where necessary)
The DPA also gives subjects who now reside outside the UK the right to apply for access to their former UK health and employment records:
- Employees are legally entitled to request their personal records and may take them outside of the UK at their own discretion
- Original health records must not be given to people to take outside the UK. A GP or community health professional may be prepared to provide the patient with a summary of treatment; alternatively the patient may make a request for access in the usual way.
Individuals’ rights regarding the sharing of their personal information are supported by the Care Record Guarantees, which set out high-level commitments for protecting and safeguarding service user information, particularly in regard to rights of access to their own information, how information will be shared (both within and outside the practice) and how decisions on sharing information will be made.
Who can make an Access Request?
This policy applies to any request by a patient or member of staff for access to their personal information held by the practice as a Subject Access Request.
This non-contractual policy applies to all staff employed by the partners at St Paul’s Medical Centre. Failure to adhere to the standards outlined herein could lead to disciplinary action.
An application for access to personal data may be made by any of the following:
- An individual
- A person authorised by the individual in writing to make the application on their behalf e.g. solicitor, family member or carer
- A person appointed by a court to manage the affairs of an individual who is deemed incompetent
- Individuals who hold a health and welfare Lasting Power of Attorney
Where the individual has died, the patient’s personal representative (the executor of the deceased’s will; someone who has been appointed as an administrator of the estate by the courts; someone who has the written consent of either of the above to be given access) and any person who may have a claim arising out of the patient’s death can make a subject access request to the practice. Moreover, where the deceased made a Subject Access Request prior to their death, this should continue to be actioned under GDPR.
Requests for copies of paper medical records of deceased patients that have been returned to PCSE and are no longer available to the practice can be made by a personal representative by contacting Primary Care Support England – 03330 142884.
Where a request is made by someone with no legal rights to access, they should be advised to contact a solicitor.
Police do not have an automatic right of access to a patient’s medical or personal information unless they have a Court Order. The information can be disclosed to support the prevention and detection of a serious crime, but this decision must be made by a GP partner or manager.
Serious crime includes murder, manslaughter, rape, treason, kidnapping, child abuse, other serious harm to an individual, security of the state or to public order, and crimes that involve substantial financial gain or loss. Theft, fraud and damage to property are NOT usually sufficient cause to disclose confidential information. Serious harm includes child abuse, neglect, assault, road traffic accident and spread of potentially life-threatening infectious disease.
This clause also relates to copies of CCTV footage from cameras within the building, which must not be supplied to the police except under the circumstances outlined above. Footage from public areas such as the car park can be supplied to the police.
Parental responsibility for a child is defined in the Children Act 1989 as ‘all the rights, duties, powers, responsibilities and authority, which by law a parent of a child has in relation to a child and his property’. Responsibilities would include safeguarding and promoting a child’s health, development and welfare, including if relevant their employment records. Included in the parental rights which would fulfil the parental responsibilities above are:
- Having the child live with the person with responsibility or having a say in where the child lives
- If the child is not living with him/her, have a personal relationship and regular contact with the child
- Controlling, guiding and directing the child’s upbringing
Foster parents are not ordinarily awarded parental responsibility for a child. It is more likely that this rests with the child’s social worker and appropriate evidence of identity should be sought in the usual way.
The law regards young people aged 16 or 17 to be adults for the purposes of consent to employment or treatment and the right to confidentiality. Therefore if a 16-year-old wishes their information to be kept confidential, this wish must be respected.
Children aged under 16 who have the capacity and understanding to take decisions about their own treatment are also entitled to decide whether personal information may be passed on and generally to have their confidence respected. Where a child is considered capable of making decisions about medical treatment, their consent must be sought before a person with parental responsibility may be given access. Consent will usually be required from any child aged 13+ before information can be disclosed to a parent, guardian or third party.
Where in the view of the appropriate professional the child is not capable of understanding the nature of the application, the holder of the record is entitled to deny access if it is not felt to be in the patient’s best interests.
The identity and consent of the applicant must always be established.
The applicant does not have to give a reason for applying for access.
The practice is a Data Controller and can only provide information held by the organisation. Other data controllers must be applied to directly; the practice will not transfer requests from one organisation to another.
Application
Patients wishing to exercise their right of access should inform a member of staff personally, by telephone, by email, by post, or (preferably) by completing the Access to Health Records Request form.
Where the Access to Health Records Request form has not been used, the information required on the form will need to be elicited from the patient and filled in by the member of staff.
Current, past or prospective employees should inform Julie Holford, Practice Manager using the relevant Subject Access Request form.
The practice as ‘data controller’ is responsible for ascertaining the purpose of the request and the manner in which the information is supplied.
A simple request by a patient for either vaccination history or a list of current medications can be processed by any member of the team. Full details of the request and the stages of processing need to be completed on the request form and the information checked by a second person before being handed to the patient. The usual ID and eligibility checks must be made. If the patient is not collecting there and then, place the request form with the prepared information in the concertina file and make sure the collection details are noted on the form when the patient collects. The form can then be put in the hospital letters tray.
All other patient requests must be passed to Sheila Kirkham (put in her tray). Requests from current or former staff must be passed to Julie Holford.
Fees and response time
The practice must provide information free of charge unless it is manifestly unfounded, excessive, can easily be obtained through Patient Access or is repetitive (i.e. has been provided before).
The fee must be based on the administrative cost of providing the information only.
The request must be complied with without delay and within 28 days of receipt of the request. We can extend the period for a further 2 months where requests are complex or numerous, however we must inform the individual of any delay within 28 days, along with an explanation.
The release stages
Consent/eligibility for the request must be checked before preparing the information. Particular care must be taken when the request is from a third party or in respect of a child. Informed consent must be sought for any patient aged 13 or more unless the patient lacks capacity under the Mental Health Act or is not deemed to be competent to make the decision if aged under 16, in which case a ‘best interests’ decision will need to be made.
A reason for denying or restricting access does not need to be given but the applicant should be directed through the appropriate complaint channels.
Further guidance must be sought if the request is vague, to avoid disclosing information that is not relevant or not required by the requester.
The record must be collated, redacted where applicable and signed off by a GP partner or manager before being prepared for release. On no account may the original record be released.
Where possible iGPR will be used to produce and collate the information available on EMIS and Docman. Lloyd George records must be pruned of expired information in line with defined retention periods (see Summarising Policy) before being photocopied.
Where information is not readily intelligible, an explanation (e.g. of abbreviations or terminology) must be given.
The format of the released information must comply with the requester’s wishes wherever possible. If no specific format is requested, we can provide the information in the same manner as the original request e.g. by email (preferred format).
Information can be emailed using the st.pauls.medicalcentre.nhs.uk email address provided it is encrypted. First email the requester instructions on how to open encrypted information, then send the relevant documents by secure email by putting [secure] as the title.
Where the information is provided in paper form, this must be collected from the surgery by the individual or his/her representative, provided we have been notified by the requester in advance of who the representative is. In either case proof of identity will need to be shown before the records can be released.
Ensure that the date the information is emailed or collected has been completed on the request form before sending this for scanning.
If it is agreed that the subject or their representative may directly inspect the record, a health professional must supervise the access (manager for employee requests). The supervisor must not comment or advise on the content of a medical record if they are not a healthcare professional.
Exemptions
Access may be denied or restricted where:
- The record contains information which relates to or identifies a third party that is not a care professional and has not consented to the disclosure.
- Access to all or part of the record will prejudice the carrying out of social work because serious harm to the physical or mental well-being of the individual or any other person is likely.
- Access to all or part of the record will seriously harm the physical or mental well-being of the individual or any other person
- If an assessment identifies that to comply with a Subject Access Request would involve disproportionate effort under section 8(2)(a) of the Data Protection Act
Where possible the individual should be provided with that part of the record that does not form one of the above restrictions.
There is no requirement to disclose to the applicant the fact that certain information may have been withheld.
Where the information is to be withheld on the basis of disproportionate effort, the practice will engage with the applicant, having an open conversation about the information they require. It may be appropriate to have the applicant view the records in practice and select the elements that they require a copy of.
Complaints and appeals
The applicant has the right to appeal against a practice decision to refuse access to their information. This appeal should be made to Tracey Swift, Patient Services Lead (patients) or Anne Bagot-Moore (staff).
If an applicant is unhappy with the outcome of their access request, the usual complaints (patients) or grievance (staff) procedure should be applied.
Monitoring and review
The Caldicott Lead (Dr C W Scott) has executive responsibility for Subject Access Requests.
All staff will receive training on how to recognise and manage a Subject Access Request.
The Practice Business Manager monitors all Subject Access Requests to ensure the correct process has been followed and monitors any appeals/complaints relating to Subject Access Requests.
Equality impact
In applying this policy the practice will have due regard for the need to eliminate unlawful discrimination, promote equality of opportunity and provide for good relations between people of diverse groups, in particular on the grounds of the characteristics protected by the Equality Act 2010 (see Equal Opportunities Policy) in addition to offending background, trade union membership or any other personal characteristic.
Record-keeping
Where an Access to Health Records Request has been completed in respect of a patient, the completed request form must be placed in the hospital letters drawer for scanning/attaching to the medical record as a problem heading under Health Administration using one of the following Read codes:
- 8MA (SNOMED 647551000000110) – Patient requests copy of medical record (free text in if patient representative)
- 9ER8 (SNOMED 2159182015) – Patient record requested by solicitor
- 9l8 (SNOMED 2129781000000118) – Copy of clinical record requested by insurance company
The date the information has been supplied must also be recorded using the appropriate code:
- 9lA (SNOMED 2129861000000118) – Copy of clinical record given to patient (if collected from surgery)
- 9lB (SNOMED 2129901000000113) – Copy of clinical record sent to patient (if emailed)
- 9lC (SNOMED 2129941000000111) – Copy of clinical record sent to solicitor
- 9l9 (SNOMED 2129821000000114) – Copy of clinical record sent to insurance company
The scanned form must then be returned to a member of the Administration Team for filing in the SARS folder.
Details of requests from staff and dates of information supplied will be recorded securely in the employment record for current and previous staff and in the recruitment folder for prospective employees and will therefore be held until those records are destroyed.
Your data, privacy and the Law
How we use your medical records
- This practice handles medical records according to the laws on data protection and confidentiality.
- We share medical records with health professionals who are involved in providing you with care and treatment. This is on a need-to-know basis and event by event.
- Some of your data is automatically copied to the Shared Care Summary Record.
- We share some of your data with local out of hours, urgent care and emergency care services.
- Data about you is used to manage national screening campaigns such as Flu, Cervical Cytology and Diabetes prevention.
- Data about you, usually de-identified, is used to manage the NHS and make payments.
- We share information when the law requires us to do so, for instance when we are inspected or reporting certain illnesses or safeguarding vulnerable people.
- Your data is used to check the quality of care provided by the NHS.
- We may also share medical records for medical research.
For more information ask at reception for copies of individual Service Privacy Notices.