ALL PERSONAL AND MEDICAL INFORMATION RELATING TO PATIENTS AND STAFF IS STRICTLY CONFIDENTIAL

BREACH OF CONFIDENTIAL INFORMATION MAY CONSTITUTE GROSS MISCONDUCT AND CAN LEAD TO SUMMARY (IMMEDIATE) DISMISSAL

THE GUARDIAN OF CONFIDENTIALITY (CALDICOTT GUARDIAN) FOR THIS PRACTICE IS

DR C W SCOTT

GPs and practice staff have a legal, professional and moral duty to ensure that confidentiality of patient information is maintained.  Any information held about patients must be factual, consistent and accurate, and recorded in line with the Recording of Patient Information Policy.

At St Paul’s we aim to follow the NHS Confidentiality Model, which is to:

• PROTECT – keep patient information secure
• INFORM – ensure patients know how information held about them is used
• PROVIDE CHOICE – allow patients to decide whether their information can be disclosed or used in particular ways within the restrictions of the law
• IMPROVE – on all of the above

Patients should be able to:

• Understand the reasons for processing personal information about them
• Give consent for the disclosure and use of personal information
• Gain trust in the way the NHS handles information, and
• Understand their rights to access information held about them.

The following precautions and procedures must be observed by all St Paul’s GPs and employees, locums, contractors, attached, visiting, community, Trust and voluntary workers, students, trainees and work-experience placements.  The policy must be read in conjunction with the:

• Subject Access Request policy
• IMT & IG policy

1 – DISCLOSURE OF CONFIDENTIAL INFORMATION TO THE PATIENT

1:1 – Disclosure of information to the patient

1:1:1    Patients have a legal right to view and have copies of entries in their paper-based and/or computer held records, and to have these explained to them.  The process for dealing with such requests is given in the Subject Access Request policy.

1:1:2    Patients may ring or call in to find out the results of investigations etc.  Staff members may give the result to the patient AS INDICATED BY THE DOCTOR’S NOTES ON THE SCREEN, provided they have first confirmed the patient’s date of birth and are satisfied that they are speaking to the patient personally (or appropriate representative – see 1:3).

1:1:3    If a staff member needs to contact a patient to inform them of test results or arrange an appointment and is unable to do so by ‘text message or telephone, a letter must be sent to the patient’s home address, clearly marked with the patient’s name and annotated ‘Private and Confidential’.

1:1:4    Staff must be mindful of potential communication difficulties for example if the patient has little English, has a learning disability or a sight or hearing deficiency.  Every effort must be made to ensure the patient can fully understand the information being disclosed to them, and it may be appropriate on occasion to recommend the assistance of an interpreter, representative or advocate.  A loop system is in operation for patients with hearing aids.

1:1:5    If a patient wishes to speak to an admin staff member privately, the staff member should inform a manager so that cover can be arranged, and take the patient to a vacant consulting room, provided also that is no indication that this could cause a safety risk to the staff member.  The staff member must ensure that he/she knows the location of the panic alarm within the consulting room and that the manager knows which room is to be used and the name of the patient.  If there is a risk to the staff member, he/she must not see the patient alone.

1:1:6    Access is available for patients to view their problems, medications and investigations online.  They must register for online access via one of the available applications and provide a form of photographic identification (unless using the NHS App as their identification has already been verified) for admin to grant permission on EMIS Web.   If the patient wants full access to all their medical records a manager will be informed and the records checked to redact any information that could breach another person’s confidentiality, cause harm to the patient or risk leading to harm to others.  Permission to give access to redacted notes will be sought from the patient’s GP and if granted patient access will be opened for access to all records.

1:2 – Disclosure of information to other healthcare workers

1:2:1    There is a legal basis under GDPR to share information with healthcare providers who are CURRENTLY and DIRECTLY involved in that’s patient’s care.

1:2:2    Local data-sharing agreement allow services such as Extensive Care and Out of Hours services (111 via FCMS) to access the patient record when required to provide health care or advice to the patient.

1:2:3    Patients may prohibit information being disclosed to other healthcare professionals.  Their wishes must be respected wherever possible, but they must be informed about and understand the implications of their decision for the provision of care or treatment.  The same considerations relating to communication difficulties as listed in 1:1:3 must be made.

1:2:4    It may be necessary to give information about a patient to healthcare workers without consent if they are likely to be at particular risk in dealing with the patient, for example if the patient is mentally unstable, violent, or a carrier of a serious contagious disease.

1:2:5    There is a legal basis under GDPR to share about a patient with health and social care staff or the police without consent if there is a risk to or from the patient under child and adult safeguarding procedures or in the interests of serious crime investigation.

1:2:6    Passing confidential information to a healthcare worker about a patient when there is NO risk to the worker and they are NOT directly involved in the patient’s care is NOT permissible.

1:2:7    Information about named patients must NOT be discussed by reception or other non-clinical staff unless there is a risk to their safety.  Individual patient cases are not to be the subject of casual conversation.

1:3 – Disclosure to family or others

1:3:1    Medical information, including test results etc, may only be divulged to a relative, friend or advocate if the patient has given explicit consent in writing or in person, or the requester has a legal right to the information as described in the Subject Access Request policy.

1:3:2    Particular care must be taken when a parent or guardian requests information about a child.  Refer to the Subject Access Request policy for guidance.

1:3:3    Confidentiality extends beyond the grave.  There are restrictions on who may request information from deceased patients’ records – refer to the Subject Access Request policy

1:3:4    Staff must check with the Caldicott Lead or a manager before divulging information if there is any doubt about the requester’s right to the information – see the Subject Access Request policy

1:4 – Disclosure to health authorities, hospitals, etc

1:4:1    Enquiries from hospitals to confirm a patient’s personal details can usually be answered.  If there is any doubt about the authenticity of the request, take the caller’s number and ring them back.

1:4:2    IOS or enhanced services claims may require details of patients, including the NHS number, and the procedures carried out.  Staff must comply with the procedures and avoid giving confidential information unnecessarily to health providers or authorities.

1:4:3    Explicit patient consent is NOT required where mandatory notification of infectious diseases is required.

1:4:4    Patients must be informed that their records may be subject to inspection by health authority officers for the purposes of practice quality control or claims verification.

1:4:5    Great care must be taken when accessing patient details and processing referrals through Choose & Book and any of the Care Records Service functions as they come on-line.

1:5 – Disclosure to third parties

1:5:1    See the Subject Access Request policy for full details

1:5:6    The decision of whether or not to disclose must be made by a GP or a manager, preferably after discussion with the Caldicott Guardian or at least one colleague and if necessary, the medical defence body.

2 – CONFIDENTIALITY FOR TEENAGERS AGED UNDER 16 YEARS

2:1       Under the Children Act, any COMPETENT young person, regardless of age, can independently seek medical advice, give valid consent for medical treatment and expect the same standards of confidentiality as an adult.  Confidentiality must be maintained in these cases in the same way as would be the case for an adult, and with the same exceptions.

2:2       A young person is deemed to be competent to consent to advice or treatment provided the Fraser guidelines (1985) have been satisfied.  Although these have been worded in terms of a doctor giving specifically contraceptive advice and treatment, they should be applied to any healthcare professional giving any healthcare advice or treatment.  The criteria are shown below:

• The young person understands the doctor’s advice
• The doctor cannot persuade the young person to inform his/her parents or allow them to be informed
• The young person is very likely to begin or continue having intercourse with or without contraceptive treatment
• Unless he/she receives contraceptive advice or treatment the young person’s physical or mental health or both are likely to suffer
• The young person’s best interests require the doctor to give contraceptive advice, treatment or both without parental consent.

2:3       People will seek health advice more willingly if they can trust that their consultations and treatment will be kept confidential.  This is particularly true for teenagers and young people aged under 16 years who may need advice on any clinical issue, but may be particularly reluctant to discuss sensitive issues such as sexual health and contraception, pregnancy, termination, depression, self-harm, addiction and substance abuse, etc.

2:4       Care must be taken when communicating with young patients by home telephone or post if there is a risk that the information may be heard/seen by another person.  A secure or acceptable means of communication should be agreed with the young person at the time of the consultation wherever possible.

2:5       Patients should be assured that their confidentiality will be maintained by providing information via the practice website, leaflet and information in the waiting room.

2:6       If the healthcare provider considers the young person to be incapable of giving consent because of immaturity, illness or mental capacity, they should encourage the young person to allow an appropriate adult to be involved in the consultation.  If they refuse and the healthcare provider is convinced that it is essential in their medical interests, he/she may disclose relevant information to an appropriate person or authority.  In such cases, the patient must be informed before disclosure, and where appropriate, the views of an advocate or carer sought.  All the steps taken must be documented in the patient’s medical record.

3 – SECURITY/STORAGE OF CONFIDENTIAL INFORMATION

3:1 – Lloyd George (manual) records

3:1:1    Lloyd George notes must not be left accessible to unauthorised users and all storage cabinets must be locked when not in use and when the Medical Centre is closed.

3:1:2    Medical records must not be taken home.  Home visit print-outs must not be left in practitioners’ cars or homes, from where they could be stolen or seen by others without the patient’s consent.

3:1:3    Patients/visitors to the practice must not be left unaccompanied in rooms where medical records could be accessible, for example in consulting rooms, reception or other offices.  Documents containing patient identifiable data must be locked away when not in use.

3:1:4    Test result slips, hospital letters, etc must not be left on the reception desks where they might be seen by people at the counter.

3:1:5    Any rooms containing medical records must be locked when unoccupied.

3:1:6    All reasonable steps must be taken to avoid unauthorised access to the medical records.  For example, the reception area should not be left vacant while patients or visitors to the practice are on the premises.

3:1:7    People who are seen within the surgery who cannot be identified as a genuine patient or visitor with grounds to be on the premises must be challenged, provided this can be done safely without risk of harm to the staff member.

3:1:8    A manager must be informed immediately if any medical records are lost or stolen or if there is believed to have been a breach of confidentiality.

3:2 – Computer records

3:2:1    All security measures described in the IMT & IG policy must be adhered to.

3:2:2    Patients or others must not be left unaccompanied in rooms where they could access computer information.  It is necessary to log off or lock the computer when leaving a room for a period of time.

3:2:3    Logins and passwords must not be shared.  Refer to the IM&T and IG policy for further details on using the computers and computer held information.

3:2:4    Computer screens showing information about patients must be positioned to avoid other patients seeing the screen.

3:2:5    Data must be wiped before a computer, photocopier, fax machine, scanner or other equipment capable of storing information is decommissioned or destroyed.

3:2:6    Smart cards, passwords and mobile devices must be stored securely to prevent access by unauthorised users in line with the IMT & IG policy.

3:2:7    Loss of smart cards or mobile devices must be reported immediately to the manager.

4 – TRANSMISSION OF CONFIDENTIAL INFORMATION

4:1 – Verbal transmission

4:1:1    Assuming justification/consent for disclosure has been established, information must be transmitted accurately, effectively and securely.

4:1:2    Discussion with or about patients must not take place within hearing of potential eavesdroppers.

4:1:3    When on the telephone, the identity of the patient to whom you are speaking must not be made explicit if you are within earshot of the waiting room.

4:1:4    Messages must NOT be left on patients’ answering machines or with relatives.  If unable to contact a patient by ‘phone results/information must be sent by post marked private and confidential.

4:1:5    Particular care must be taken when contacting competent patients aged under 16.  Ways in which to contact them confidentially should be agreed with them in advance wherever possible.

4:1:6    Patient enquiries at the reception counter must be answered discreetly, so that other patients cannot overhear.  If the information is particularly sensitive, or if the patient wishes to speak to the receptionist privately, they should be taken to a vacant room.

4:1:7    The practice has a loop system, which can be used to assist patients with hearing aids to hear clearly without the need for the receptionist or practitioner to speak loudly.

4:1:8    Personal information may be texted to patients by prior arrangement with the patient provided they have given permission and updated their mobile ‘phone number each time such an arrangement is made.

4:2 – Written information

4:2:1    Envelopes must be marked private and confidential when writing to patients.

4:2:2    Letters, forms or other information must not be left where other patients or visitors could see them.

4:2:3    Confidential information awaiting disposal, including repeat prescription slips, must be placed in the confidential waste disposal bins

5 – TRAINING

5:1       All new staff must receive training in Confidentiality and the application of this policy as part of their induction.

5:2       All staff members are required to keep their knowledge about confidentiality and consent up-to-date in line with the mandatory training programme and their role within the practice.  Training resources are available on the Bluestream Academy website.

6 – MISCELLANEOUS

6:1       Clinical audit is a valid use of patient information.  Individual consent is not required unless direct patient feedback is involved.  However, if consent has not been sought, personally identifiable information about participating patients must NOT be included in the write up or discussion.

6:2       Medical or personal information about patients or staff that a staff member has become aware of from a source outside the Medical Centre must be treated confidentially, as others may perceive disclosure of such information to be a breach of confidentiality from the Medical Centre.  Disclosure of such information will be treated as a breach of confidentiality from a disciplinary point of view.

6:3       Personal information about staff members including telephone numbers must NOT be disclosed to enquirers.

6:4       All contractors visiting the site must sign the visitors’ register and complete a confidentiality agreement prior to commencing work on-site.

6:5       If it is believed that a breach of confidentiality may have occurred, whether deliberate or accidental, the practice a manager must be informed immediately, so that investigation and action can be put in place to protect the patient’s information as far as possible.  Advice should be sought from the medical defence body if necessary.

6:6       Any queries about this policy must be directed to the practice business manager.

6:7       Clarification about the disclosure of information in a particular situation can be sought from a manager or the Caldicott Lead.

6:8       Patients must be informed about confidentiality and the use of their records in the practice patient information leaflet, poster in the waiting room and via privacy notices on the website.

6:9       Copies of this policy may be given to patients under the Freedom of Information Act.

6:10     The practice must periodically assess its performance against the principles of the Data Protection Act, GDPR and the Caldicott Committee recommendations.

KEY LEGISLATION/GUIDELINES PERTAINING TO PATIENT CONFIDENTIALITY

Public authorities including the NHS are obliged to comply with Administrative Law, which requires them to act intra vires (within their lawful powers).

Confidentiality is covered by various professional regulations, including the GMC, IHM and NMC Codes of Conduct, the common law duty of confidentiality and the NHS codes of practice for Confidentiality and Records Management.  In addition, the NHS Care Record Guarantee for England and HSC 1999/012 require the highest standards of patient confidentiality to be maintained.  Aspects of the holding and disclosure of personal and medical information are also protected by statute within the following legislation:

• Abortions Regulations 1991
• Access to Health Records Act 1990
• Access to Medical Reports Act 1988
• Caldicott Committee 1997
• Children Act
• Computer Misuse Act 1990
• Crime and Disorder Act 1998
• Data Protection Act 1998
• Freedom of Information Act 2000
• Health and Social Care Act 2001
• HSC 1999/012
• Human Fertilisation & Embryology Act 1990
• Human Rights Act 1998
• Mental Capacity Act 2005
• NHS Venereal Diseases Regulations 1974
• Public Health (Control of Diseases) Act 1984
• General Data Protection Regulations

TERMINOLOGY

Personal Data – Information about living, identifiable individuals, e.g. name and address etc.  Statements of fact/expressions of opinion about an individual and information about the data controllers’ intentions towards them are personal data.

Processing – Processed by computer or other technology such as document image-processing systems.  Processing also includes obtaining, storing & disclosing data.

Manual Records – Information that is recorded as part of a ‘relevant filing system’ (e.g. Lloyd George), where records are structured either by reference to individuals or by reference to certain criteria, so that specific information relating to individuals is readily available (e.g. disease registers).

Data Users – Those who control the contents & use of a collection of personal data.

Data Controller – Those who determine the purposes and manner in which any personal data are processed i.e. St Paul’s Medical Centre

Health Records – Record that relates to the physical or mental health of an individual, which has been made by or on behalf of a health professional in connection with the care of that individual.

Sensitive Personal Data – Information relating to:

• Racial/ethnic origin of the subject
• Political opinion
• Religious or other similar beliefs
• Trade Union membership
• Physical/mental health or condition
• Sexual life
• Commission or alleged commission of any offence
• Details of any proceedings for any offence/alleged offence

DATA PROTECTION ACT PRINCIPLES

Records containing personal information should…

• Be obtained and processed lawfully and fairly.
• Be obtained for only one or more specified and lawful purpose and not used for anything incompatible with that purpose.
• Be adequate, relevant and not excessive in relation to the purpose for which they are held.
• Be accurate and, where necessary, up to date.
• Be held for no longer than is necessary for the purpose for which they are held.
• Be processed in accordance with the rights of data subjects under this Act.
• Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing and against accidental loss or destruction or damage to personal data.
• Not to be transferred to a country outside the EU unless that country ensures an adequate level of protection for the rights and freedoms of data subjects.

CALDICOTT COMMITTEE PRINCIPLES

• Justify the purpose – every proposed use/transfer of patient identifiable information should be clearly defined and scrutinised, with continuing users regularly reviewed by an appropriate guardian.
• Do not use patient identifiable information unless it is absolutely necessary.
• Use the minimum necessary patient identifiable information.
• Access to patient identifiable information should be on a strict need to know basis.
• Everyone should be aware of their responsibilities.
• Understand and comply with the law.
• The duty to share information can be as important as the duty to protect patient confidentiality

GDPR SUBJECT DATA RIGHTS

• The right to be informed
• The right of access
• The right to rectification
• The right to erase or ‘the right to be forgotten’
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision-making and profiling

DoH Standards of Information Handling (HORUS)

Information must be:

• Held securely and confidentially
• Obtained fairly and efficiently
• Recorded accurately and reliably
• Used effectively and ethically
• Shared appropriately and lawfully

Caldicott Audit completed _______________________ (date)

Data Protection Register No:              Z5620272 (SPMC)      

Data Protection Security No:              10230267 (SPMC)     

Signed ______________________________            Date _______________

Dr C W Scott

Guardian of Confidentiality

All GP practices are required to declare the mean earnings for GPs working to deliver NHS services to patients at each practice.

The average pay for GPs working in St Paul’s Medical Centre in the last financial year (2020/2021) was £88,426 before tax and national insurance. This is for 5 full time GPs and 3 part time GPs who worked in the practice for more than six months.

Disclaimer

NHS England require that the net earnings of doctors engaged in the practice is published, and the required disclosure is shown above. However it should be noted that the prescribed method for calculating earnings is potentially misleading because it takes no account of how much time doctors spend working in the practice, and should not be used to form any judgement about GP earnings, nor to make any comparison with any other practice.

Introduction

Patients’ medical records should accurately reflect the medical conditions, care and treatment they have experienced over time. This is necessary for good continuing patient care and for medico-legal reasons. The records should therefore be correct, complete and, where possible, contemporaneous.

This policy applies to all GP principals, employed locums and assistants, practice-employed staff, and others working within the practice.

The Practice’s legal bases for collecting, storing, processing and destroying personal and medical information about patients under GDPR are:

Article 6(1)(e) – Public task

Article 9(2)(h) – For the purpose of preventative and occupational medicine

The highest standards of governance must be applied in recording, storing and disposing of patient information, in line with Caldicott principles, the Data Protection Act, General Data Protection Regulations and other legislation and regulations in force.

This policy should be read in conjunction with the following:

• Confidentiality and consent to the disclosure of confidential information
• Summarising policy
• IM&T policy
• Home visits protocol

Recording contacts with patients

1. All patient consultations and other encounters/contacts with/about patients must be recorded in the computer record, whether they have been undertaken at the surgery, as a home visit, by telephone, text, email or letter. The encounter must reflect the place/type of consultation.

• Entries should be linked to the relevant problem title in the patient’s summary where appropriate. The problem will generally be a diagnosis rather than a symptom or procedure.  New problems should be added using the correct read/Snomed code. Long-term conditions and single episode problems must be added as a problem once only.

• Active problems should include long-term conditions and chronic diseases, conditions currently under treatment by medication or under hospital care and those currently symptomatic.
• Other problems should be classified as Past Significant if likely to recur or have a future impact on the patient’s health and wellbeing, or otherwise Past Minor.

• Consultations should include details of the presenting problem, examinations undertaken, differential diagnoses, medication prescribed and care plan (investigations, medication changes, action to take for red flags, referrals, follow-up arrangements, etc).

• Unconfirmed or differential diagnoses should be entered as free text under the symptom code, or the Uncertain Diagnosis code (R2).

• Visit requests should be recorded on the EMIS Web Home Visit page. This record should then be annotated by the practitioner as appropriate when taking ownership of the visit and then updating the patient’s notes afterwards e.g. by adding in clinical findings and advice/treatment following the visit or consultation by telephone.

• Templates should be used to input clinical data (where available).

• Telephone, email and online consultations must be recorded in the same way as a face-to-face consultation, under the correct place of encounter.

1. Where a patient is accompanied, details should be recorded. In the case of children aged under 16 years it must also be recorded if the patient is unaccompanied.

Medications

1. Acute and repeat prescriptions must be recorded on the computer, even if hand-written, for example at the patient’s home and whether the items have been prescribed by a GP principal, locum, or nurse.

1. All prescriptions must be linked to the associated problem title.

1. Drug allergies must be coded into the appropriate section of the medical record, using the add allergy function in EMIS Web.

Path Lab Links

1. Laboratory test results are received daily and are transferred into the patient’s medical record.

1. The links team must allocate path links information to the correct practitioner and ensure that it is correctly re-directed if the practitioner is absent (e.g. on annual leave).

1. Practitioners must go through their links information on a regular basis at least daily, and annotate as appropriate. Actions must be recorded from the picking list and full details provided in tasks sent.

1. The links team must ensure that patients are notified of test results if advised by the GP and that follow-up is acted upon, e.g. contact the patient to inform them to collect a prescription or to make an appointment in line with the confidentiality policy.

Hospital/unscheduled care and scanned documents

1. Hospital clinic letters must be processed as quickly as possible, especially those requiring follow-up action such as a prescription, using the workflow protocol.

Clinical Summaries

1. Most patient records now arrive by GP2GP and contain a summary. For records received without GP2GP a brief summary must be requested and summary details coded. Lloyd George records must be summarised for these patients as soon as possible after receipt by the practice in line with the Network summarising protocol.

• Summaries must be kept up to date by ensuring that new diagnoses, investigations, operations and procedures etc are coded on using agreed codes and location within the record (active/past problem, health admin, significant/minor).

Other Patient Information

• Relevant personal information should be recorded appropriately to alert practitioners to their special needs. Examples include:

• On child at risk register
• History of violent/aggressive behaviour
• Terminally ill
• Is a carer or has a carer
• Housebound
• Disabilities (blind, deaf, wheelchair-bound, etc)
• Special communication needs (large print, braille, easy read, etc)

• Complaints made by the patient should not be entered onto the medical record. This information should be held separately.

• GMS1 forms should not be scanned on. These should be retained for three years then confidentially destroyed.

• New patient health check forms can be shredded once the information has been inputted.

• Requests for medical information, such as copies of records, PMA reports etc, should be recorded under Medical Report Requested in Health Administration, so that progress can be tracked as necessary.

Changes in Circumstances

• Change of name, address or telephone number must be processed as quickly as possible using the current protocol. The practice will, from time to time, send Data Quality forms to patients, in order to update personal information.

• Health visitors should be informed of detail changes for patients aged under five years.

• Details of patients who have died must be processed using the Deaths protocol.

Destruction of medical records

• Letters and reports that are scanned onto the computer must be placed in the secure shredding bins for confidential disposal.

• DNACPR forms should not be shredded, but should be filed in the patient’s Lloyd George record.

• Duplicate expired and irrelevant data must be removed from Lloyd George records and confidentially destroyed in line with the Summarising protocol and in line with current NHS guidelines on the retention and destruction of medical records.

• Data should not usually be deleted from the computer medical record unless it is duplicated data.

NB – Patient-identifiable data should not be recorded in staff members’ personal diaries and notebooks, which might be taken home with the risk of accidental breach of confidentiality.

What is a Primary Care Network?

The definition of a Primary Care Network is to enable the provision of proactive, accessible, coordinated and more integrated primary and community care improving outcomes for patients.

They are formed around natural communities based on GP registered lists, serving populations of around 30,000 to 50,000.

The Central West Primary Care Network

The Central West Primary Care Network are a collaboration of 3 GP Practices, St Paul’s Medical Centre, Adelaide Street Surgery and South King Street Medial Centre. We serve a population of registered patients on our list equating to approximately 34,000 patients.

Networks need to be small enough to provide the personal care valued by both patients and GPs, but large enough to have impact through deeper collaboration between practices and others in the local health (community and primary care) and social care system. We are looking to provide a platform for providers of care to be sustainable into the longer term.

The records we keep enable us to plan for your care. This Practice keeps data on you that we apply searches and algorithms to in order to identify from preventive interventions. This means using only the data we hold or in certain circumstances linking that data to data held elsewhere by other organisations and usually processed by organisations within or bound by contracts with the NHS.

If any processing of this data occurs outside the practice your identity will not be visible to the processors. Only this Practice will be able to identify you and the results of any calculated factors, such as your risk of having a heart attack in the next 10 years or your risk of being admitted to hospital with a complication of chest disease. You have the right to object to our processing your data in these circumstances and before any decision based upon that processing is made about you. Processing of this type is only lawfully allowed where it results in individuals being identified with their associated calculated risk. It is not lawful for this processing to be used for other ill-defined purposes, such as “health analytics”.

Despite this we have an overriding responsibility to do what is in your best interests.  If we identify you as being at significant risk of having, for example a heart attack or stroke, we are justified in performing that processing.   We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament.  It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law.  The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient.  It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament.  It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law.  The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient.  It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

1, NHS England’s powers to commission health services under the NHS Act 2006 or to delegate such powers to CCGs and the GMS regulations 2004 (73)1

2, For more information about payments the English GPs please see; https://digital.nhs.uk/NHAIS/gp-payments , https://digital.nhs.uk/catalogue/PUB30089 and http://www.nhshistory.net/gppay.pdf

This Practice participates in research. We will only agree to participate in any project if there is an agreed clearly defined reason for the research that is likely to benefit healthcare and patients. Such proposals will normally have a consent process, ethics committee approval, and will be in line with the principles of Article 89(1) of GDPR.

Research organisations do not usually approach patients directly, but will ask us to make contact with suitable patients to seek their consent. Occasionally research can be authorised under law without the need to obtain consent. This is known as the section 251 arrangement¹. We may also use your medical records to carry out research within the practice.
You have the right to object to your identifiable information being used or shared for medical research purposes.  Please speak to the practice if you wish to object.
We are required by Articles in the General Data Protection Regulations to provide you with the information in the following 9 subsections.

1, Section 251 and the NHS Act, Health Research Authority.  https://www.dropbox.com/s/sekq3trav2s58xw/Official%20Section%20251%20guidance%20Health%20Research%20Authority.pdf?dl=0

2 “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament.  It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law.  The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient.  It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament.  It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law.  The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient.  It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

* “Common Law Duty of Confidentiality”, common law is not written out in one document like an Act of Parliament.  It is a form of law based on previous court cases decided by judges; hence, it is also referred to as ‘judge-made’ or case law.  The law is applied by reference to those previous cases, so common law is also said to be based on precedent.

The general position is that if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent.

In practice, this means that all patient information, whether held on paper, computer, visually or audio recorded, or held in the memory of the professional, must not normally be disclosed without the consent of the patient.  It is irrelevant how old the patient is or what the state of their mental health is; the duty still applies.

Three circumstances making disclosure of confidential information lawful are:

• where the individual to whom the information relates has consented;
• where disclosure is in the public interest; and
• where there is a legal duty to do so, for example a court order.

St Pauls Medical Centre
Dickson Road
Blackpool
FY1 2HH

Telephone: 01253 623896
Email: [email protected]

This is a Statement of Purpose for St Pauls Medical Centre which sets out the following information:

• The full name of the service provider and of any registered manager together with their business address, telephone number, and where available electronic mail addresses.
• The legal status of the service provider.
• Details of the locations at which the services provided for the purposes of the regulated activity carried on
• Our aims and objectives in carrying on the regulated activity.
• The kinds of services provided for the purpose of carrying on of the regulated activity.
• The range of service users’ needs, which those services are intended to meet.

Registered Manager:
Dr Colin Scott MB ChB, MRCGP

Partners:

Dr Leanne Rudnick MB ChB, MRCGP

Dr Robert Straker Bennett MB ChB, MRCGP

DR Lalitha Ganti MB BS

Dr Lubna Momin MB BS, MRCGP

Dr Sarah Cunliffe MBChB, MRCGP, DRCOG, PG Cert

Dr Shahzad Gul MB BS, MRCGP

St Pauls Medical Centre is a General Practice Partnership open to all patients living within our Practice boundary in Blackpool and the surrounding areas. We work in partnership with our patients and our Patient Participation Group to provide medical care for our patients. We are a General Medical Services (GMS) Practice offering Primary care services for the diagnosis and prevention of disease. We help patients to manage their health and prevent illness. Our GPs assess, diagnose, treat and manage illness. They carry out screening for some diseases and promote general health and wellbeing. Our GPs act as a patient’s advocate, supporting and representing a patient’s best interests to ensure they receive the best and most appropriate health and/or social care. Our GPs also provide the link to further health services and work closely with other healthcare colleagues. They may also arrange hospital admissions and referrals to other services and specialists and they link with secondary and community services about patient care, taking advice and sharing information where needed. They also collect and record important information from other healthcare professionals involved in the treatment of our patients.

Our GPs are also involved in the education and training of doctors, practice staff and other healthcare professionals.

Our Mission Statement:
‘We care for you we care about you’

Vision:
To work in partnership with our patients and staff to provide the best Primary Care services possible working within local and national governance, guidance and regulations.

Our Aims and Objectives:

• To provide high quality, safe, professional Primary Health Care General Practice services to our patients.
• To focus on prevention of disease by promoting health and wellbeing and offering care and advice to our patients.
• To work in partnership with our patients, their families and carers towards a positive experience and understanding, involving them in decision making about their treatment and care.
• To be a learning organisation that continually improves what we are able to offer patients.
• To treat patients as individuals and with the same respect we would want for ourselves or a member of our families, listening and supporting people to express their needs and wants and enabling people to maintain the maximum possible level of independence, choice and control
• To work in partnership with other agencies to tackle the causes of, as well as provide the treatment for ill health and where appropriate involve other professionals in the care of our patients.
• To encourage our patients to communicate with us by joining our Patient Participation Group, talking to us, participating in surveys, and feeding back and on the services that we offer
• To ensure all staff have the competency and motivation to deliver the required standards of care ensuring that all members of the team have the right skills and training to carry out their duties competently
• To take care of our staff offering them support to do their jobs and to protect them against abuse
• Have a zero tolerance of all forms of abuse.
• To provide our patients and staff with an environment which is safe and friendly
• To operate on a financially sound basis.

Our Services:

The GMS services provided by our GPs are defined under the Standard Personal Medical Services Contract. These services are mainly split into three groups:

• Essential
• Additional
• Enhanced

Essential services
We provide essential services for people who have health conditions from which they are expected to recover, chronic disease management and general management of terminally ill patients.

Our core services include:

• GP consultations
• Nurse Practitioner Consultations
• Paramedic consultations
• Asthma Clinics
• Chronic obstructive airways disease clinics
• Coronary heart disease clinics
• Diabetes clinics
• NHS Healthcheck clinics

Additional services

Our additional services include:

• Cervical cytology screening
• Child health surveillance
• Contraceptive services
• Maternity services
• Certain minor surgery procedures
• Vaccinations and immunisations
• INR Monitoring

Enhanced services

Our enhanced services include:

• Childhood vaccinations and immunisations
• Contraceptive coil fitting (IUD) and contraceptive implant fitting
• Diabetes Management
• Prostate Cancer Injection Therapy
• Extended minor surgery
• Flu immunisation

Other services

Our Practice also offers services including:

• Child health and development
• Dressing clinics
• ECGs (electrical heart trace)
• End of life care
• Epilepsy
• Lung testing (spirometry)
• Medication review
• Mental health
• Pregnancy testing and contraceptive advice
• Stop smoking support
• Travel advice
• Men’s and Women’s health
• LARC

Non-NHS Services
Our Practice also provides services which are non-NHS and are paid for by the patient. These services include:

• Insurance claims forms
• Non-NHS vaccinations
• Prescription for taking medication abroad
• Private sick notes
• Pre-employment and HGV medicals
• Vaccination certificates

Subject Access Requests- Following Implementation of GDPR (from 25 May 2018)

On 25 May 2018 the current UK Data Protection Act 1998 (DPA 1998) will be fully replaced by the General Data Protection Regulation (2016/679).

As with the DPA 1998, these new regulations give living individuals the right to request access to personal data held on them by the Trust. This is known as a Subject Access Request (SAR), the person who will hold data about is known as the Data Subject, in many cases this will be the patient, but could be a staff member, a contractor or contact.

Requests must be in writing, this includes, letter, e-mail or in person. The requester will be asked to complete a Subject Access Request form and provide appropriate identification both on submission of the form and the collection of the personal data.

Requesters must be either, the data subject OR have the written permission of the data subject OR have legal responsibility for managing the subject’s affairs in order to access personal information about that person. It is the requester’s responsibility to satisfy the Trust of their legal authority to act on behalf of the data subject.

We also must be satisfied of the identity of the requester before we can provide any personal information.

New Requirements for Subject Access

From 25 May 2018 some new requirements were introduced affecting the handling of subject access requests. These are listed below:

What do we need to provide to a requester?

As well as providing confirmation that their personal is being processed and providing a copy of this personal data that the data subject has asked for; (subject to any exemptions). Individuals will have the right to be provided with additional information which largely corresponds to the information to be provided in a privacy notice:

• Source of the data.
• Recipient, including details international transfers.
• Retention period for the data.
• How to amend inaccurate data.
• How to complain to the Information Commissioner’s Office (internal review will usually need to be satisfied first

Scope

This policy provides a process for the management of subject access requests (SARs) for personal information (for living individuals) under the Data Protection Act (DPA), the General Data Protection Regulations (GDPR) and (for deceased individuals) the Access to Health Records Act 1990.  It defines a process for achieving legislative requirements and ensuring effective and consistent management of such requests.

This policy does not cover requests for medical reports or for copies of medical records requested under the Access to Medical Reports Act 1998 (AMRAs) usually for insurance and claims purposes.

Under the DPA, subject to certain conditions, an individual is entitled to be:

• Told whether any personal data is being processed;
• Given a description of the personal data, the reasons it is being processed and whether it will be given to any other organisations or people; and
• Given a copy of the information comprising the data; and given details of the source of the data (where this is available)

Personal data held by the practice may be:

• Personnel/staff records relating to a member of staff present, past or prospective
• Health records consisting of information about the physical or mental health of an identifiable individual made by or on behalf of a health professional in connection with the care of that individual.

Access encompasses the following rights:

• To obtain a copy of the record in permanent form
• To have information provided in an intelligible format (and explained where necessary)

The DPA also gives subjects who now reside outside the UK the right to apply for access to their former UK health and employment records:

• Employees are legally entitled to request their personal records and may take them outside of the UK at their own discretion
• Original health records must not be given to people to take outside the UK.  A GP or community health professional may be prepared to provide the patient with a summary of treatment; alternatively the patient may make a request for access in the usual way.

Individuals’ rights regarding the sharing of their personal information are supported by the Care Record Guarantees, which set out high-level commitments for protecting and safeguarding service user information, particularly in regard to rights of access to their own information, how information will be shared (both within and outside the practice) and how decisions on sharing information will be made.

Who can make an Access Request?

This policy applies to any request by a patient or member of staff for access to their personal information held by the practice as a Subject Access Request.

This non-contractual policy applies to all staff employed by the partners at St Paul’s Medical Centre.  Failure to adhere to the standards outlined herein could lead to disciplinary action.

An application for access to personal data may be made by any of the following:

• An individual
• A person authorised by the individual in writing to make the application on their behalf e.g. solicitor, family member or carer
• A person appointed by a court to manage the affairs of an individual who is deemed incompetent
• Individuals who hold a health and welfare Lasting Power of Attorney

Where the individual has died, the patient’s personal representative (the executor of the deceased’s will; someone who has been appointed as an administrator of the estate by the courts; someone who has the written consent of the either of the above to be given access) and any person who may have a claim arising out of the patient’s death can make a subject access request to the practice.  Moreover where the deceased made a Subject Access Request prior to their death, this should continue to be actioned under GDPR.

Requests for copies of paper medical records of deceased patients that have been returned to PCSE and are no longer available to the practice can be made by a personal representative by contacting Primary Care Support England – 03330 142884.

Where a request is made by someone with no legal rights to access, they should be advised to contact a solicitor.

Police do not have an automatic right to access to patient’s medical or personal information unless they have a Court Order.  The information can be disclosed to support the prevention and detection of a serious crime, but this decision must be made by a GP partner or manager.

Serious crime includes murder, manslaughter, rape, treason, kidnapping, child abuse, other serious harm to an individual, security of the state or to public order, and crimes that involve substantial financial gain or loss.  Theft, fraud and damage to property are NOT usually sufficient cause to disclose confidential information.  Serious harm includes child abuse, neglect, assault, road traffic accident and spread of potentially life-threatening infectious disease.

This clause also relates to copies of CCTV footage from cameras within the building, which must not be supplied to the police except under the circumstances outlined above.  Footage from public areas such as the car park can be supplied to the police.

Parental responsibility for a child is defined in the Children’s Act 1989 as ‘all the rights, duties, powers, responsibilities and authority, which by law a parent of a child has in relation to a child and his property’.  Responsibilities would include safeguarding and promoting a child’s health, development and welfare, including if relevant their employment records.  Included in the parental rights which would fulfil the parental responsibilities above are:

• Having the child live with the person with responsibility or having a say in where the child lives
• If the child is not living with him/her, have a personal relationship and regular contact with the child
• Controlling, guiding and directing the child’s upbringing

Foster parents are not ordinarily awarded parental responsibility for a child.  It is more likely that this rests with the child’s social worker and appropriate evidence of identity should be sought in the usual way.

The law regards young people aged 16 or 17 to be adults for the purposes of consent to employment or treatment and the right to confidentiality.  Therefore if a 16-year-old wishes their information to be kept confidential, this wish must be respected.

Children aged under 16 who have the capacity and understanding to take decisions about their own treatment are also entitled to decide whether personal information may be passed on and generally to have their confidence respected.  Where a child is considered capable of making decisions about medical treatment, their consent must be sought before a person with parental responsibility may be given access.  Consent will usually be required from any child aged 13+ before information can be disclosed to a parent, guardian or third party.

Where in the view of the appropriate professional the child is not capable of understanding the nature of the application, the holder of the record is entitled to deny access if it is not felt to be in the patient’s best interests.

The identity and consent of the applicant must always be established.

The applicant does not have to give a reason for applying for access.

The practice is a Data Controller and can only provide information held by the organisation.  Other data controllers must be applied to directly; the practice will not transfer requests from one organisation to another.

Application

Patients wishing to exercise their right of access should inform a member of staff personally, by telephone, by email, by post, or (preferably) by completing the Access to Health Records Request form.

Where the Access to Health Records Request form has not been used, the information required on the form will need to be elicited from the patient and filled in by the member of staff.

Current, past or prospective employees should inform Julie Holford, Practice Manager using the relevant Subject Access Request form.

The practice as ‘data controller’ is responsible for ascertaining the purpose of the request and the manner in which the information is supplied.

A simple request by a patient for either vaccination history or a list of current medications can be processed by any member of the team.  Full details of the request and the stages of processing need to be completed on the request form and the information checked by a second person before being handed to the patient.  The usual ID and eligibility checks must be made.  If the patient is not collecting there and then, place the request form with the prepared information in the concertina file and make sure the collection details are noted on the form when the patient collects.  The form can then be put in the hospital letters tray.

All other patient requests must be passed to Sheila Kirkham (put in her tray).  Requests from current or former staff must be passed to Julie Holford.

Fees and response time

The practice must provide information free of charge unless it is manifestly unfounded, excessive, can easily be obtained through Patient Access or is repetitive (i.e. has been provided before).

The fee must be based on the administrative cost of providing the information only.

The request must be complied with without delay and within 28 days of receipt of the request.  We can extend the period for a further 2 months where requests are complex or numerous, however we must inform the individual of any delay within 28 days, along with an explanation.

The release stages

Consent/eligibility for the request must be checked before preparing the information.  Particular care must be taken when the request is from a third party or in respect of a child.  Informed consent must be sought for any patient aged 13 or more unless the patient lacks capacity under the Mental Health Act or is not deemed to be competent to make the decision if aged under 16, in which case a ‘best interests’ decision will need to be made.

A reason for denying or restricting access does not need to be given but the applicant should be directed through the appropriate complaint channels.

Further guidance must be sought if the request is vague, to avoid disclosing information that is not relevant or not required by the requester.

The record must be collated, redacted where applicable and signed off by a GP partner or manager before being prepared for release.  On no account may the original record be released.

Where possible iGPR will be used to produce and collate the information available on EMIS and Docman.  Lloyd George records must be pruned of expired information in line with defined retention periods (see Summarising Policy) before being photocopied.

Where information is not readily intelligible an explanation e.g. of abbreviations or terminology must be given

The format of the released information must comply with the requester’s wishes wherever possible. If no specific format is requested, we can provide the information in the same manner as the original request e.g. by email (preferred format).

Information can be emailed using the st.pauls.medicalcentre.nhs.uk email address provided it is encrypted.  First email instructions on how to open encrypted information to the requester, then send the relevant documents by secure email by putting [secure] as the title.

Where the information is provided in paper form, this must be collected from the surgery by the individual or his/her representative provided we have been notified by the requester in advance of who the representative is.  In either case proof of identity will need to be shown before the records can released.

Ensure that the date the information is emailed or collected has been completed on the request form before sending this for scanning.

If it is agreed that the subject or their representative may directly inspect the record, a health professional must supervise the access (manager for employee requests).  The supervisor must not comment or advise on the content of a medical record if they are not a healthcare professional.

Exemptions

Access may be denied or restricted where:

• The record contains information which relates to or identifies a third party that is not a care professional and has not consented to the disclosure.
• Access to all or part of the record will prejudice the carrying out of social work because serious harm to the physical or mental well-being of the individual or any other person is likely.
• Access to all or part of the record will seriously harm the physical or mental well-being of the individual or any other person
• If an assessment identifies that to comply with a Subject Access Request would involve disproportionate effort under section 8(2)(a) of the Data Protection Act

Where possible the individual should be provided with that part of the record that does not form one of the above restrictions.

There is no requirement to disclose to the applicant the fact that certain information may have been withheld.

Where the information is to be withheld on the basis of disproportionate effort, the practice will engage with the applicant, having an open conversation about the information they require.  It may be appropriate to have the applicant view the records in practice and select the elements that they require a copy of.

Complaints and appeals

The applicant has the right to appeal against a practice decision to refuse access to their information.  This appeal should be made to Tracey Swift, Patient Services Lead (patients) or Anne Bagot-Moore (staff).

If an applicant is unhappy with the outcome of their access request, the usual complaints (patients) or grievance (staff) procedure should be applied.

Monitoring and review

The Caldicott Lead (Dr C W Scott) has executive responsibility for Subject Access Requests.

All staff will receive training on how to recognise and manage a Subject Access Request.

The Practice Business Manager monitors all Subject Access Requests to ensure the correct process has been followed and monitors and appeals/complaints relating to Subject Access Requests.

Equality impact

In applying this policy the practice will have due regard for the need to eliminate unlawful discrimination, promote equality of opportunity and provide for good relations between people of diverse groups, in particular on the grounds of the characteristics protected by the Equality Act 2010 (see Equal Opportunities Policy) in addition to offending background, trade union membership or any other personal characteristic.

Record-keeping

Where an Access to Health Records Request has been completed in respect of a patient, the completed request form must be placed in the hospital letters drawer for scanning/attaching to the medical record as a problem heading under Health Administration using one of the following read codes:

• 8MA (SNOMED 647551000000110) – Patient requests copy of medical record (free text in if patient representative)
• 9ER8 (SNOMED 2159182015) – Patient record requested by solicitor
• 9l8 (SNOMED 2129781000000118) – Copy of clinical record requested by insurance company

The date the information has been supplied must also be recorded using the appropriate code:

• 9lA (SNOMED 2129861000000118) – Copy of clinical record given to patient (if collected from surgery)
• 9lB (SNOMED 2129901000000113) – Copy of clinical record sent to patient (if emailed)
• 9lC (SNOMED 2129941000000111) – Copy of clinical record sent to solicitor
• 9l9 (SNOMED 2129821000000114) – Copy of clinical record sent to insurance company

The scanned form must then be returned to a member of the Administration Team for filing in the SARS folder.

Details of requests from staff and dates of information supplied will be recorded securely in the employment record for current and previous staff and in the recruitment folder for prospective employees and will therefore be held until those records are destroyed.

Click here to view our latest Terms & Conditions

How we use your medical records

• This practice handles medical records according to the laws on data protection and confidentiality.

• We share medical records with health professionals who are involved in providing you with care and treatment. This is on a need to know basis and event by event.

• Some of your data is automatically copied to the Shared Care Summary Record.

• We share some of your data with local out of hours, urgent care and emergency care services

• Data about you is used to manage national screening campaigns such as Flu, Cervical Cytology and Diabetes prevention.

• Data about you, usually de-identified, is used to manage the NHS and make payments.

• We share information when the law requires us to do, for instance when we are inspected or reporting certain illnesses or safeguarding vulnerable people.

• Your data is used to check the quality of care provided by the NHS.

• We may also share medical records for medical research

For more information ask at reception for copies of individual Service Privacy Notices.